CISA Known Exploited Vulnerability
This vulnerability is actively exploited in the wild and listed in the CISA Known Exploited Vulnerabilities catalog.
Remediation Deadline: Feb 27, 2026
Description
Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability that could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
EPSS — Exploit Probability
Higher than 85.4% of all CVEs
Required Action
CISA Mitigation Instructions:
- https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
- https://nvd.nist.gov/vuln/detail/CVE-2026-20127
Related Articles (6)
Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities
Cisco warns CVE-2026-20122 and CVE-2026-20128 in Catalyst SD-WAN Manager are actively exploited; patches released across multiple software versions.
Mar 5, 2026
⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More
Weekly cybersecurity recap covering active exploits, AI abuse, exposed cloud assets, critical CVEs, and evolving threat trends.
Mar 2, 2026
CISA and Partners Release Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems
As a result of the malicious cyber activity and vulnerabilities involving Cisco SD-WAN systems, CISA has outlined requirements for FCEB agencies in Emergency Directive (ED) 26-03 to inventory Cisco SD-WAN systems, update them, and assess compromise.
Feb 25, 2026
CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
Feb 25, 2026
Cisco SD-WAN Zero-Day Under Exploitation for 3 Years
The maximum-severity vulnerability CVE-2026-20127 was exploited by an unknown but sophisticated threat actor who left very little evidence behind.
Feb 26, 2026
Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited
WatchTowr reports seeing exploitation attempts for CVE-2026-20127 from numerous unique IP addresses.
Mar 8, 2026
Risk Assessment
ELEVATED
Details
- Severity: High
- EPSS: 2.6%
- CISA KEV: Yes
- Ransomware: Unknown
- Articles: 6
Timeline
- Published: Feb 25, 2026
- Added to KEV: Feb 25, 2026
- Remediation Due: Feb 27, 2026