Full Report
A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has come under active exploitation in the wild as part of malicious activity that dates back to 2023. The vulnerability, tracked as CVE-2026-20127 (CVSS score: 10.0), allows an unauthenticated remote attacker to bypass authentication and obtain
Analysis Summary
# Vulnerability: Cisco SD-WAN Authentication Bypass and Administrative Access
## CVE Details
- **CVE ID:** CVE-2026-20127
- **CVSS Score:** 10.0 (Critical)
- **CWE:** Improper Authentication (Peering authentication mechanism failure)
## Affected Systems
- **Products:**
  - Cisco Catalyst SD-WAN Controller (formerly vSmart)
  - Cisco Catalyst SD-WAN Manager (formerly vManage)
- **Versions:**
  - Versions prior to 20.9 (Migration required)
  - Versions 20.9.x
  - Versions 20.11.x, 20.12.x
  - Versions 20.13.x, 20.14.x, 20.15.x
  - Versions 20.16.x, 20.18.x
- **Configurations:** All deployment types are affected, including On-Prem and all Cisco Hosted SD-WAN Cloud environments (Standard, Managed, and FedRAMP), regardless of specific device configuration.
## Vulnerability Description
The vulnerability stems from a failure in the peering authentication mechanism within Cisco Catalyst SD-WAN systems. An unauthenticated remote attacker can send a specially crafted request to the system to bypass authentication. This allows the attacker to gain unauthorized access as a high-privileged, non-root internal user. Once authenticated, the attacker can access NETCONF (Network Configuration Protocol) to manipulate the SD-WAN fabric configuration or create a "rogue peer" that appears as a legitimate component of the management or control plane.
## Exploitation
- **Status:** Exploited in the wild (zero-day activity attributed to threat actor UAT-8616, dating back to 2023).
- **Complexity:** Low (though post-compromise activity is described as "highly sophisticated").
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Access to network configurations and administrative credentials).
- **Integrity:** High (Ability to manipulate SD-WAN fabric and network management plane).
- **Availability:** High (Potential for network-wide disruption via configuration changes).
## Remediation
### Patches
Cisco has released or scheduled the following fixed releases:
- **Major Release 20.9:** Fixed in 20.9.8.2 (Est. Feb 27, 2026)
- **Major Release 20.12:** Fixed in 20.12.5.3 / 20.12.6.1
- **Major Release 20.15:** Fixed in 20.15.4.2
- **Major Release 20.18:** Fixed in 20.18.2.1
### Workarounds
No specific configuration workarounds were provided in the article; immediate patching is the primary recommendation. Systems exposed to the internet are at highest risk.
## Detection
- **Log Analysis:** Audit `/var/log/auth.log` for entries stating `"Accepted publickey for vmanage-admin"`.
- **IP Verification:** Compare IP addresses in the `auth.log` against authorized System IPs listed in the Catalyst SD-WAN Manager WebUI (`WebUI > Devices > System IP`).
- **Indicator of Compromise (IoC):** Look for unauthorized SSH authorized keys for root access, modified start-up scripts, or evidence of log purging/history clearing in `/var/log`.
- **Behavioral:** Monitor for unexpected "rogue peers" joining the SD-WAN control plane or unauthorized NETCONF traffic on port 830.
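The first two checks above (successful `vmanage-admin` public-key logins whose source IP is not an authorized System IP) as a small triage script. This is an added example, not code from Cisco or the advisory; the log lines and the System IP allowlist are constructed, and the regex assumes the standard OpenSSH `Accepted publickey for USER from IP port N` wording.

```python
import re

# OpenSSH "Accepted publickey" line shape; the user name is the one the
# advisory's detection guidance points at (vmanage-admin).
ACCEPT_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[0-9a-fA-F:.]+) port (?P<port>\d+)"
)

# Constructed sample lines (not real log data). 10.0.0.0/8 hosts stand in
# for legitimate SD-WAN components; 198.51.100.0/24 is TEST-NET-2.
SAMPLE_AUTH_LOG = """\
Feb 25 10:12:01 vmanage sshd[2231]: Accepted publickey for vmanage-admin from 10.1.1.5 port 51022 ssh2: RSA SHA256:AAAA
Feb 25 10:12:09 vmanage sshd[2240]: Accepted password for admin from 10.1.1.20 port 51030 ssh2
Feb 25 10:13:44 vmanage sshd[2251]: Accepted publickey for vmanage-admin from 198.51.100.77 port 40211 ssh2: RSA SHA256:BBBB
Feb 25 10:14:02 vmanage sshd[2260]: Failed publickey for vmanage-admin from 198.51.100.78 port 40212 ssh2
"""

# Constructed allowlist: in a real deployment, populate this from the
# System IPs shown under WebUI > Devices > System IP.
AUTHORIZED_SYSTEM_IPS = {"10.1.1.5", "10.1.1.6", "10.1.1.20"}


def find_suspicious_peer_logins(auth_log, authorized_ips, user="vmanage-admin"):
    """Return (line_number, source_ip) for every successful public-key login
    of `user` whose source IP is not in the authorized System IP set.
    Failed attempts and password logins are ignored on purpose: the
    advisory's indicator is an *accepted* publickey login for this user."""
    hits = []
    for n, line in enumerate(auth_log.splitlines(), start=1):
        m = ACCEPT_RE.search(line)
        if not m or m.group("user") != user:
            continue
        ip = m.group("ip")
        if ip not in authorized_ips:
            hits.append((n, ip))
    return hits


if __name__ == "__main__":
    for n, ip in find_suspicious_peer_logins(SAMPLE_AUTH_LOG, AUTHORIZED_SYSTEM_IPS):
        print(f"line {n}: vmanage-admin publickey login from unauthorized IP {ip}")
```

On a live system, feed it the contents of `/var/log/auth.log` and the real System IP list; any hit is a lead for the IoC checks that follow (unexpected root authorized keys, modified start-up scripts, purged logs).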
## References
- Cisco Security Advisory: hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
- Cisco Talos Blog (UAT-8616): hxxps[://]blog[.]talosintelligence[.]com/uat-8616-sd-wan/
- News Source: hxxps[://]thehackernews[.]com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127[.]html