A critical authentication bypass vulnerability in Cisco Catalyst SD-WAN systems has been actively exploited since 2023, prompting an emergency directive from the US Cybersecurity and Infrastructure Security Agency (CISA).
Tracked as CVE-2026-20127 and rated 10.0 under the Common Vulnerability Scoring System (CVSS), the identified flaw allows a remote, unauthenticated attacker to gain administrative-level access to unpatched systems. Cisco disclosed the issue in a security advisory on Feb. 25, confirming limited in-the-wild exploitation.
The vulnerability affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager (formerly known as vSmart and vManage) across on-prem, Cisco-hosted cloud, Cisco-managed, and FedRAMP environments.
According to Cisco, the issue stems from a failure in the systems’ peering authentication mechanism, which validates trusted communication between SD-WAN components.
An attacker can send crafted requests to circumvent authentication and log in as a high-privileged, non-root internal user. From there, access to Network Configuration Protocol (NETCONF) services could allow manipulation of the SD-WAN fabric’s configuration.
Federal Agencies Given 24 Hours To Patch
CISA added CVE-2026-20127 and CVE-2022-20775 (a separate privilege-escalation flaw) to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday and issued Emergency Directive 26-03.
Federal Civilian Executive Branch agencies must apply patches within 24 hours and complete device inventories and mitigation reporting by March 26, 2026.
According to Cisco, threat activity linked to a cluster tracked as UAT-8616 involved introducing rogue peers into the SD-WAN management plane.
Investigators found that the attackers downgraded some software versions in order to exploit CVE-2022-20775, escalated privileges to root, and only afterward restored the original versions.
“CISA remains unwavering in its commitment to protect our federal networks from malicious cyber threat actors despite the multi-week government shutdown of the Department of Homeland Security,” said Madhu Gottumukkala, Acting Director at CISA. “The ease with which these vulnerabilities can be exploited demands immediate action from all federal agencies.”
Cisco has released software updates and stated there are no workarounds. The company advised organizations to audit authentication logs, restrict internet exposure of SD-WAN controllers, and validate unexpected peering events.
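Both the audit advice above (validating unexpected peering events) and the downgrade-then-restore behaviour investigators described can be checked against exported event records. The following is an added example, not code from Cisco or CISA; the record schema, device names, peer addresses and version numbers are constructed for illustration and do not reflect Cisco's log format.

```python
from datetime import datetime

# Constructed sample data in a hypothetical normalized schema (not Cisco's log format).
KNOWN_PEERS = {"10.0.0.11", "10.0.0.12"}  # assumed inventory of approved peers
EVENTS = [
    {"ts": "2026-02-20T01:00:00", "device": "ctrl-1", "type": "peer_up", "peer": "10.0.0.11"},
    {"ts": "2026-02-20T01:05:00", "device": "ctrl-1", "type": "peer_up", "peer": "198.51.100.7"},
    {"ts": "2026-02-20T02:00:00", "device": "ctrl-1", "type": "version", "version": "3.2.0"},
    {"ts": "2026-02-20T02:30:00", "device": "ctrl-1", "type": "version", "version": "3.1.0"},
    {"ts": "2026-02-20T03:10:00", "device": "ctrl-1", "type": "version", "version": "3.2.0"},
    {"ts": "2026-02-21T04:00:00", "device": "mgr-1", "type": "version", "version": "3.2.0"},
    {"ts": "2026-02-22T04:00:00", "device": "mgr-1", "type": "version", "version": "3.3.0"},
]

def parse_version(v):
    """Turn '3.2.0' into (3, 2, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def unexpected_peers(events, known):
    """Return peers that came up but are absent from the approved inventory."""
    return sorted({e["peer"] for e in events
                   if e["type"] == "peer_up" and e["peer"] not in known})

def downgrade_then_restore(events, window_hours=24):
    """Flag devices whose version drops, then returns to the prior one within the window."""
    findings, history = [], {}  # history: device -> [(time, version), ...]
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "version":
            continue
        h = history.setdefault(e["device"], [])
        h.append((datetime.fromisoformat(e["ts"]), e["version"]))
        if len(h) < 3:
            continue
        (t0, v0), (t1, v1), (t2, v2) = h[-3:]
        dropped = parse_version(v1) < parse_version(v0)
        restored = v2 == v0
        in_window = (t2 - t0).total_seconds() <= window_hours * 3600
        if dropped and restored and in_window:
            findings.append((e["device"], v0, v1, t1.isoformat(), t2.isoformat()))
    return findings

if __name__ == "__main__":
    print("Unexpected peers:", unexpected_peers(EVENTS, KNOWN_PEERS))
    for dev, orig, low, t_down, t_up in downgrade_then_restore(EVENTS):
        print(f"{dev}: {orig} -> {low} at {t_down}, restored at {t_up}")
```

A restored version number hides the downgrade from a point-in-time inventory, so the check has to run over the change history rather than the current state.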