Critical vulnerability affecting Cisco Catalyst SD-WAN - CVE-2026-20127


Overview

Cisco has released a security advisory to address a critical vulnerability in Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Catalyst SD-WAN Manager (formerly SD-WAN vManage). Malicious cyber threat actors are targeting organisations' SD-WANs globally. SD-WAN (software-defined wide area network) is a networking technology that applies software-defined networking (SDN) principles to manage and optimise wide area network (WAN) performance. It gives organisations the ability to securely connect users, applications and data across multiple locations, and it improves performance, reliability and scalability. SD-WAN also simplifies WAN management by providing centralised control and visibility over the entire network. For this reason, SD-WAN is considered a core component of a secure access service edge (SASE) architecture, which unifies network connectivity with network security.



Vulnerability Summary

TLP: Green
CVSS Score: 10.0
CVSSv3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE: CVE-2026-20127
Severity: Critical

Detailed Analysis

A recently disclosed vulnerability in Cisco Catalyst SD-WAN controllers, tracked as CVE-2026-20127, has drawn the attention of the global cybersecurity community because of its potential impact on enterprise network infrastructure. The vulnerability stems from a flaw in the controller's peering authentication mechanism: the process responsible for validating peer devices does not function correctly. Because of this weakness, a threat actor can send specially crafted requests to an affected system and bypass normal authentication controls. If exploitation succeeds, the attacker can log in to the SD-WAN controller as a high-privileged internal user account, though not initially with root privileges.

However, this level of access still allows interaction with NETCONF, a network configuration protocol used to manage SD-WAN infrastructure. Through this access, attackers can manipulate network configurations across the SD-WAN fabric, potentially altering routing behaviour, modifying network policies, or introducing malicious changes that could disrupt connectivity and expose sensitive network traffic.

The risk this vulnerability presents to organisations is significant because SD-WAN controllers often act as the central management point for enterprise networks connecting branch offices, cloud services, and data centres. If a malicious actor gains access to this layer of the network, they could manipulate routing and segmentation controls, redirect or intercept traffic, deploy rogue devices within the SD-WAN fabric, and maintain persistent access across the organisation's network infrastructure.

In observed activity associated with exploitation of this vulnerability, attackers have demonstrated the ability to add a rogue peer device after gaining initial access, manipulate SD-WAN configurations, escalate privileges to eventually obtain root access, and establish long-term persistence within the environment. Persistence at the network control layer is particularly concerning because it enables attackers to remain embedded within infrastructure even after other compromised systems have been remediated.

At this time, Cisco Talos has not definitively attributed exploitation of this vulnerability to a specific threat group or nation-state actor. However, threat intelligence reporting has referenced a China-linked actor known as UAT-9686 that has previously targeted network infrastructure technologies. While there is currently no confirmed attribution connecting this group to exploitation of the vulnerability, the targeting of SD-WAN infrastructure aligns with broader trends where advanced threat actors increasingly focus on network edge and management systems to gain strategic access into enterprise environments.

In response to the emerging threat, several international cybersecurity agencies have collaborated on guidance to help organisations detect and respond to malicious activity related to this vulnerability: the Australian Signals Directorate (ASD), the United States National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security, and the United Kingdom's National Cyber Security Centre (NCSC). Together they have released a Cisco SD-WAN Threat Hunt Guide that gives defenders investigative insights and technical indicators for identifying suspicious activity in affected environments.
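As an added illustration (not taken from the Threat Hunt Guide, Cisco or BridgeLynk), the following Python checks forwarded controller syslog for the three behaviours described above: a NETCONF session from outside the management network, a peer added that is not in the authorised inventory, and a privilege change to root. The log line layout, the inventory, the account name and the sample lines are all constructed for this example.

```python
import ipaddress
import re

# Constructed inventory for this example: the control-plane peers an operator has
# authorised (by system IP) and the networks from which admin NETCONF sessions
# are expected to originate. Replace both with your own records.
AUTHORISED_PEERS = {"10.1.0.1", "10.1.0.2", "10.1.0.3"}
MANAGEMENT_NETS = [ipaddress.ip_network("10.200.0.0/24")]

# Constructed line layout (not Cisco's real syslog format):
# "<timestamp> <controller> <EVENT> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+) (?P<kv>.*)$")

def parse(line):
    """Split one log line into a dict of fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(t.split("=", 1) for t in m["kv"].split() if "=" in t)
    return {"ts": m["ts"], "host": m["host"], "event": m["event"], **fields}

def check(rec):
    """Return a finding for one parsed record, or None when it looks benign."""
    tag = f"{rec['ts']} {rec['host']}:"
    if rec["event"] == "PEER_ADDED" and rec.get("system_ip") not in AUTHORISED_PEERS:
        return f"{tag} peer {rec.get('system_ip')} added but not in authorised inventory"
    if rec["event"] == "NETCONF_SESSION":
        src = ipaddress.ip_address(rec.get("src", "0.0.0.0"))
        if not any(src in net for net in MANAGEMENT_NETS):
            return f"{tag} NETCONF session from {src} outside management nets as {rec.get('user')}"
    if rec["event"] == "PRIV_CHANGE" and rec.get("to") == "root":
        return f"{tag} privilege change to root by {rec.get('user')}"
    return None

def hunt(lines):
    """Parse every line, run the checks and return the findings in log order."""
    records = (parse(line) for line in lines)
    return [finding for rec in records if rec and (finding := check(rec))]

# Constructed sample log: one benign admin session, then the sequence the article
# describes (internal account over NETCONF, rogue peer added, escalation to root).
SAMPLE_LOG = """\
2026-03-01T10:00:00Z vsmart1 NETCONF_SESSION src=10.200.0.15 user=admin
2026-03-01T10:02:11Z vsmart1 NETCONF_SESSION src=203.0.113.7 user=internal-svc
2026-03-01T10:02:40Z vsmart1 PEER_ADDED system_ip=10.1.0.2 peer_type=vedge
2026-03-01T10:03:05Z vsmart1 PEER_ADDED system_ip=192.0.2.99 peer_type=vedge
2026-03-01T10:05:00Z vsmart1 PRIV_CHANGE user=internal-svc to=root
""".splitlines()
```

Running hunt(SAMPLE_LOG) returns three findings (the external NETCONF session, the unlisted peer, and the root escalation) and ignores the benign admin session.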

Affected Versions

The vulnerability affects the following deployment types, irrespective of device configuration:

  • On-Prem Deployment

  • Cisco Hosted SD-WAN Cloud

  • Cisco Hosted SD-WAN Cloud - Cisco Managed

  • Cisco Hosted SD-WAN Cloud - FedRAMP Environment

Mitigation Strategies

At the time of the advisory's publication, Cisco had not provided any workarounds for this vulnerability. Organisations running affected instances of Cisco Catalyst SD-WAN Controller or Cisco Catalyst SD-WAN Manager should prioritise upgrading to a fixed release to remediate CVE-2026-20127.

Affected Version          Fixed Version
Versions prior to 20.9    Migrate to a fixed release
20.9                      20.9.8.2 (Estimated to be released on February 27)
20.11                     20.12.6.1
20.12.5                   20.12.5.3
20.12.6                   20.12.6.1
20.13                     20.15.4.2
20.14                     20.15.4.2
20.15                     20.15.4.2
20.16                     20.18.2.1
20.18                     20.18.2.1
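To turn the fixed-release table into a check, the following added Python example (not Cisco's or BridgeLynk's code) parses a running Controller or Manager version, selects the matching row, and reports whether the installed release is at or above the fixed release. It covers only the trains listed in the table; any other train is reported as unlisted rather than guessed.

```python
# Fixed release per affected train, taken from the advisory table on this page.
# Keys are version prefixes; the longest prefix matching the running version wins,
# so a 20.12.5.x install maps to the 20.12.5 row rather than the 20.12.6 row.
FIXED_RELEASES = {
    "20.9": "20.9.8.2",
    "20.11": "20.12.6.1",
    "20.12.5": "20.12.5.3",
    "20.12.6": "20.12.6.1",
    "20.13": "20.15.4.2",
    "20.14": "20.15.4.2",
    "20.15": "20.15.4.2",
    "20.16": "20.18.2.1",
    "20.18": "20.18.2.1",
}

def parse_version(text):
    """Turn '20.12.5.3' into (20, 12, 5, 3) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))

def triage(running):
    """Return (status, fixed_release) for a running Controller/Manager version string."""
    rv = parse_version(running)
    if rv < (20, 9):
        return ("affected", "migrate to a fixed release")
    best = None
    for prefix, fixed in FIXED_RELEASES.items():
        pv = parse_version(prefix)
        if rv[:len(pv)] == pv and (best is None or len(pv) > len(best[0])):
            best = (pv, fixed)
    if best is None:
        return ("unlisted", "train not in the advisory table; check Cisco's advisory")
    fixed = best[1]
    return ("fixed" if rv >= parse_version(fixed) else "affected", fixed)
```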

Cisco's Catalyst SD-WAN Hardening Guide (https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide) should be reviewed in full; it includes advice on the following:

  • Network perimeter controls: Ensure control components are behind a firewall, isolate VPN 512 interfaces, and use IP blocks for manually provisioned edge IPs.

  • SD-WAN Manager access: Replace the self-signed certificate for the web user interface.

  • Control and data plane security: Use pairwise keying.

  • Session timeout: Limit to the shortest period possible.

  • Logging: Forward to a remote syslog server.

Advisory published Mar 14, 2026.