CISA Known Exploited Vulnerability
This vulnerability is actively exploited in the wild and listed in the CISA Known Exploited Vulnerabilities catalog.
Remediation Deadline: Feb 27, 2026
Description
Cisco SD-WAN CLI contains a path traversal vulnerability that could allow an authenticated local attacker to gain elevated privileges via improper access controls on commands within the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user.
EPSS — Exploit Probability
Higher than 65.6% of all CVEs
Required Action
CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems ; https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-sd-wan-priv-E6e8tEdF.html ; https://nvd.nist.gov/vuln/detail/CVE-2022-20775
Related Articles (3)
CISA and Partners Release Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems
As a result of the malicious cyber activity and vulnerabilities involving Cisco SD-WAN systems, CISA has outlined requirements for FCEB agencies in Emergency Directive (ED) 26-03 to inventory Cisco SD-WAN systems, update them, and assess compromise.
Feb 25, 2026
CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
Feb 25, 2026
Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited
WatchTowr reports seeing exploitation attempts for CVE-2026-20127 from numerous unique IP addresses.
Mar 8, 2026
Risk Assessment
ELEVATEDDetails
- Severity
- High
- EPSS
- 0.5%
- CISA KEV
- Yes
- Ransomware
- Unknown
- Articles
- 3
Timeline
Published
Feb 25, 2026
Added to KEV
Feb 25, 2026
Remediation Due
Feb 27, 2026