theinfosecnews
theinfosecnews
Subscribe to Daily Digest

CVE-2026-20127

CISA KEV

Published February 25, 2026 · Updated April 3, 2026

high

What This Means

**CVE-2026-20127: Cisco Catalyst SD-WAN Controller Authentication Bypass** An authentication bypass flaw in Cisco Catalyst SD-WAN Controller and Manager allows unauthenticated remote attackers to obtain administrative privileges by sending crafted requests that exploit a broken peering authentication mechanism. Successful exploitation grants attacker access to a high-privileged internal account with NETCONF capabilities, enabling arbitrary manipulation of SD-WAN fabric configurations across your network. **Required Actions:** - Patch Cisco Catalyst SD-WAN Controller and Manager immediately to the latest available version. - Audit access logs for suspicious NETCONF activity and unexpected configuration changes in your SD-WAN deployment. - Restrict network access to SD-WAN management interfaces (vSmart, vManage) using firewall rules and VPN requirements until patched.

Official Description+

Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

Affected Products

VendorProduct
CiscoCatalyst SD-WAN Controller and Manager

Patch Status

Patch by 2026-02-27

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review logs for indicators of compromise related to CVE-2026-20127.