securityaffairs.com 2/26/2026, 4:02:13 PM · via preferred

CISA: CVE-2026-20127 lets attackers gain admin on Cisco SD WAN

CyberSIXT Evidence Panel
CISA KEV: Listed in KEV
Patch: Patch Available
Threat Actor: UAT-8616 (tracked by Cisco Talos)

U.S. CISA has added two Cisco SD-WAN flaws to its Known Exploited Vulnerabilities catalog, namely CVE-2022-20775 and CVE-2026-20127, with the latter carrying a CVSS score of 10.0 and being described as an authentication bypass affecting the Cisco Catalyst SD-WAN Controller and Manager.

The advisory notes that the vulnerability has been actively exploited since 2023, enabling remote, unauthenticated attackers to bypass authentication and gain full administrative access by sending crafted requests to vulnerable systems. Cisco has issued updated Catalyst SD-WAN releases to address the issue, and customers running versions prior to 20.9.1 are urged to migrate to a patched release; the affected environments include on‑prem deployments and various Cisco Hosted SD-WAN offerings.

According to Cisco Talos, the exploitation is tracked as UAT-8616, with evidence suggesting the actor downgraded software to escalate to root and then exploited CVE-2022-20775 before restoring the original version to maintain stealth. The campaign highlights ongoing targeting of network edge devices to secure persistent access to high‑value infrastructure, and customers are urged to apply the security updates promptly.


Article by CyberSIXT