CISA has added CVE-2026-20127, the Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability, to its Known Exploited Vulnerabilities (KEV) catalogue. The issue affects Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) and allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges.
The flaw is an authentication bypass in the peering authentication mechanism. An attacker can send crafted requests to an affected system to log in as an internal, high-privileged, non-root account. From that account the attacker can access NETCONF and manipulate the SD-WAN fabric configuration. The NVD lists a CVSS score of 10.0 (CRITICAL). Patch status is currently unknown, and the KEV entry provides no vendor advisory or patch URL.
Inclusion in the KEV catalogue indicates that CISA has confirmed active exploitation. The KEV entry does not link the vulnerability to any known ransomware campaign (status: unknown). CISA sets the remediation due date as 2026-02-27.
CISA's required action instructs organisations to follow CISA's guidance for assessing exposure and mitigating risk on Cisco SD-WAN devices, as set out in Emergency Directive 26-03 and the supplemental "Hunt & Hardening Guidance for Cisco SD-WAN Devices", to apply the relevant BOD 22-01 guidance for cloud services, and to discontinue use of the product if mitigations are not available. Federal Civilian Executive Branch (FCEB) agencies are directly bound by the directive; all organisations using affected Cisco SD-WAN products should review their exposure immediately.
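The exposure review the required action calls for starts with knowing which assets carry a KEV-listed product and how far the remediation due date is. The script below is an added example, not CISA's tooling or anything from the KEV entry itself: it parses a KEV-style JSON document, matches it against an asset inventory, and reports days remaining (or overdue) against each entry's `dueDate`. The KEV sample is constructed from the values on this page (the second entry is a placeholder for a non-matching vendor), the inventory is constructed, the field names (`cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`) are those of CISA's published feed, and the token-subset product matching and the vSmart/vManage alias table are this example's own heuristic. In use, `load_kev` would be fed the downloaded feed rather than the embedded sample.

```python
"""Triage an asset inventory against a CISA KEV-style feed (illustrative example)."""
import json
import re
from datetime import date

# Former product names from the page: vSmart -> Controller, vManage -> Manager.
PRODUCT_ALIASES = {"vsmart": "controller", "vmanage": "manager"}

# Constructed sample in the shape of the CISA KEV JSON feed. Only the fields this
# script uses are included; dateAdded/notes are omitted because the page does
# not state them. The second entry is a placeholder (CVE-0000-00000) used to
# exercise the vendor-mismatch path.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (sample)",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-20127",
            "vendorProject": "Cisco",
            "product": "Catalyst SD-WAN Controller and Manager",
            "vulnerabilityName": "Cisco Catalyst SD-WAN Controller and Manager "
                                 "Authentication Bypass Vulnerability",
            "dueDate": "2026-02-27",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-0000-00000",  # placeholder, constructed
            "vendorProject": "ExampleVendor",
            "product": "Example Router",
            "vulnerabilityName": "Placeholder entry",
            "dueDate": "2026-01-15",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed asset inventory; one host still uses the former vManage name.
SAMPLE_INVENTORY = [
    {"hostname": "sdwan-mgr-01", "vendor": "Cisco", "product": "Catalyst SD-WAN vManage"},
    {"hostname": "sdwan-ctrl-01", "vendor": "Cisco", "product": "Catalyst SD-WAN Controller 20.9"},
    {"hostname": "core-sw-01", "vendor": "Cisco", "product": "Catalyst 9300"},
    {"hostname": "edge-fw-01", "vendor": "ExampleVendor", "product": "Example Firewall"},
]


def normalize_tokens(text):
    """Lower-case product tokens, mapping former names and dropping version numbers."""
    text = text.replace("\u2011", "-").lower()  # non-breaking hyphens seen in advisories
    tokens = set()
    for tok in re.split(r"[\s/,()]+", text):
        if not tok or tok == "and":
            continue
        if re.fullmatch(r"v?\d+(\.\d+)+", tok):  # e.g. 20.9; plain model numbers stay
            continue
        tokens.add(PRODUCT_ALIASES.get(tok, tok))
    return frozenset(tokens)


def load_kev(json_text):
    """Return the vulnerability entries from a KEV-style JSON document."""
    return json.loads(json_text)["vulnerabilities"]


def match_exposure(kev_entries, inventory, today):
    """Match assets to KEV entries by vendor and product tokens; compute due-date status."""
    findings = []
    for asset in inventory:
        asset_tokens = normalize_tokens(asset["product"])
        for entry in kev_entries:
            if asset["vendor"].lower() != entry["vendorProject"].lower():
                continue
            # Heuristic: every token of the inventory product must appear in the
            # KEV product string, so "Catalyst SD-WAN Manager" matches
            # "Catalyst SD-WAN Controller and Manager" but "Catalyst 9300" does not.
            if not asset_tokens or not asset_tokens <= normalize_tokens(entry["product"]):
                continue
            days_remaining = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({
                "hostname": asset["hostname"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "days_remaining": days_remaining,
                "overdue": days_remaining < 0,
                "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
            })
    findings.sort(key=lambda f: (f["days_remaining"], f["hostname"]))
    return findings


def render_report(findings):
    """One line per finding, most urgent first."""
    return [
        f"{'OVERDUE' if f['overdue'] else 'DUE':7} {f['hostname']:14} {f['cveID']} "
        f"due {f['dueDate']} ({f['days_remaining']:+d} days) ransomware={f['ransomware']}"
        for f in findings
    ]


if __name__ == "__main__":
    for line in render_report(match_exposure(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, date.today())):
        print(line)
```

`today` is passed explicitly so the due-date arithmetic is reproducible; the token-subset match is deliberately conservative (an inventory product with extra descriptive words will not match and should be reconciled by hand).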
See the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-20127) and the CISA KEV catalogue for full details.