SOCRadar® Cyber Intelligence Inc.
Feb 26, 2026

CVE-2026-20127: Cisco Catalyst SD-WAN Auth Bypass Exploited In The Wild

Cisco recently disclosed a zero-day, tracked as CVE-2026-20127, warning that the issue is already being actively exploited in real-world environments. The vulnerability affects Cisco Catalyst SD-WAN control and management components and can allow an unauthenticated attacker to bypass authentication and gain high-privilege access.

With government-driven response timelines circulating, this is a patch-now event for any organization running exposed SD-WAN infrastructure. This post breaks down what CVE-2026-20127 is, what is affected, how exploitation works at a high level, what we know about threat activity, and what defenders should do immediately.

What Is CVE-2026-20127?

CVE-2026-20127 (CVSS 10.0) is an improper authentication vulnerability that results in an authentication bypass within the peering authentication mechanism used by Cisco Catalyst SD-WAN. In practical terms, the flaw allows an attacker to send crafted requests that bypass expected trust checks between SD-WAN components.

The immediate outcome is not “instant root.” Instead, successful exploitation can grant access as an internal, high-privileged, non-root account, which is still enough to create serious operational impact in SD-WAN environments.

Details of CVE-2026-20127 (SOCRadar Vulnerability Intelligence)

Which Cisco Catalyst SD-WAN Components Are Affected?

  • Cisco Catalyst SD-WAN Controller (formerly vSmart)
  • Cisco Catalyst SD-WAN Manager (formerly vManage)

These components sit at the center of how SD-WAN fabrics authenticate peers, distribute policy, and manage control-plane behavior. That role matters because compromise here can affect more than a single device. It can affect how the fabric routes, trusts, and connects.

How Does Exploitation Work In Real Attacks?

At a high level, exploitation follows a straightforward sequence:

  1. An unauthenticated attacker sends crafted requests that bypass peering authentication.
  2. The attacker can then authenticate as an internal privileged account.
  3. With that access, the attacker can use NETCONF to manipulate SD-WAN fabric configuration, potentially impacting peers, devices, and path outcomes across the environment.

This is the kind of vulnerability where “management-plane reachability” becomes the real accelerant. If your SD-WAN control or management interfaces are reachable from the internet, attackers can attempt exploitation directly, without needing stolen credentials first.

Is There Confirmed Exploitation In The Wild?

Yes. CVE-2026-20127 is being reported as actively exploited in the wild as of February 25, 2026. Cisco Talos has also attributed observed exploitation and post-compromise activity to a tracked actor labeled “UAT-8616,” assessed with high confidence as highly sophisticated, with evidence suggesting activity dating back to at least 2023.

One operational detail defenders should not ignore is the reported post-auth-bypass tradecraft: downgrade software, exploit an older issue (CVE-2022-20775), then restore the version. That pattern suggests an attempt to gain or maintain root-level control while reducing obvious indicators tied to a permanently downgraded system.

Details of CVE-2022-20775 (SOCRadar Vulnerability Intelligence)

Separately, federal response activity has been widely referenced, including CISA Emergency Directive 26-03 and a patch deadline echoed in FedRAMP communications of 5:00 PM ET on February 27, 2026. Even for non-federal environments, that timeline is a strong signal of urgency.

Are Public PoCs Available?

As of coverage through February 25 to 26, 2026, reporting indicates no credible public Proof-of-Concept (PoC) exploit had been identified. That said, the absence of a public PoC does not meaningfully reduce risk here because exploitation is already confirmed and appears to be conducted by a capable actor.

In other words, defenders should treat this as weaponized, even if GitHub is not yet full of one-click tooling.

SOCRadar’s Vulnerability Intelligence

When critical vulnerabilities move from disclosure to active exploitation, speed matters. SOCRadar Cyber Threat Intelligence tracks real-world exploitation activity, threat actor discussions, and PoC releases so you know when a flaw becomes weaponized. At the same time, Attack Surface Management (ASM) continuously monitors your internet-facing assets to identify exposed systems and vulnerable services attackers can target.

What Should Defenders Do Right Now?

Patch or upgrade as the primary fix:

Multiple incident-response writeups based on Cisco guidance emphasize that there is no true workaround that fully remediates CVE-2026-20127 without upgrading. Organizations should move to a fixed release for their train. Commonly cited upgrade targets include:

  • 20.11 → 20.12.6.1+
  • 20.12.5 → 20.12.5.3+
  • 20.12.6 → 20.12.6.1+
  • 20.13 / 20.14 / 20.15 → 20.15.4.2+
  • 20.16 / 20.18 → 20.18.2.1+
  • 20.9 → 20.9.8.2+ (widely reported as expected February 27, 2026)

Reduce exposure while you race the upgrade:

If you cannot patch immediately, prioritize actions that cut off the unauthenticated attack path:

  • Remove internet exposure of SD-WAN management and control-plane interfaces
  • Restrict reachability to known administrative networks and known peer IPs using segmentation, ACLs, and firewall policy

Hunt for compromise using behavior, not just signatures:

Talos’ detection guidance highlights several practical areas to review:

  • Unexpected control connection peering events
  • Unauthorized peers added or dropped
  • Suspicious downgrade then upgrade sequences and related reboot patterns
  • Artifacts consistent with attempts to chain behavior associated with CVE-2022-20775, including path traversal-style strings such as /../../
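The three hunt areas above turned into a small triage script, as an added example that is not code from the original post, Cisco, or Talos. It runs over constructed sample events in a hypothetical log format (not a Cisco log format) and flags control-connection peering from peers outside an allowlist, request URIs containing /../../ chains, and a software downgrade followed by an upgrade back to the original train within a time window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical format (not a Cisco or Talos log format):
# "<timestamp> <host> <category> <message with key=value fields>"
SAMPLE_LOG = """\
2026-02-24T01:10:02Z ctrl-1 peering control-connection-up peer=203.0.113.77
2026-02-24T01:12:40Z mgr-1 software version-change from=20.12.6 to=20.9.5
2026-02-24T01:21:18Z mgr-1 http request uri=/static/../../tmp/data src=203.0.113.77
2026-02-24T01:40:51Z mgr-1 software version-change from=20.9.5 to=20.12.6
2026-02-25T09:00:00Z mgr-1 software version-change from=20.12.6 to=20.12.6.1
2026-02-25T09:05:00Z ctrl-1 peering control-connection-up peer=10.0.0.5
"""

KNOWN_PEERS = {"10.0.0.5"}                 # constructed allowlist of expected peer IPs
TRAVERSAL = re.compile(r"(?:/\.\.){2,}/")  # matches /../../ and longer chains
KV = re.compile(r"(\w+)=(\S+)")

def parse_version(v):
    """'20.12.6.1' -> (20, 12, 6, 1): tuples compare numerically, so 20.9 < 20.12."""
    return tuple(int(x) for x in v.split("."))

def parse_line(line):
    ts, host, category, rest = line.split(" ", 3)
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
             "host": host, "category": category}
    event.update(KV.findall(rest))
    return event

def hunt(log_text, known_peers, window=timedelta(hours=24)):
    """Return (finding, host, detail) tuples for the three hunt areas."""
    findings = []
    pending = {}  # host -> (time of downgrade, version before the downgrade)
    for line in filter(None, log_text.splitlines()):
        e = parse_line(line)
        if e["category"] == "peering" and e.get("peer") not in known_peers:
            findings.append(("unexpected-peer", e["host"], e.get("peer")))
        elif e["category"] == "http" and TRAVERSAL.search(e.get("uri", "")):
            findings.append(("path-traversal", e["host"], e["uri"]))
        elif e["category"] == "software":
            old, new = parse_version(e["from"]), parse_version(e["to"])
            if new < old:                      # downgrade: remember where we came from
                pending[e["host"]] = (e["ts"], old)
            elif e["host"] in pending:         # later upgrade on the same host
                t0, original = pending.pop(e["host"])
                if new >= original and e["ts"] - t0 <= window:
                    findings.append(("downgrade-upgrade", e["host"],
                                     f"{e['from']} -> {e['to']} in {e['ts'] - t0}"))
    return findings
```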

Preserve evidence before making disruptive changes:

If you suspect compromise, collect relevant logs and forensic artifacts before you upgrade or reboot systems, where operationally feasible. That evidence can be essential for scoping what changed inside the SD-WAN fabric and identifying whether attacker access persisted beyond the initial bypass.