UK, US, Canada, Australia and New Zealand government security agencies have urged Cisco customers to patch a critical zero-day in SD-WAN that has been exploited since 2023.
The vulnerability, CVE-2026-20127, is an authentication bypass in the peering mechanism of Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and SD-WAN Manager (formerly SD-WAN vManage), and carries the maximum CVSS score of 10.0. According to Cisco, it could allow an unauthenticated remote attacker to obtain administrative privileges by sending crafted requests.
The advisory notes that a successful exploit could let an attacker log in as an internal, high-privileged, non-root user and then access NETCONF to manipulate SD-WAN fabric configuration. A detailed Five Eyes threat-hunt guide indicates that sophisticated actors downgraded target systems to an older version and then restored them to the original version to gain root access. Customers are urged to patch both the legacy 2022 bug, CVE-2022-20775, and the new zero-day, following the release of a fix yesterday, according to Cisco.
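The downgrade-then-restore sequence described in the threat-hunt guide shows up as a software version that drops and then returns to its earlier value. As an added example (not code from Cisco or the Five Eyes guide), this Python code flags that pattern in a series of version observations. The record format, device names and version numbers are constructed assumptions, not a Cisco log format.

```python
from datetime import datetime

# Constructed sample: (timestamp, device, software version) as a config-backup
# or inventory job might record it. Names and versions are made up and are not
# a Cisco log format.
SAMPLE = [
    ("2026-01-10T02:00:00", "ctrl-a", "5.2.1"),
    ("2026-01-11T02:00:00", "ctrl-a", "5.2.1"),
    ("2026-01-12T02:00:00", "ctrl-a", "4.8.0"),  # older version appears
    ("2026-01-12T08:00:00", "ctrl-a", "5.2.1"),  # original version is back
    ("2026-01-10T02:00:00", "ctrl-b", "5.0.3"),
    ("2026-01-20T02:00:00", "ctrl-b", "5.2.1"),  # ordinary upgrade
    ("2026-01-10T02:00:00", "mgr-a", "5.2.1"),
    ("2026-01-15T02:00:00", "mgr-a", "5.0.3"),   # downgrade, never restored
]


def parse_version(text):
    """'5.2.1' -> (5, 2, 1), so that 5.10.0 sorts above 5.9.0."""
    return tuple(int(part) for part in text.split("."))


def find_downgrades(observations, window_hours=168):
    """Flag each version drop and whether the prior version came back in the window."""
    by_device = {}
    for ts, device, version in observations:
        by_device.setdefault(device, []).append((datetime.fromisoformat(ts), version))
    findings = []
    for device in sorted(by_device):
        rows = sorted(by_device[device])
        # Keep only the points where the version changed.
        changes = [rows[0]]
        for ts, version in rows[1:]:
            if version != changes[-1][1]:
                changes.append((ts, version))
        for i in range(1, len(changes)):
            (_, before), (ts, after) = changes[i - 1], changes[i]
            if parse_version(after) >= parse_version(before):
                continue  # upgrade, not of interest here
            finding = {"device": device, "from": before, "to": after,
                       "kind": "downgrade_only", "hours_below": None}
            for later_ts, later_version in changes[i + 1:]:
                hours = (later_ts - ts).total_seconds() / 3600
                if later_version == before and hours <= window_hours:
                    finding.update(kind="downgrade_then_restore", hours_below=hours)
                    break
            findings.append(finding)
    return findings
```

The result can only be as precise as the sampling interval: a downgrade and restore that both fall between two observations will not appear in this data at all.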
CISA has issued an emergency directive requiring all federal agencies to patch the vulnerabilities by 5pm ET on 27 February 2026, stating that “the ease with which these vulnerabilities can be exploited demands immediate action from all federal agencies.”