Emergency Patch: CVE-2026-20127 in Cisco Catalyst SD-WAN Actively Exploited Against Critical Infrastructure

On February 25th, 2026, a new critical severity CVE affecting Cisco Catalyst SD-WAN was both published and added to CISA’s Known Exploited Vulnerabilities (KEV) list. CVE-2026-20127 (CVSS 10) allows an unauthenticated remote attacker to gain administrative access on affected devices. The flaw is classified as an authentication bypass [CWE-287] caused by a faulty peering authentication mechanism. CVE-2022-20775 (CVSS 7.8), released in 2022, was also added to CISA KEV on February 25th due to its exploitation in the same ongoing campaigns. Global security teams must patch with urgency.

Greenbone’s OPENVAS ENTERPRISE FEED includes remote banner checks for both Cisco Catalyst SD-WAN Controller [1] and Cisco Catalyst SD-WAN Manager [2], allowing organizations to detect affected devices in their networks. Defenders can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.

Understanding the Risk Landscape for CVE-2026-20127 and Cisco Catalyst SD-WAN

The Australian Cyber Security Centre (ACSC) is credited with reporting CVE-2026-20127 and its active exploitation, which is believed to have begun in 2023. A full root-cause analysis has been published, but no proof-of-concept (PoC) exploits are publicly available and no ransomware attacks have yet been reported. Numerous national CERT advisories have been issued globally [1][2][3][4][5][6][7][8][9][10][11][12][13].

CVE-2026-20127 was added to CISA’s KEV list immediately upon publication along with an Emergency Directive (ED 26-03) requiring U.S. federal civilian agencies to complete a breach assessment, forensic data collection, and mitigation within two days. High-value and critical infrastructure sectors have reportedly been targeted, but specific victims have not been identified.

Along with the actively exploited CVEs described above, Cisco issued a second security alert the same day, disclosing five additional vulnerabilities that also affect Catalyst SD-WAN. The most severe of these flaws, CVE-2026-20129 (CVSS 9.8), allows unauthenticated, remote attackers to gain access as a user with the netadmin role. Another, CVE-2026-20126 (CVSS 8.8), allows a low-privileged user to gain root privileges on the underlying operating system.

Cisco Catalyst SD-WAN is a full software-defined wide area network (SD-WAN) solution. The platform centrally manages and automates how an organization’s physical sites connect to each other. Catalyst SD-WAN supports several WAN transport protocols, including MPLS, broadband internet, and mobile LTE/5G. CVE-2026-20127 impacts both the Catalyst SD-WAN Controller, the control-plane component that distributes routing and policy information to route traffic across the fabric, and Catalyst SD-WAN Manager, the platform used to centrally configure, deploy, and monitor an SD-WAN’s operations.

Exploitation Campaigns Leveraging CVE-2026-20127 and CVE-2022-20775

The Cisco Talos threat intelligence unit has published a blog post describing active exploitation by an otherwise unknown threat actor dubbed UAT-8616. In the observed attacks, CVE-2026-20127 was used to gain initial access. Attackers subsequently downgraded the compromised device’s software to exploit CVE-2022-20775, escalating privileges to the root level. Vulnerabilities in edge-facing network services typically demand urgent action. In the case of CVE-2026-20127, publicly exposed Catalyst SD-WAN Controller systems without strict firewall protection for the NETCONF service (TCP/830) are at critical risk.

The two CVEs implicated in ongoing attacks are described below:

  • CVE-2026-20127 (CVSS 10): An unauthenticated, remote attacker can obtain administrative privileges due to an authentication bypass flaw [CWE-287] in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. Exploitation is possible by sending maliciously crafted requests to an unpatched system. Exploitation allows the attacker to log in to the Catalyst SD-WAN Controller as a high-privileged, non-root user and access NETCONF to manipulate network configuration settings for the SD-WAN fabric.
  • CVE-2022-20775 (CVSS 7.8): An authenticated, local attacker can gain elevated privileges due to a path traversal flaw [CWE-22][CWE-25] in the command line interface (CLI) of Cisco Catalyst SD-WAN software. Exploitation allows a low-privileged attacker to execute arbitrary commands as the root user. Cisco has released software updates that address this vulnerability. See the vendor’s official advisory for more information.

After gaining initial access via the NETCONF remote service [T1133], attackers were observed creating rogue local accounts [T1136.001], adding root SSH keys for persistence [T1098.004], moving laterally via NETCONF on port 830 and SSH [T1021], and seeking to avoid detection by purging logs [T1070.002] and clearing shell command histories [T1070.003]. According to the ACSC, attackers escalated to root-user privileges by downgrading the software to exploit CVE-2022-20775 [T1068]. After gaining root access, the actors reverted the software back to its original version.

Mitigating the Risk of CVE-2026-20127

Cisco reports that no workarounds exist, but software updates are available to mitigate CVE-2026-20127. Users must upgrade their instance for complete protection. An upgrade matrix is available to help users quickly identify the correct upgrade path, and Cisco has also issued a comprehensive remediation guide. Organizations that may be impacted should also conduct an immediate compromise assessment. A detailed IoC hunt guide has been published by Australia’s NCSC and co-signed by the Five Eyes national security agencies.

The affected versions of Cisco Catalyst SD-WAN are listed in the table below:

Affected product               Required Action
Earlier than version 20.9      Migrate to a fixed release
Version 20.9                   Upgrade to version 20.9.8.2
Version 20.11                  Upgrade to version 20.12.6.1
Version 20.12.1 – 20.12.5      Upgrade to version 20.12.5.3
Version 20.12.6                Upgrade to version 20.12.6.1
Version 20.13                  Upgrade to version 20.15.4.2
Version 20.14                  Upgrade to version 20.15.4.2
Version 20.15                  Upgrade to version 20.15.4.2
Version 20.16                  Upgrade to version 20.18.2.1
Version 20.18                  Upgrade to version 20.18.2.1
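To turn the upgrade matrix into a triage check over a device inventory, here is an added Python example (ours, not Greenbone’s or Cisco’s code) that maps a Controller or Manager version string to the row above and reports whether an upgrade is still required. The hostnames in the sample inventory are constructed, and the rule that a release at or above the fixed release on its own train carries the fix is our assumption; trains the table omits (20.10, 20.17) are reported as unlisted rather than guessed.

```python
"""Triage Catalyst SD-WAN Controller/Manager versions against the
CVE-2026-20127 upgrade matrix (added example, not Greenbone's or Cisco's code)."""
from typing import Optional, Tuple

Ver = Tuple[int, ...]

def parse(version: str) -> Ver:
    """'20.12.5.3' -> (20, 12, 5, 3); tuple comparison orders releases."""
    return tuple(int(p) for p in version.strip().split("."))

# (low inclusive, high exclusive, required action, first fixed release or None),
# transcribed from the advisory table above. 20.10 and 20.17 are not listed there.
ROWS = [
    ((0,),        (20, 9),     "Migrate to a fixed release",   None),
    ((20, 9),     (20, 10),    "Upgrade to version 20.9.8.2",  (20, 9, 8, 2)),
    ((20, 11),    (20, 12),    "Upgrade to version 20.12.6.1", (20, 12, 6, 1)),
    ((20, 12, 1), (20, 12, 6), "Upgrade to version 20.12.5.3", (20, 12, 5, 3)),
    ((20, 12, 6), (20, 12, 7), "Upgrade to version 20.12.6.1", (20, 12, 6, 1)),
    ((20, 13),    (20, 16),    "Upgrade to version 20.15.4.2", (20, 15, 4, 2)),
    ((20, 16),    (20, 17),    "Upgrade to version 20.18.2.1", (20, 18, 2, 1)),
    ((20, 18),    (20, 19),    "Upgrade to version 20.18.2.1", (20, 18, 2, 1)),
]

def assess(version: str) -> Tuple[str, str]:
    """Return (status, action); status is 'fixed', 'vulnerable' or 'unlisted'.
    Assumption (ours): a release at or above the fixed release on its own
    20.x train carries the fix. A row whose fix lives on another train
    (e.g. 20.11 -> 20.12.6.1) therefore always needs a migration."""
    v = parse(version)
    for low, high, action, fixed in ROWS:
        if low <= v < high:
            if fixed is not None and v[:2] == fixed[:2] and v >= fixed:
                return "fixed", "no upgrade required for CVE-2026-20127"
            return "vulnerable", action
    return "unlisted", "not in the matrix; consult Cisco's advisory"

if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    inventory = [("vsmart-1", "20.9.5.1"), ("vmanage-1", "20.12.5.3"),
                 ("vsmart-2", "20.11.1.2"), ("vmanage-dr", "20.17.1")]
    for host, ver in inventory:
        status, action = assess(ver)
        print(f"{host:12} {ver:10} {status:10} {action}")
```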

The following deployment types are affected for all configurations:

  • On-Prem Deployment
  • Cisco Hosted SD-WAN Cloud
  • Cisco Hosted SD-WAN Cloud — Cisco Managed
  • Cisco Hosted SD-WAN Cloud — FedRAMP Environment

Summary

CVE-2026-20127 is a CVSS 10 authentication bypass flaw affecting Cisco Catalyst SD-WAN Controller and Manager. Its active exploitation against high-value and critical infrastructure targets presents critical risk to users globally. No workarounds exist. Defenders should patch with urgency and also perform an immediate compromise assessment according to Cisco’s remediation resources and the IoC hunt guidance issued by the Five Eyes security agencies.