CVE-2026-20127
Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability - [Actively Exploited]
Description
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
INFO
Published Date :
Feb. 25, 2026, 5:25 p.m.
Last Modified :
Feb. 26, 2026, 4:20 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlines in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
Unknown
CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems ; https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk ; https://nvd.nist.gov/vuln/detail/CVE-2026-20127
Affected Products
The following products are affected by CVE-2026-20127
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 3.1 | CRITICAL | [email protected] |
Solution
- Apply vendor-supplied security updates for Cisco Catalyst SD-WAN.
- Implement strict access controls for network management interfaces.
- Monitor systems for suspicious authentication attempts.
- Review and restrict NETCONF access privileges.
Public PoC/Exploit Available at Github
CVE-2026-20127 has a 16 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-20127.
| URL | Resource |
|---|---|
| https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk | Vendor Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20127 | US Government Resource |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-20127 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-20127
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
An exploit for the Cisco Catalyst SD-WAN Controller authentication bypass vulnerability, CVE-2026-20127
Ruby
Cisco SD-WAN Exposure & Potential Vulnerability Scanner (Passive Fingerprinting) 2026
Python
None
Python Java
Cisco Catalyst SD-WAN 身份验证绕过漏洞(CVE-2026-20127)利用EXP
Java Python
CVE-2026‑20127 – Remote Authentication Bypass for Cisco Catalyst SD‑WAN
cve-2026-20127 cisco-sd-wan-rce cisco
Python Java
None
Python Java
None
Python
None
Rust Python
None
Shell
None
Python Shell TypeScript JavaScript Go Rust HTML
BlueFalconInk CISA ED 26-03 Compliance Tracker - Rapid-response Streamlit app for Cisco SD-WAN vulnerability mitigation (CVE-2026-20127, CVE-2022-20775)
Dockerfile Python
None
Honeypot with counter-attack and IA to deliver better payloads
Python Dockerfile HTML JavaScript Shell
一个 CVE 漏洞预警知识库,无 exp/poc,部分包含修复方案。A knowledge base of CVE security vulnerability, no PoCs/exploits.
TOP All bugbounty pentesting CVE-2023- POC Exp RCE example payload Things
bugbounty cve exp exploit payload poc rce vulnerability
Shell
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-20127 vulnerability anywhere in the article.
-
Hackread - Cybersecurity News, Data Breaches, AI and More
US Agencies Face CISA Deadline Over Critical Cisco SD-WAN Flaw
US government departments are facing a major deadline in a high-stakes effort to reclaim their networks from intruders who have been hiding in the system for years. This intensive cleanup follows the ... Read more
-
security.nl
Amerikaanse overheid moet Cisco SD-WAN-logs met cyberagentschap delen
Amerikaanse overheidsinstanties moeten de logs van hun Cisco SD-WAN-systemen met het Amerikaanse cyberagentschap CISA delen. Het CISA heeft hiervoor een nieuw noodbevel afgegeven. Aanleiding is actief ... Read more
-
security.nl
Securitybedrijf meldt grootschalig misbruik van kritiek Cisco SD-WAN-lek
Aanvallers maken op grote schaal misbruik van een kritieke kwetsbaarheid in Cisco Catalyst SD-WAN Controller, zo stelt securitybedrijf WatchTowr. Onlangs liet het Nationaal Cyber Security Centrum (NCS ... Read more
-
The Hacker News
OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues
OpenAI on Friday began rolling out Codex Security, an artificial intelligence (AI)-powered security agent that's designed to find, validate, and propose fixes for vulnerabilities. The feature is avail ... Read more
-
The Hacker News
Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model
Anthropic on Friday said it discovered 22 new security vulnerabilities in the Firefox web browser as part of a security partnership with Mozilla. Of these, 14 have been classified as high, seven have ... Read more
-
TheCyberThrone
Cisco Catalyst SD-WAN — Active Exploitation Alert
March 7, 2026What HappenedCisco released security patches on February 25 for five Catalyst SD-WAN vulnerabilities. On March 5, the company updated its advisory to warn that two of them — CVE-2026-2012 ... Read more
-
The Register
Cisco warns of two more SD-WAN bugs under active attack
Just when network admins thought the Cisco SD-WAN patch queue might finally be shrinking, Switchzilla has confirmed miscreants are exploiting more vulnerabilities in its SD-WAN management software. Th ... Read more
-
The Hacker News
Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor
New research from Broadcom's Symantec and Carbon Black Threat Hunter Team has discovered evidence of an Iranian hacking group embedding itself in several U.S. companies' networks, including banks, air ... Read more
-
The Hacker News
Hikvision and Rockwell Automation CVSS 9.8 Flaws Added to CISA KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Hikvision and Rockwell Automation products to its Known Exploited Vulnerabilities (KEV) ... Read more
