Full Report
Cisco Talos is tracking the active exploitation of CVE-2026-20127, a vulnerability in Cisco Catalyst SD-WAN Controller, formerly vSmart, that allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges.
Analysis Summary
# Vulnerability: Authentication Bypass and Privilege Escalation in Cisco Catalyst SD-WAN Controller
## CVE Details
- CVE ID: CVE-2026-20127
- CVSS Score: N/A (not stated in the summarized text; unauthenticated remote access to administrative privileges under active exploitation indicates Critical severity)
- CWE: Authentication Bypass (Implied)
## Affected Systems
- Products: Cisco Catalyst SD-WAN Controller (formerly vSmart)
- Versions: All vulnerable versions (Specific versions not listed, refer to Cisco Advisory)
- Configurations: N/A (Affects an unauthenticated path)
## Vulnerability Description
The vulnerability exists in the Cisco Catalyst SD-WAN Controller and allows an unauthenticated, remote attacker to bypass the authentication mechanism. The attacker sends a crafted request to an affected system, which can result in administrative privileges as an internal, high-privileged, non-root user account on the Controller.
## Exploitation
- Status: **Exploited in the wild** (Actively tracked by Cisco Talos, linked to threat actor UAT-8616; exploitation evidence dates back to 2023)
- Complexity: Low (a single crafted request from an unauthenticated remote position yields administrative privileges)
- Attack Vector: Network
## Impact
- Confidentiality: High (Administrative privileges allow access to sensitive configuration/data)
- Integrity: High (Administrative privileges allow configuration changes)
- Availability: High (Administrative privileges allow system disruption)
## Remediation
### Patches
- Specific patch versions are not listed in the summary text. Customers **must** refer to the official Cisco Security Advisory for CVE-2026-20127 for remediation guidance.
### Workarounds
- No explicit workarounds are detailed, but the investigation suggests defensive actions related to monitoring control connection peering events and reviewing system integrity. Customers are strongly advised to apply security updates immediately.
## Detection
- **Indicators of Compromise (IOCs):**
  - Initial Access: Critical focus on control connection peering events (especially vManage types) in Catalyst SD-WAN logs that are unexpected in timing, source IP, or peer type.
  - Post-Compromise Activity (UAT-8616):
    - Creation/usage/deletion of malicious user accounts (missing `bash_history` or `cli-history`).
    - Interactive root sessions (unaccounted SSH keys in `/home/root/.ssh/authorized_keys` with `PermitRootLogin yes`).
    - Presence of unauthorized SSH keys for the `vmanage-admin` account.
    - Abnormally small, absent, or size 0/1/2 byte logs, indicating log/history clearing (`syslog`, `wtmp`, `lastlog`, `cli-history`, `bash_history`).
    - Evidence of unexpected software downgrades/upgrades (look for messages like "Waiting for upgrade confirmation from user... Reverting to previous software version").
    - Evidence of exploitation of **CVE-2022-20775** using path traversal strings (e.g., `../../` or `/\n&../\n&../`).
- **Detection Methods and Tools:**
  - Manual validation of all control connection peering events using the provided checklist (IP validation, timestamp correlation, peer type validation).
  - Reviewing system logs for signs of privilege escalation (including monitoring for root logins and SSH file activity).
  - Snort coverage: Rules **65938** and **65958** are released for threat coverage.
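A host-side triage routine for the post-compromise indicators above (an added example, not Talos or Cisco code): it flags cleared or missing history logs, `PermitRootLogin yes` together with root keys absent from an inventory, and the CVE-2022-20775 traversal strings and rollback message in syslog. The sample artifacts, the inventory of known key blobs and the log line formats are constructed assumptions; on a controller the same functions would be fed the files named above, and the key check applies equally to the `vmanage-admin` account.

```python
# Added example (not Talos or Cisco code): host triage for the UAT-8616 indicators above.
import re
# Logs whose absence or 0/1/2-byte size points to history or log clearing.
HISTORY_LOGS = ("syslog", "wtmp", "lastlog", "cli-history", "bash_history")
# Traversal fragments tied to CVE-2022-20775 (second form: embedded newlines).
TRAVERSAL = ("../../", "/\n&../\n&../")
DOWNGRADE_MSG = "Reverting to previous software version"

def check_log_sizes(sizes):
    """sizes maps log name to byte count, or None when the file is missing."""
    return [n for n in HISTORY_LOGS if sizes.get(n) is None or sizes[n] <= 2]

def check_root_login(sshd_config, authorized_keys, known_blobs):
    """Flag PermitRootLogin yes and any root key whose blob is not inventoried."""
    findings = []
    if re.search(r"^\s*PermitRootLogin\s+yes\b", sshd_config, re.M):
        findings.append("PermitRootLogin yes")
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] not in known_blobs:
            findings.append("unaccounted root key: " + parts[-1])
    return findings

def check_syslog(lines):
    """Flag traversal strings and the rollback message named in the hunt guide."""
    findings = []
    for line in lines:
        if any(t in line for t in TRAVERSAL):
            findings.append("path traversal: " + line.strip())
        if DOWNGRADE_MSG in line:
            findings.append("software rollback: " + line.strip())
    return findings

# Constructed sample artifacts; none of these values come from a real device.
SAMPLE_SIZES = {"syslog": 0, "wtmp": 48213, "lastlog": 1,
                "cli-history": 7301, "bash_history": None}
SAMPLE_SSHD = "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n"
SAMPLE_KEYS = ("ssh-ed25519 AAAAC3Nz_KNOWN_BLOB ops@inventory\n"
               "ssh-ed25519 AAAAC3Nz_UNLISTED_BLOB unlisted@example\n")
KNOWN_BLOBS = {"AAAAC3Nz_KNOWN_BLOB"}
SAMPLE_SYSLOG = [
    "Jan 12 03:15:02 ctrl web[311]: request path /api/../../tmp",
    "Jan 12 03:40:11 ctrl install: Waiting for upgrade confirmation from user... "
    "Reverting to previous software version",
]

def triage():
    # Run every check over the sample artifacts; returns the hits per area.
    return {"cleared_logs": check_log_sizes(SAMPLE_SIZES),
            "root_access": check_root_login(SAMPLE_SSHD, SAMPLE_KEYS, KNOWN_BLOBS),
            "syslog": check_syslog(SAMPLE_SYSLOG)}
```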
## References
- Vendor Advisory: hxxps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
- Intelligence Partner Hunt Guide: hxxps://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf
- Additional Advisory Links:
  - hxxps://www.cyber.gc.ca/en/alerts-advisories/al26-004-critical-vulnerability-affecting-cisco-catalyst-sd-wan-cve-2026-20127
  - hxxps://www.ncsc.gov.uk/news/exploitation-cisco-catalyst-sd-wans
- Cisco Hardening Guide (General Recommendation): (Link not provided in summary text, check vendor site)