A recently disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has been actively exploited in the wild as part of malicious activity that began in 2023. By sending a specially crafted request to an affected system, an unauthenticated remote attacker can bypass authentication and gain administrative privileges on the compromised system.
This vulnerability is known as CVE-2026-20127 (CVSS score: 10.0). An adversary could gain elevated privileges on the system as an internal, high-privileged, non-root user account if the vulnerability is successfully exploited.
In an advisory, Cisco stated that "this vulnerability exists because the peering authentication mechanism in an affected system is not working properly." The threat actor could use the non-root user account to gain access to NETCONF and change the SD-WAN fabric's network configuration. Regardless of the device configuration, the following deployment types are impacted by the flaw: On-Prem Deployment, Cisco Managed, Cisco Hosted SD-WAN Cloud, and Cisco Hosted SD-WAN Cloud FedRAMP Environment.
Cisco acknowledged that the vulnerability was reported by the Australian Cyber Security Centre (ASD-ACSC) of the Australian Signals Directorate.
The attempted exploitation by UAT-8616, according to Talos, "indicates a continuing trend of cyber threat actors targeting network edge devices looking to establish persistent footholds into high-value organizations, including Critical Infrastructure (CI) sectors."
The development led the Cybersecurity and Infrastructure Security Agency (CISA) to add both CVE-2022-20775 and CVE-2026-20127 to its Known Exploited Vulnerabilities (KEV) catalog, and Federal Civilian Executive Branch (FCEB) agencies are required to implement the fixes within the next 24 hours. CISA advises examining the following logs to look for unexpected reboot events and version downgrades: /var/volatile/log/vdebug, /var/log/tmplog/vdebug, and /var/volatile/log/sw_script_synccdb.log.
Additionally, federal agencies must inventory SD-WAN devices, apply updates, and evaluate potential compromises in accordance with a new CISA emergency directive, 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems. Under it, agencies are required to submit a catalog of all in-scope SD-WAN systems on their networks by February 26, 2026, at 11:59 p.m. ET.
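The log review CISA advises can be scripted as a first-pass triage. The sketch below is an added example, not CISA or Cisco tooling: it reads the three paths named above and flags reboot messages and any reported version lower than the one seen before it. The message wording, the regular expressions and the sample lines are assumptions constructed for illustration, so tune the patterns against your own logs.

```python
import re
from pathlib import Path

# The three log paths the article says CISA advises examining.
LOG_PATHS = ["/var/volatile/log/vdebug", "/var/log/tmplog/vdebug",
             "/var/volatile/log/sw_script_synccdb.log"]

# Assumption: the article does not give the message wording, so these are
# generic keyword heuristics to tune against your own log samples.
REBOOT_RE = re.compile(r"\b(reboot\w*|restart\w*|shutdown)\b", re.I)
VERSION_RE = re.compile(r"\bversion\D{0,20}?(\d+(?:\.\d+){1,3})", re.I)

# Constructed sample lines (not real device output; versions are made up).
SAMPLE = """\
Feb 20 10:00:01 sdwan-mgr sysmgr: running software version 30.2.1
Feb 20 10:05:12 sdwan-mgr sysmgr: system reboot initiated
Feb 20 10:09:40 sdwan-mgr sysmgr: running software version 30.1.4
Feb 20 10:30:03 sdwan-mgr sysmgr: system reboot initiated
Feb 20 10:34:55 sdwan-mgr sysmgr: running software version 30.2.1
""".splitlines()

def parse_version(text):
    """Turn '30.1.4' into (30, 1, 4) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def triage(lines):
    """Return (line_no, kind, detail) for reboots and version downgrades."""
    findings, prev = [], None
    for no, line in enumerate(lines, 1):
        if REBOOT_RE.search(line):  # every reboot is listed for review
            findings.append((no, "reboot", line.strip()))
        match = VERSION_RE.search(line)
        if match:
            cur = match.group(1)
            if prev and parse_version(cur) < parse_version(prev):
                findings.append((no, "downgrade", f"{prev} -> {cur}"))
            prev = cur  # compare each version with the one before it
    return findings

def scan(paths=LOG_PATHS):
    """Triage each log file that exists; missing paths are skipped."""
    report = {}
    for path in map(Path, paths):
        if path.is_file():
            text = path.read_text(errors="replace")
            report[str(path)] = triage(text.splitlines())
    return report

if __name__ == "__main__":
    for no, kind, detail in triage(SAMPLE):
        print(f"sample line {no}: {kind}: {detail}")
```

Whether a flagged reboot is unexpected is an analyst's call: compare each hit with approved change windows, and treat a downgrade that is later followed by a return to the original version as a finding in its own right.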












