CVE-2026-20127: Cisco Catalyst SD-WAN Controller/Manager Zero-Day Authentication Bypass Vulnerability Exploited in the Wild


Exploitation of a maximum severity authentication bypass zero-day vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager has been reported. Immediate patching is recommended to thwart ongoing attacks.

Key takeaways:

- CVE-2026-20127 is an authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager. Patches have been released and no workarounds are currently available.
- Exploitation in the wild has been observed for this zero-day by a threat actor tracked as UAT-8616.
- Multiple government agencies have issued alerts on this active exploitation, and multiple publications include threat hunting guidance for devices that may have been compromised.

Background
On February 25, Cisco released a security advisory (cisco-sa-sdwan-rpa-EHchtZk) to address a maximum severity authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly known as SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly known as SD-WAN vManage.

| CVE | Description | CVSSv3 |
| --- | --- | --- |
| CVE-2026-20127 | Cisco Catalyst SD-WAN Controller/Manager Authentication Bypass Vulnerability | 10.0 |

Analysis
CVE-2026-20127 is a critical severity authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted requests to an affected system, allowing them to log into the device as a high-privileged user. With this access, the attacker could modify network configurations for the SD-WAN fabric. According to the advisory, this vulnerability has been exploited in the wild in limited attacks. The advisory further clarifies that the flaw affects vulnerable versions regardless of the device’s configuration and that no workarounds are available; however, temporary mitigation guidance is provided in the security advisory.
CISA releases an Emergency Directive for CVE-2026-20127
Coinciding with the release of the security advisory for CVE-2026-20127, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released emergency directive (ED) 26-03 titled Mitigate Vulnerabilities in Cisco SD-WAN Systems. The ED directs Federal Civilian Executive Branch (FCEB) agencies to take immediate action to identify any Cisco Software-Defined Wide-Area Networking (SD-WAN) systems. The ED notes that CVE-2026-20127 and CVE-2022-20775, a path traversal vulnerability affecting SD-WAN devices, pose imminent risk to federal networks. While the ED applies to FCEB agencies, any users who have not yet mitigated their SD-WAN devices for either of these CVEs should take immediate action as threat actors have been observed exploiting these vulnerabilities.
As ongoing exploitation has been observed, Cisco’s security advisory includes indicators of compromise which can aid defenders in identifying whether their device has been compromised. Nation-state-sponsored actors, including Salt Typhoon and Volt Typhoon, have been known for past exploitation of Cisco devices, so it’s imperative that immediate action is taken to remediate these vulnerabilities.
In addition to CISA, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) also released an alert warning of exploitation of CVE-2026-20127. The ACSC was credited in the Cisco security advisory for reporting the flaw to Cisco and the ACSC alert also includes a threat hunting guide co-authored by multiple agencies including CISA, the National Security Agency (NSA), the Canadian Centre for Cyber Security (Cyber Centre), the New Zealand National Cyber Security Centre (NCSC-NZ) and the United Kingdom National Cyber Security Centre (NCSC-UK).
Exploitation attributed to UAT-8616
While the alerts from the government agencies and Cisco’s security advisory did not provide attribution for the attacks targeting CVE-2026-20127, Cisco’s Talos threat intelligence team released a blog attributing the threat activity to UAT-8616. Cisco Talos notes that UAT-8616 is assessed “with high confidence” as “a highly sophisticated cyber threat actor.” The Cisco Talos blog includes guidance for investigating compromised devices as well as details of the exploitation activity it has observed.
Proof of concept
At the time this blog was published on February 25, no public proof-of-concept (PoC) exploit had been identified. We anticipate that if a PoC is released, additional attackers will begin to leverage the exploit to conduct mass scanning and exploitation against vulnerable devices.
Solution
Cisco has released patches for affected versions of Cisco Catalyst SD-WAN devices as outlined in the table below:

| Affected Version | Fixed Version |
| --- | --- |
| Versions prior to 20.9 | Migrate to a fixed release |
| 20.9 | 20.9.8.2 (Estimated to be released on February 27) |
| 20.11 | 20.12.6.1 |
| 20.12.5 | 20.12.5.3 |
| 20.12.6 | 20.12.6.1 |
| 20.13 | 20.15.4.2 |
| 20.14 | 20.15.4.2 |
| 20.15 | 20.15.4.2 |
| 20.16 | 20.18.2.1 |
| 20.18 | 20.18.2.1 |

The advisory notes that versions 20.11, 20.13, 20.14, 20.16 and versions prior to 20.9 have reached their end of maintenance and customers should upgrade to a supported release.
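As an added example (not from Tenable’s post or Cisco’s advisory), the following Python script triages an inventory of reported Catalyst SD-WAN Controller/Manager versions against the fixed-release table above. The version strings are transcribed from that table, the inventory is constructed sample data, and the script assumes that any build at or above the fixed release in its own train carries the fix.

```python
from __future__ import annotations

# Release train -> fixed release, transcribed from the table in this post
# (the 20.9 fix was only "estimated" at publication time).
FIXED_RELEASES: dict[str, str] = {
    "20.9": "20.9.8.2", "20.11": "20.12.6.1",
    "20.12.5": "20.12.5.3", "20.12.6": "20.12.6.1",
    "20.13": "20.15.4.2", "20.14": "20.15.4.2", "20.15": "20.15.4.2",
    "20.16": "20.18.2.1", "20.18": "20.18.2.1",
}
# Trains the advisory lists as end of maintenance (no fixed build of their own).
END_OF_MAINTENANCE = {"20.11", "20.13", "20.14", "20.16"}

def parse_version(v: str) -> tuple[int, ...]:
    """'20.12.5.3' -> (20, 12, 5, 3); tuples then compare component-wise."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unexpected version format: {v!r}")
    return parts

def train_of(parts: tuple[int, ...]) -> str | None:
    """Table row covering a version. 20.12 is split into 20.12.5 and 20.12.6
    rows, so try three components before two; None when no row applies."""
    for width in (3, 2):
        key = ".".join(str(p) for p in parts[:width])
        if key in FIXED_RELEASES:
            return key
    return None

def assess(running: str) -> tuple[str, str]:
    """(status, action) for one running version. Assumption (not from the
    advisory): any build at or above the fixed release in its train is patched."""
    parts = parse_version(running)
    if parts < (20, 9):
        return ("vulnerable", "release prior to 20.9: migrate to a fixed release")
    train = train_of(parts)
    if train is None:
        return ("unknown", "no matching row in the table: check the Cisco advisory")
    fixed = FIXED_RELEASES[train]
    if parts >= parse_version(fixed):
        return ("patched", f"at or above fixed release {fixed}")
    if train in END_OF_MAINTENANCE:
        return ("vulnerable", f"train {train} is end of maintenance: upgrade to {fixed}")
    return ("vulnerable", f"upgrade to {fixed}")

if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported software version.
    inventory = {"vmanage-01": "20.12.5.1", "vsmart-01": "20.15.4.2", "old-01": "20.12.4.1"}
    for host, ver in inventory.items():
        print(host, ver, *assess(ver))
```

Versions on a 20.12 build other than 20.12.5 or 20.12.6 are reported as unknown rather than guessed, since the table gives no row for them.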
Identifying affected systems
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2026-20127 and CVE-2022-20775 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Cisco Catalyst SD-WAN devices by using the following query: Document Title contains Cisco Catalyst SD-WAN

Get more information
Join on Tenable Connect for further discussions on the latest cyber threats.
Learn more about , the Exposure Management Platform for the modern attack surface.

*** This is a Security Bloggers Network syndicated blog from Tenable Blog authored by Scott Caveza. Read the original post at: https://www.tenable.com/blog/cve-2026-20127-cisco-catalyst-sd-wan-controllermanager-zero-day-authentication-bypass