-
CybersecurityNews
PoC Exploit Released Cisco SD-WAN 0-Day Vulnerability Exploited in the Wild
PoC Exploit Released Cisco SD-WAN 0-Day Vulnerability A public proof-of-concept (PoC) exploit has been released for CVE-2026-20127, a maximum-severity zero-day vulnerability in Cisco Catalyst SD-WAN C ... Read more
-
The Hacker News
Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities
Cisco has disclosed that two more vulnerabilities affecting Catalyst SD-WAN Manager (formerly SD-WAN vManage) have come under active exploitation in the wild. The vulnerabilities in question are liste ... Read more
-
Help Net Security
Cisco warns of SD-WAN Manager exploitation, fixes 48 firewall vulnerabilities
Cisco has confirmed that two Catalyst SD-WAN Manager vulnerabilities (CVE-2026-20128 and CVE-2026-20122) patched in late February 2025 are being exploited by attackers. The exploited vulnerabilities ( ... Read more
-
security.nl
Cisco meldt ook misbruik van andere Catalyst SD-WAN-kwetsbaarheden
Twee kritieke kwetsbaarheden in Cisco Catalyst SD-WAN Manager worden actief misbruikt bij aanvallen, zo waarschuwt Cisco. Updates voor de problemen zijn sinds 25 februari beschikbaar. De Cisco Catalys ... Read more
-
The Hacker News
APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine
Cybersecurity researchers have disclosed details of a new Russian cyber campaign that has targeted Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow. "The ... Read more
-
Daily CyberSecurity
Weaponized in the Wild: Public PoC Exploit Disclosed for Critical 10.0 Cisco SD-WAN Flaw
The cybersecurity landscape has shifted into high gear following the public disclosure of a critical authentication bypass in Cisco Catalyst SD-WAN. The vulnerability, tracked as CVE-2026-20127, carri ... Read more
-
The Hacker News
Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1
Google said it identified a "new and powerful" exploit kit dubbed Coruna (aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1. The exploit kit featured five fu ... Read more
-
The Hacker News
CISA Adds Actively Exploited VMware Aria Operations Flaw CVE-2026-22719 to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a recently disclosed security flaw impacting Broadcom VMware Aria Operations to its Known Exploited Vulnerabilities (K ... Read more
-
The Hacker News
Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited
Google on Monday disclosed that a high-severity security flaw impacting an open-source Qualcomm component used in Android devices has been exploited in the wild. The vulnerability in question is CVE-2 ... Read more
-
The Hacker News
New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel
Cybersecurity researchers have disclosed details of a now-patched security flaw in Google Chrome that could have permitted attackers to escalate privileges and gain access to local files on the system ... Read more
-
The Hacker News
APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday
A recently disclosed security flaw patched by Microsoft may have been exploited by the Russia-linked state-sponsored threat actor known as APT28, according to new findings from Akamai. The vulnerabili ... Read more
The following table lists the changes that have been made to the
CVE-2026-20127 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Feb. 26, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Added CWE CWE-287 Added CPE Configuration OR *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions up to (excluding) 20.9.8.2 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 20.11 up to (excluding) 20.12.5.3 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 20.13 up to (excluding) 20.15.4.2 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 20.16 up to (excluding) 20.18.2.1 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.6:*:*:*:*:*:*:* *cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:* versions up to (excluding) 20.9.8.2 *cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:* versions from (including) 20.11 up to (excluding) 20.12.5.3 *cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:* versions from (including) 20.13 up to (excluding) 20.15.4.2 *cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:* versions from (including) 20.16 up to (excluding) 20.18.2.1 *cpe:2.3:a:cisco:sd-wan_vsmart_controller:20.12.6:*:*:*:*:*:*:* Added Reference Type Cisco Systems, Inc.: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk Types: Vendor Advisory Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20127 Types: US Government Resource -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Feb. 25, 2026
Action Type Old Value New Value Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20127 -
New CVE Received by [email protected]
Feb. 25, 2026
Action Type Old Value New Value Added Description A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Added CWE CWE-287 Added Reference https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk