Full Report
Multiple vulnerabilities have been discovered in Cisco Catalyst SD-WAN products, the most severe of which could allow for authentication bypass. Cisco Catalyst SD-WAN (formerly Viptela) is a secure, cloud-delivered software-defined WAN architecture that optimizes application performance by intelligently routing traffic over any combination of transport links (MPLS, broadband, LTE). Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Cisco Catalyst SD-WAN Allowing Authentication Bypass and Privilege Escalation
## CVE Details
- CVE ID: CVE-2026-20127, CVE-2026-20129, CVE-2026-20126 (the source also references CVE-2022-20775 in the context of post-access privilege escalation; see Exploitation)
- CVSS Score: Not explicitly provided in the source. CVE-2026-20127 is treated as critical here because it yields unauthenticated, remote administrative access.
- CWE: Not explicitly provided for all CVEs; the described flaws are improper-authentication issues (consistent with CWE-287, Improper Authentication).
## Affected Systems
- Products:
- Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage)
- Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart)
- Versions (the same ranges apply to SD-WAN Manager and SD-WAN Controller):
- 20.9 versions prior to 20.9.8.2 (estimated release Feb 27, 2026)
- 20.12.5 versions prior to 20.12.5.3
- 20.12.6 versions prior to 20.12.6.1
- 20.15 versions prior to 20.15.4.2
- 20.18 versions prior to 20.18.2.1
- 20.11, 20.13, 20.14, 20.16 are EOL (no fix; migrate to a maintained train).
- Note that 20.12 is listed as two sub-branches (20.12.5.x and 20.12.6.x); 20.12 builds outside those sub-branches are not covered by the ranges above and should be checked against the Cisco advisory directly.
- Configurations: Applies to systems running the listed vulnerable versions.
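As a triage helper added here (not Cisco tooling and not from the source), the following Python encodes the version ranges above and classifies a running build. The longest-prefix matching for the two 20.12 sub-branches and the UNKNOWN result for builds outside the listed ranges are this example's own choices; the version strings it expects are plain dotted numbers such as `20.12.5.1`.

```python
"""Triage helper: is a Cisco Catalyst SD-WAN Manager/Controller build in one of
the vulnerable ranges listed above?  Ranges are transcribed from the page;
anything outside them is reported as UNKNOWN so the operator consults the Cisco
advisory rather than trusting a guess.  Example code, not Cisco's tooling."""
from __future__ import annotations

from typing import Tuple

# (train prefix) -> first fixed version, per the page.  A prefix matches a
# running version whose leading components equal the prefix.
FIXED_VERSIONS = {
    (20, 9): (20, 9, 8, 2),
    (20, 12, 5): (20, 12, 5, 3),
    (20, 12, 6): (20, 12, 6, 1),
    (20, 15): (20, 15, 4, 2),
    (20, 18): (20, 18, 2, 1),
}
# Trains the page lists as end-of-life: no fix, migrate to a maintained train.
EOL_TRAINS = {(20, 11), (20, 13), (20, 14), (20, 16)}


def parse_version(s: str) -> Tuple[int, ...]:
    """Parse '20.12.5.1' (or '20.12.5', '20.9') into a 4-tuple of ints.
    Missing trailing components are padded with 0 so comparison is
    component-wise and '20.18.2' sorts before '20.18.2.1'."""
    parts = tuple(int(p) for p in s.strip().split("."))
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {s!r}")
    return parts + (0,) * (4 - len(parts))


def assess(version: str) -> Tuple[str, str]:
    """Return (status, detail); status is VULNERABLE, FIXED, EOL or UNKNOWN."""
    v = parse_version(version)
    if v[:2] in EOL_TRAINS:
        return "EOL", f"{version}: train {v[0]}.{v[1]} is end-of-life; migrate to a fixed train"
    # Longest prefix first so 20.12.5.x and 20.12.6.x resolve to their own
    # sub-branch rather than to a generic 20.12 entry (there is none).
    for prefix in sorted(FIXED_VERSIONS, key=len, reverse=True):
        if v[: len(prefix)] == prefix:
            fixed = FIXED_VERSIONS[prefix]
            fixed_str = ".".join(map(str, fixed))
            if v < fixed:
                return "VULNERABLE", f"{version} < {fixed_str}; upgrade to {fixed_str} or later"
            return "FIXED", f"{version} >= {fixed_str}"
    return "UNKNOWN", f"{version}: not in a range listed on this page; consult the Cisco advisory"


if __name__ == "__main__":
    # Constructed inputs covering each branch of the decision.
    for build in ("20.9.7", "20.12.5.3", "20.12.6", "20.12.4.1", "20.13.1", "20.18.2"):
        status, detail = assess(build)
        print(f"{status:<10} {detail}")
```

Run it against the output of `show version` on each Manager and Controller node; anything reported UNKNOWN is a prompt to read the advisory, not a clean bill of health.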
## Vulnerability Description
Multiple flaws exist, with the most severe allowing **unauthenticated, remote attackers** to bypass authentication and gain administrative privileges.
1. **CVE-2026-20127 (Authentication Bypass/Privilege Escalation):** A flaw in the peering authentication mechanism of the SD-WAN Controller and Manager allows an unauthenticated, remote attacker to send crafted requests that bypass authentication and log in as an internal, high-privileged, non-root user. That account has NETCONF access, which is sufficient to manipulate the SD-WAN fabric configuration. (MITRE ATT&CK Tactic: Initial Access, Technique: Exploit Public-Facing Application, T1190.)
2. **CVE-2026-20129 (API Authentication Bypass):** A vulnerability exists in the API user authentication of SD-WAN Manager. An unauthenticated, remote attacker can send crafted requests to the API to gain access as a user with the `netadmin` role, allowing command execution with those privileges.
3. **CVE-2026-20126 (Local Privilege Escalation):** An authenticated, low-privilege local attacker can exploit an insufficient user authentication mechanism in the REST API to gain root privileges on the underlying operating system.
## Exploitation
- Status: **Exploited in the wild**. CISA added CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) Catalog on Feb. 25, 2026; the source cites the latter as a privilege-escalation step used after initial access.
- Complexity: At least one key vulnerability (CVE-2026-20127) appears to be **Low** complexity, allowing unauthenticated remote exploitation for initial access.
- Attack Vector: **Network** (Remote for initial access flaws) and **Local** (for privilege escalation flaws).
## Impact
- Confidentiality: Not rated explicitly in the source. Administrative access to the Manager implies access to the full fabric configuration, and the source notes further unlisted flaws that could expose sensitive information.
- Integrity: **High** (attacker can manipulate network configuration via NETCONF or execute commands as `netadmin`).
- Availability: Not rated explicitly in the source; an attacker with `netadmin` or NETCONF access can push configuration that disrupts the fabric.
## Remediation
### Patches
Cisco is expected to release patches around February 27, 2026, for the current branches. Confirm the fixed version for your train against the Cisco advisories listed under References before upgrading.
**Target Fixed Versions (as indicated by report; same for SD-WAN Manager and SD-WAN Controller):**
* 20.9 train: 20.9.8.2
* 20.12.5 train: 20.12.5.3
* 20.12.6 train: 20.12.6.1
* 20.15 train: 20.15.4.2
* 20.18 train: 20.18.2.1
### Workarounds
The source details no technical workaround; patching is the priority given confirmed exploitation. Until patched, restrict network reachability to the SD-WAN Manager web UI and REST API and to the controller peering interfaces so that only management networks and known fabric peers can reach them, and review which accounts hold the `netadmin` role.
## Detection
- Indicators of Compromise: The source publishes no atomic indicators (hashes, IP addresses). The observable is behavioural: requests to the peering or REST API surfaces from unauthenticated remote sources that result in a privileged session (`netadmin` role, NETCONF access).
- Detection methods and tools: Correlate Manager API and NETCONF activity with authentication logs and alert on privileged actions that have no matching administrator session, on logins by internal or service accounts from unexpected sources, and on configuration changes outside change windows. Check the CISA KEV entries for any indicators published there.
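The correlation rule above, as an added example that is not part of the source page: it flags `netadmin`-role API calls and NETCONF operations whose source/user pair has no preceding successful login. The `key=value` log format, the sample records, the 8-hour session window and the field names are all constructed for this example; map them onto your own Manager audit-log or syslog export before use.

```python
"""Detection sketch: flag privileged SD-WAN Manager API / NETCONF activity with
no preceding authenticated login from the same source.  The log format below
is CONSTRUCTED for this example (key=value records); adapt the field names to
your real audit-log or syslog export.  Example code, not Cisco's."""
from __future__ import annotations

from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample records.  Lines 3 and 4 model the behaviour described on
# this page: a netadmin-role API call and a NETCONF config change from a source
# that never authenticated.  Line 2 is the benign control case.
SAMPLE_LOG = """\
2026-02-25T10:00:01Z src=10.10.1.5 user=admin event=login result=success
2026-02-25T10:00:05Z src=10.10.1.5 user=admin role=netadmin event=api path=/dataservice/device
2026-02-25T10:03:11Z src=203.0.113.7 user=admin role=netadmin event=api path=/dataservice/template/device
2026-02-25T10:03:40Z src=203.0.113.7 user=admin event=netconf op=edit-config
2026-02-25T10:09:00Z src=10.10.1.5 user=admin event=logout
"""

LOGIN_WINDOW = timedelta(hours=8)  # assumption: longest plausible session age
PRIVILEGED_ROLES = {"netadmin"}    # the role named on this page
PRIVILEGED_EVENTS = {"netconf"}    # NETCONF config operations are privileged by definition


def parse_line(line: str) -> Dict[str, str]:
    """'<timestamp> k=v k=v ...' -> dict, timestamp stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    for tok in rest.split():
        k, _, v = tok.partition("=")
        rec[k] = v
    return rec


def find_unauthenticated_privileged(log: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src, reason) for every privileged event whose
    (src, user) pair has no successful login within LOGIN_WINDOW before it.
    Records must be in chronological order, as they are in a log export."""
    last_login: Dict[Tuple[str, str], datetime] = {}
    alerts: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        rec = parse_line(line)
        when = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        key = (rec.get("src", ""), rec.get("user", ""))
        if rec.get("event") == "login" and rec.get("result") == "success":
            last_login[key] = when
            continue
        if rec.get("event") == "logout":
            last_login.pop(key, None)
            continue
        privileged = rec.get("role") in PRIVILEGED_ROLES or rec.get("event") in PRIVILEGED_EVENTS
        if not privileged:
            continue
        seen = last_login.get(key)
        if seen is None or when - seen > LOGIN_WINDOW:
            alerts.append((rec["ts"], key[0], f"{rec['event']} as {key[1]} with no prior login"))
    return alerts


if __name__ == "__main__":
    for ts, src, reason in find_unauthenticated_privileged(SAMPLE_LOG):
        print(f"ALERT {ts} {src}: {reason}")
```

One caveat a practitioner should keep in mind: the page says CVE-2026-20127 lets the attacker log in as an internal, high-privileged account, so a successful exploitation may itself produce a login-success record. Pair this rule with a second one that alerts on any login by internal or service accounts from sources outside your management networks.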
## References
- Vendor Advisories:
- hxxps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
- hxxps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
- Related CVE Information:
- hxxps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20127
- hxxps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20129