OVERVIEW
Cisco has disclosed a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). This vulnerability is tracked as CVE-2026-20127 and carries the maximum CVSS 3.1 score of 10.0 CRITICAL.
Cisco PSIRT has confirmed limited active exploitation in the wild, and CISA has added this CVE to its Known Exploited Vulnerabilities (KEV) catalog under Emergency Directive ED-26-03, with a remediation deadline of February 27, 2026.

VULNERABILITY DETAILS
| Detail | Value |
| CVE | CVE-2026-20127 |
| Advisory ID | cisco-sa-sdwan-rpa-EHchtZk |
| CVSS 3.1 | 10.0 — AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-287 (Improper Authentication) |
| Published | 25 February 2026 |
| Reporter | Australian Signals Directorate (ASD ACSC) |
TECHNICAL ANALYSIS
The vulnerability lies in the peering authentication mechanism of the affected SD-WAN control components. Cisco attributes it to that mechanism not functioning properly, which lets an unauthenticated, remote attacker who can reach the peering interface bypass authentication entirely with crafted requests.
Attack Flow:
- The attacker sends crafted requests to an internet-exposed SD-WAN Controller or Manager.
- The broken peering authentication lets the attacker authenticate as vmanage-admin, an internal, high-privileged (non-root) account.
- With this account, the attacker gains access to NETCONF (SSH on port 22 and NETCONF-over-SSH on port 830).
- Via NETCONF, the attacker can manipulate the entire SD-WAN fabric configuration, including routing, policies, tunnels, and device templates.
Impact: Complete compromise of SD-WAN infrastructure. The attacker can redirect traffic, intercept data, disrupt connectivity, or pivot into connected networks. The Changed scope (S:C) in the CVSS vector indicates impact beyond the vulnerable component itself.
AFFECTED PRODUCTS
All deployment types are affected:
- On-Premises Deployment
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud — Cisco Managed
- Cisco Hosted SD-WAN Cloud — FedRAMP Environment
Affected Software Versions:
| Release Train | Fixed Version |
| Earlier than 20.9 | Migrate to a fixed release |
| 20.9 | 20.9.8.2 |
| 20.11 (EoSM) | 20.12.6.1 |
| 20.12 | 20.12.5.3 or 20.12.6.1 |
| 20.13 (EoSM) | 20.15.4.2 |
| 20.14 (EoSM) | 20.15.4.2 |
| 20.15 | 20.15.4.2 |
| 20.16 (EoSM) | 20.18.2.1 |
| 20.18 | 20.18.2.1 |
INDICATORS OF COMPROMISE (IOC)
Check /var/log/auth.log on every SD-WAN Controller and Manager for successful key-based SSH logins by the vmanage-admin account. The example entry (source IP, source port and key fingerprint elided here) is:
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from port ssh2: RSA SHA256:
In a live log the source IP follows "from", the source port follows "port", and the public-key fingerprint follows "SHA256:". A source that is not one of your controller System IPs, or a fingerprint you cannot tie to a known controller key, is the indicator.
Validation Checklist:
- Compare the source IP against your documented controller System IPs (WebUI > Devices > System IP).
- Verify timestamps against known maintenance windows.
- Review the peer type in control-connection-state-change logs; focus on peer-type:vmanage events.
- Correlate events from the same source IP to identify reconnaissance patterns.
- Cross-reference with change management records and user activity logs.
Snort Detection Rules: 65938, 65958
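The first, second and fourth checklist items can be automated over exported auth.log files. The script below is an added example written for this page, not Cisco's tooling: it parses OpenSSH's standard "Accepted <method> for <user> from <ip> port <port> ssh2" lines, keeps only vmanage-admin logins, flags those whose source is not a documented controller System IP or that fall outside a maintenance window, and counts repeat sources. The controller IPs, the maintenance window and the four log lines are constructed for the example and must be replaced with your own inventory and exports.

```python
"""Triage vmanage-admin SSH logins for CVE-2026-20127 hunting.

Added example, not part of the Cisco advisory. Sample data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# OpenSSH's standard successful-login format; the trailing key type and
# SHA256 fingerprint are present for publickey logins, absent for password.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+"
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) "
    r"port (?P<port>\d+) ssh2"
    r"(?::\s+(?P<keytype>\S+) SHA256:(?P<fp>\S+))?"
)

# Assumed inventory: controller System IPs from Manager WebUI > Devices > System IP.
KNOWN_CONTROLLERS = {"10.1.1.1", "10.1.1.2", "10.1.1.3"}

# Assumed maintenance window(s) as (start, end) in UTC.
MAINTENANCE_WINDOWS = [
    (datetime(2026, 2, 12, 1, 0, tzinfo=timezone.utc),
     datetime(2026, 2, 12, 3, 0, tzinfo=timezone.utc)),
]

# Constructed auth.log excerpt: two logins from an unknown source, one from a
# known controller during maintenance, and one unrelated admin login.
SAMPLE_AUTH_LOG = """\
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from 198.51.100.23 port 51422 ssh2: RSA SHA256:Qm9ndXNGaW5nZXJwcmludA
2026-02-10T22:52:01+00:00 vm sshd[811]: Accepted publickey for vmanage-admin from 198.51.100.23 port 51430 ssh2: RSA SHA256:Qm9ndXNGaW5nZXJwcmludA
2026-02-12T02:10:44+00:00 vm sshd[902]: Accepted publickey for vmanage-admin from 10.1.1.2 port 40022 ssh2: RSA SHA256:S25vd25Db250cm9sbGVyS2V5
2026-02-13T09:00:05+00:00 vm sshd[950]: Accepted password for admin from 10.20.30.40 port 55001 ssh2
"""


def parse_logins(log_text):
    """Return one dict per successful sshd login found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue  # not a successful-login line; ignore
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])  # ISO 8601 with offset
        ev["port"] = int(ev["port"])
        events.append(ev)
    return events


def in_maintenance_window(ts, windows=MAINTENANCE_WINDOWS):
    """True if ts falls inside any documented maintenance window."""
    return any(start <= ts <= end for start, end in windows)


def triage_vmanage_admin_logins(log_text, known=KNOWN_CONTROLLERS,
                                windows=MAINTENANCE_WINDOWS):
    """Flag vmanage-admin logins failing the source-IP or timestamp check."""
    findings = []
    for ev in parse_logins(log_text):
        if ev["user"] != "vmanage-admin":
            continue
        reasons = []
        if ev["src"] not in known:
            reasons.append("source is not a documented controller System IP")
        if not in_maintenance_window(ev["ts"], windows):
            reasons.append("outside known maintenance window")
        if reasons:
            findings.append({"ts": ev["ts"], "src": ev["src"],
                             "fp": ev["fp"], "reasons": reasons})
    return findings


def repeat_sources(findings, threshold=2):
    """Source IPs with at least `threshold` flagged logins (repeat activity)."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = triage_vmanage_admin_logins(SAMPLE_AUTH_LOG)
    for h in hits:
        print(h["ts"].isoformat(), h["src"], h["fp"], "; ".join(h["reasons"]))
    print("repeat sources:", repeat_sources(hits))
```

Run it against the concatenated auth.log exports from every Controller and Manager, not just the one you suspect; the account is the same on each, and a fabric-wide view is what exposes one source touching several control components. A flagged entry is a lead, not a verdict: confirm it against the control-connection-state-change logs and change records listed above before escalating.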
IMMEDIATE MITIGATION (IF PATCHING IS NOT YET POSSIBLE)
There are no workarounds that address the vulnerability itself. The following mitigations reduce exposure until the fixed release is installed:
- Restrict port 22 and port 830 via ACLs, security groups, or firewall rules to allow only known controller IPs.
- Place SD-WAN control components behind filtering devices (firewalls).
- Disable HTTP for the SD-WAN Manager admin portal, along with any other unnecessary network services (e.g. FTP).
- Change default administrator passwords and enforce least-privilege accounts.
- Enable SSL/TLS with proper certificates.
- Send logs to an external SIEM for monitoring and forensic capability.
RECOMMENDED ACTIONS
- PATCH IMMEDIATELY — Upgrade to a fixed release per the table above.
- HUNT — Review auth.log and peering event logs on ALL control components for signs of compromise.
- ISOLATE — If compromise is suspected, collect admin-tech output (request admin-tech) and open a Cisco TAC case.
- HARDEN — Follow the Cisco Catalyst SD-WAN Hardening Guide post-patch.
REFERENCES
- Cisco Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20127
- CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20127
- SD-WAN Hardening Guide: https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide
This is a maximum-severity vulnerability with confirmed exploitation. If your organization runs Cisco Catalyst SD-WAN in any deployment model, treat this as a P0 incident and act today.
Need help with assessment or remediation? Contact info@secstrike.ai
