UCC-CERT-AD-26-003: CVE-2026-20127 Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability.

Overview

CVE-2026-20127 is a vulnerability in the peering authentication of Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) that could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. The vulnerability exists because the peering authentication mechanism in an affected system does not work properly. An attacker could exploit it by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF and manipulate the network configuration of the SD-WAN fabric. Cisco has released software updates that address this vulnerability.

Impact and Risk Assessment

Risk Level: Critical

CVSS Score: 10.0 (CVSS v3.1) – Critical

This vulnerability, CVE-2026-20127, has a CVSS base score of 10.0, the highest possible severity rating. The score indicates that the vulnerability is remotely exploitable over the network, requires no authentication or user interaction, and can lead to complete compromise of confidentiality, integrity, and availability of affected systems.

Reasons: Remote exploitation, no authentication required, active exploitation observed, impacts critical network infrastructure.

Impact

Successful exploitation allows attackers to gain administrative access to controllers, inject rogue peers into the control plane, intercept or redirect network traffic, and disrupt enterprise network operations.

Vulnerability Details

The flaw occurs because the peering authentication mechanism fails to properly validate incoming authentication requests. This allows crafted requests to be treated as legitimate connections by the SD-WAN management plane. After authentication bypass, attackers gain access to an internal high-privileged non-root account that can interact with NETCONF, which manages network configuration across the SD-WAN environment.

Affected Products and Systems

  • Cisco Catalyst SD-WAN Controller (vSmart)

Versions earlier than 20.9, 20.9 prior to 20.9.8.2, 20.11, 20.12.5 prior to 20.12.5.3, 20.12.6 prior to 20.12.6.1, 20.13, 20.14, 20.15 prior to 20.15.4.2, 20.16, and 20.18 prior to 20.18.2.1.

  • Cisco Catalyst SD-WAN Manager (vManage)

Versions earlier than 20.9, 20.9 prior to 20.9.8.2, 20.11, 20.12.5 prior to 20.12.5.3, 20.12.6 prior to 20.12.6.1, 20.13, 20.14, 20.15 prior to 20.15.4.2, 20.16, and 20.18 prior to 20.18.2.1.
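The version ranges above mix two cases that need different responses: trains with a fixed release (upgrade within the train) and trains listed as affected with no fix (migrate to a fixed train). The following script is an added example, not part of this advisory or of any Cisco tooling; it transcribes the Controller version list into a table and classifies a release string against it. Releases the list does not mention (for example 20.10 or 20.17) are reported as "not listed" rather than guessed, and should be checked against the vendor advisory. The sample inventory in the main block is constructed.

```python
"""Added example (not from the advisory): classify a running Cisco Catalyst
SD-WAN Controller or Manager release against the affected ranges listed
above. Anything the list does not cover is reported as "not listed"."""

# Trains that have a fixed release, keyed by the prefix the advisory uses
# ("20.9 prior to 20.9.8.2" -> prefix (20, 9), fixed (20, 9, 8, 2)).
FIXED_RELEASES = {
    (20, 9): (20, 9, 8, 2),
    (20, 12, 5): (20, 12, 5, 3),
    (20, 12, 6): (20, 12, 6, 1),
    (20, 15): (20, 15, 4, 2),
    (20, 18): (20, 18, 2, 1),
}

# Trains listed as affected with no fixed release: migrate, do not patch in place.
UNFIXED_TRAINS = {(20, 11), (20, 13), (20, 14), (20, 16)}

# "Versions earlier than 20.9" are all listed as affected.
OLDEST_LISTED = (20, 9)


def parse_release(text):
    """'20.12.5.3' -> (20, 12, 5, 3); rejects anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric release: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(release):
    return ".".join(str(p) for p in release)


def assess_release(text):
    """Return {'version', 'status', 'fixed_release'}.

    status is 'affected', 'fixed' or 'not listed'; fixed_release is the
    fixed release of the matching train, or None when the train has no fix
    or the release is not covered by the advisory's list."""
    v = parse_release(text)
    if v < OLDEST_LISTED or v[:2] in UNFIXED_TRAINS:
        return {"version": fmt(v), "status": "affected", "fixed_release": None}
    # Longest prefix first, so 20.12.5.x is matched by (20, 12, 5) and not
    # accidentally by a shorter train prefix.
    for prefix in sorted(FIXED_RELEASES, key=len, reverse=True):
        if v[: len(prefix)] == prefix:
            fixed = FIXED_RELEASES[prefix]
            status = "fixed" if v >= fixed else "affected"
            return {"version": fmt(v), "status": status, "fixed_release": fmt(fixed)}
    return {"version": fmt(v), "status": "not listed", "fixed_release": None}


if __name__ == "__main__":
    # Constructed sample inventory; replace with your own controller/manager
    # version inventory.
    for ver in ["20.8.1", "20.9.7", "20.9.8.2", "20.12.5.1", "20.13.1", "20.17.1", "20.18.2.1"]:
        r = assess_release(ver)
        target = r["fixed_release"] or "migrate to a fixed train / verify with vendor"
        print(f"{r['version']:>10}  {r['status']:<11} -> {target}")
```

Tuple comparison does the right thing for releases of different depth: 20.9.8 sorts below 20.9.8.2 and is therefore affected, while 20.9.9 sorts above it and is fixed.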

This vulnerability affects the following deployment types:

  • On-Prem Deployment
  • Cisco Hosted SD-WAN Cloud
  • Cisco Hosted SD-WAN Cloud – Cisco Managed
  • Cisco Hosted SD-WAN Cloud – FedRAMP Environment

Attack Vector and Exploitation Scenario

The vulnerability can be exploited remotely over the network without authentication. The attacker targets exposed management interfaces, in particular services listening on port 22 (SSH) and port 830 (NETCONF), which are commonly reachable on SD-WAN controllers and managers. By sending crafted requests that abuse the flawed peering authentication mechanism, the attacker joins the SD-WAN management or control plane as a trusted peer and gains access to a high-privileged internal account. NETCONF is then used to modify routing policies, configurations, or device settings.

Exploit Status

  1. Active exploitation has been observed in the wild. Security researchers and Cisco Talos have linked exploitation activity to a sophisticated threat actor tracked as UAT-8616, targeting high-value organizations and critical infrastructure sectors.
  2. The vulnerability may have been exploited as a zero-day since at least 2023, indicating long-term adversary access to exposed SD-WAN environments.
  3. Public proof-of-concept (PoC) exploit code is available on GitHub: zerozenxlabs/CVE-2026-20127—Cisco-SD-WAN-Preauth-RCE

Operational Implication

Given the confirmed exploitation activity and availability of PoC tools, organizations running affected Cisco SD-WAN components should prioritize immediate patching, compromise assessment, and monitoring for unauthorized control-plane peers or suspicious management activity.

Mitigation and Recommendations

  1. Apply the vendor patches immediately; Cisco has released fixed software.
  2. Block external access to SSH (TCP 22) and NETCONF (TCP 830) on controllers and managers.
  3. Restrict management access to trusted management networks.
  4. Segment the SD-WAN control and management plane from user and internet-facing networks.
  5. Enforce strong access controls on management accounts.
  6. Harden SD-WAN infrastructure by disabling unnecessary services.

Detection and Monitoring Guidance

  1. Log monitoring: search /var/log/auth.log for entries of the form: Accepted publickey for vmanage-admin from [Unknown_IP] port [Port]
  2. Cross-reference the source IP against your authorized management subnets. Attackers often use the vmanage-admin account to establish persistence.
  3. Monitor for the specific notification: system-login-change severity-level:minor host-name:"" system-ip: user-name:"root"
  4. Be alert for logs that are abnormally small (0–2 bytes) or have gaps in time. Specifically, check for truncation of syslog, wtmp, lastlog, cli-history and bash_history.
  5. Watch for high-volume NETCONF (port 830) or REST API calls from non-orchestration IPs. This is often used to push malicious policies that redirect traffic to attacker-controlled "collector" nodes.
  6. Hunt for crafted API requests targeting port 443 or port 830, unauthorized keys added to /home/vmanage-admin/.ssh/authorized_keys, creation of new local users with the netadmin role via the API, and zero-size bash_history files for the vmanage-admin or root users.
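The host-side checks in the list above (vmanage-admin logins from outside the management subnet, root login notifications, truncated log files and unexpected authorized_keys entries) are simple to script. The following is an added example, not part of this advisory and not a Cisco tool. Everything it operates on is constructed: the management subnet, the auth.log and notification lines, the file sizes and the authorized_keys contents are hypothetical sample data. On a real controller or manager, feed the functions the actual /var/log/auth.log, the syslog/notification stream, the real file paths (using os.path.getsize) and /home/vmanage-admin/.ssh/authorized_keys, and keep a baseline of the orchestrator keys you expect to see.

```python
"""Added example (not from the advisory or Cisco): host-side hunting checks
for the indicators listed above, run over constructed sample data."""
import ipaddress
import os
import re

# The sshd line the advisory says to hunt for.
SSH_ACCEPT_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)
# The system-login-change notification for the root user.
ROOT_LOGIN_RE = re.compile(r'system-login-change\b.*\buser-name:"root"')

# Hypothetical authorized management network.
ALLOWED_MGMT_NETS = ["10.10.0.0/24"]

# Constructed sample data. 203.0.113.0/24 is documentation address space,
# standing in here for an unknown external source.
SAMPLE_AUTH_LOG = [
    "Feb 25 02:11:09 vsmart sshd[2210]: Accepted publickey for vmanage-admin from 10.10.0.5 port 40122 ssh2: RSA SHA256:orch",
    "Feb 25 03:47:51 vsmart sshd[2877]: Accepted publickey for vmanage-admin from 203.0.113.45 port 51522 ssh2: RSA SHA256:unk",
    "Feb 25 03:48:02 vsmart sshd[2880]: Accepted password for admin from 10.10.0.7 port 40200 ssh2",
]
SAMPLE_NOTIFICATIONS = [
    'system-login-change severity-level:minor host-name:"" system-ip: user-name:"root"',
    'system-login-change severity-level:minor host-name:"vsmart1" system-ip:10.1.1.1 user-name:"admin"',
]
SAMPLE_SIZES = {  # stands in for os.path.getsize() results
    "/var/log/syslog": 48213,
    "/var/log/wtmp": 0,
    "/var/log/lastlog": 292876,
    "/home/vmanage-admin/.bash_history": 2,
}
BASELINE_KEYS = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOrchestratorKey orchestrator@nms"]
SAMPLE_AUTHORIZED_KEYS = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOrchestratorKey orchestrator@nms\n"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleUnknownKey unknown@unknown\n"
)


def suspicious_logins(log_lines, allowed_nets, user="vmanage-admin"):
    """(ip, port) of accepted public-key logins as `user` from outside every allowed net."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for line in log_lines:
        m = SSH_ACCEPT_RE.search(line)
        if not m or m.group("user") != user:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if not any(ip in net for net in nets):
            hits.append((str(ip), int(m.group("port"))))
    return hits


def root_login_notifications(lines):
    """Notification lines that record a login as root."""
    return [l.strip() for l in lines if ROOT_LOGIN_RE.search(l)]


def truncated_logs(paths, max_bytes=2, size_of=os.path.getsize):
    """Paths whose size is at most max_bytes (0-2 bytes by default), the footprint
    left when wtmp, lastlog or history files are wiped. Missing files are skipped;
    size_of is injectable so the check can run on recorded sizes."""
    found = []
    for p in paths:
        try:
            if size_of(p) <= max_bytes:
                found.append(p)
        except OSError:
            continue
    return found


def unknown_authorized_keys(authorized_keys_text, baseline_keys):
    """Key lines not in the baseline, compared on key type + key blob so a changed
    comment cannot hide a known key. A line with a leading options field (from=...)
    will not match a plain baseline entry and is deliberately reported."""
    def ident(line):
        parts = line.split()
        return tuple(parts[:2]) if len(parts) >= 2 else None
    known = {ident(k) for k in baseline_keys}
    return [
        l for l in authorized_keys_text.splitlines()
        if l.strip() and not l.startswith("#") and ident(l) not in known
    ]


def hunt(auth_log=SAMPLE_AUTH_LOG, notifications=SAMPLE_NOTIFICATIONS,
         sizes=SAMPLE_SIZES, authorized_keys=SAMPLE_AUTHORIZED_KEYS):
    """Run every check and return the findings as one dict."""
    return {
        "external_vmanage_admin_logins": suspicious_logins(auth_log, ALLOWED_MGMT_NETS),
        "root_logins": root_login_notifications(notifications),
        "truncated_logs": truncated_logs(sizes, size_of=sizes.__getitem__),
        "unknown_keys": unknown_authorized_keys(authorized_keys, BASELINE_KEYS),
    }


if __name__ == "__main__":
    for name, findings in hunt().items():
        print(f"{name}: {findings}")
```

On the sample data the external login from 203.0.113.45, the root notification, the wiped wtmp and bash_history files and the unknown ssh-rsa key are all reported; the orchestrator login from inside 10.10.0.0/24 is not. Treat a hit on any one of these as a reason to start a compromise assessment rather than as a confirmed breach on its own.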

References

  • Cisco: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
  • NVD: CVE-2026-20127
  • CISA: Known Exploited Vulnerabilities Catalog
  • Critical Cisco Catalyst Vulnerability Exploited in the Wild (CVE-2026-20127)
  • Security Advisory: CVE-2026-20127 – Cisco Catalyst SD-WAN Authentication Bypass
  • Message from SentinelOne
  • CVE-2026-20127: Cisco Catalyst SD-WAN Auth Bypass Exploited In The Wild
  • TheHackerWire: CVE-2026-20127 – Critical Vulnerability
