Overview
On February 25, 2026, Cisco disclosed a critical authentication bypass vulnerability in Cisco Catalyst SD‑WAN Controller and Cisco Catalyst SD‑WAN Manager, tracked as CVE‑2026‑20127, that allows an unauthenticated attacker to gain administrative access to affected systems. The Cisco Catalyst SD-WAN Controller and Manager are core components of Cisco’s software-defined wide area networking (SD-WAN) architecture. The issue was originally identified and reported by Australian cybersecurity authorities, who observed real‑world attacks leveraging this flaw.
Customers running these products must urgently upgrade to a fixed release to prevent further compromise. This vulnerability affects the following deployment types:
On-Prem Deployment
Cisco Hosted SD-WAN Cloud
Cisco Hosted SD-WAN Cloud - Cisco Managed
Cisco Hosted SD-WAN Cloud - FedRAMP Environment
At the time of disclosure, Cisco Talos published a report that outlined how malicious actors in the wild leveraged CVE-2026-20127 to gain initial access, then downgraded the software version on the compromised system for post-exploitation activity. After the targeted system had been downgraded to an older vulnerable firmware release, the attackers exploited CVE-2022-20775 to escalate privileges and gain root access to the system. This exploitation in the wild led CISA to issue an emergency directive to Federal Civilian Executive Branch (FCEB) agencies requiring that patches be installed by 5:00PM ET February 27, 2026.
Mitigation guidance
At the time of the advisory’s publication, Cisco does not recommend any workaround strategies for remediation. Organizations running affected instances of Cisco Catalyst SD-WAN Controller or Cisco Catalyst SD-WAN Manager should prioritize upgrading to a fixed version, as outlined below, to remediate CVE-2026-20127.
Affected Cisco Catalyst SD-WAN major version recommendations:
20.11 Release - upgrade to version 20.12.6.1 or above.
20.12.5 Release - upgrade to version 20.12.5.3 or above.
20.12.6 Release - upgrade to version 20.12.6.1 or above.
20.13 Release - upgrade to version 20.15.4.2 or above.
20.14 Release - upgrade to version 20.15.4.2 or above.
20.15 Release - upgrade to version 20.15.4.2 or above.
20.16 Release - upgrade to version 20.18.2.1 or above.
20.18 Release - upgrade to version 20.18.2.1 or above.
20.9 Release - upgrade to version 20.9.8.2 or above (Cisco estimates a patch availability date of February 27, 2026 for this release).
Systems running release versions below 20.9 should be migrated to a newer major version with a fix available.
For the latest guidance, refer to the official vendor advisory.
Artifacts/Evidence Sources and IOCs
For any potentially compromised systems, Cisco recommends specific detection and forensic analysis steps to identify exploitation of CVE-2026-20127. According to Cisco, defenders should look for control connection peering events in Cisco Catalyst SD-WAN logs; Cisco states that all peering events will require manual validation to confirm if the events are valid or not, using the following steps:
Verify the timestamp of each peering event against known maintenance windows, scheduled configuration changes, and normal operational hours for your environment.
Confirm the public IP address corresponds to infrastructure owned or operated by your organization or authorized partners by cross-referencing against asset inventories and authorized IP ranges.
Validate the peer system IP matches documented device assignments within your Cisco Catalyst SD-WAN topology.
Review the peer type (vmanage, vsmart, vedge, vbond) to ensure it aligns with expected device roles in your deployment.
Correlate multiple events from the same source IP or system IP to identify patterns of reconnaissance or persistent access attempts.
Cross-reference event timing with authentication logs, change management records, and user activity to establish whether the connection was initiated by authorized personnel.
Rapid7 customers
Exposure Command, InsightVM, and Nexpose
Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-20127 with authenticated checks expected to be available in the Feb 26 content release.
Updates
February 25, 2026: Initial publication.
