A critical vulnerability in Cisco’s Catalyst SD-WAN products has come to light, posing significant security risks. Identified as CVE-2026-20127, this flaw allows attackers to bypass authentication and gain root access, impacting core networking functions.
Details of the Cisco Vulnerability
This zero-day vulnerability affects the peering authentication of Cisco Catalyst SD-WAN Controller and Manager, previously known as vSmart and vManage. By sending specially crafted requests, attackers can bypass security checks to log in as a high-privileged user, enabling potential manipulation of the SD-WAN network configuration.
Such access allows for the addition of unauthorized peers and changes to routing, carrying a critical CVSS v3.1 base score of 10.0. The network-based attack requires low complexity, no prior access, and no user interaction, heightening its severity.
Impact and Exploitation Timeline
The vulnerability affects both on-premises and Cisco-hosted SD-WAN Cloud environments, including FedRAMP configurations. While Cisco released patches on February 25, 2026, no workarounds are currently available. Exploitation of this vulnerability has been active since 2023, with Cisco Talos identifying the campaign as UAT-8616, targeting high-value sectors like critical infrastructure.
Attackers have been known to downgrade software to exploit additional vulnerabilities such as CVE-2022-20775, then revert to original versions to avoid detection. This strategy highlights sophisticated tactics used to compromise internet-exposed management and control planes.
Mitigation and Security Recommendations
Organizations are urged to apply the latest patches immediately and conduct thorough audits of their SD-WAN systems. This includes inventorying exposed ports, reviewing NETCONF logs, and monitoring for unauthorized peer activity.
CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog, requiring swift action from FCEB agencies. Global security bodies have also issued alerts, emphasizing the urgency of addressing this threat.
To mitigate risks, enabling logging for authentication failures and regularly resetting compromised configurations is recommended. Engaging with Cisco’s Technical Assistance Center for further support is advised.
As attackers like UAT-8616 continue to seek persistent access through edge devices, implementing zero-trust security measures becomes increasingly critical for safeguarding network infrastructure.
