ON 25 February 2026, Cisco disclosed a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, tracked as CVE-2026-20127, which allows an unauthenticated attacker to gain administrative access to affected systems. The issue, observed in real‑world attacks, is part of Cisco’s software‑defined wide area networking (SD‑WAN) architecture, and was identified and reported by Australian cybersecurity authorities.
According to Cisco, defenders should upgrade to a fixed release, as remediation workarounds are not recommended. The directive prompted an emergency directive from CISA requiring patches by 5:00PM ET on 27 February 2026 for Federal Civilian Executive Branch agencies. Affected deployment types include On-Prem Deployment, Cisco Hosted SD‑WAN Cloud, Cisco Hosted SD‑WAN Cloud – Cisco Managed, and Cisco Hosted SD‑WAN Cloud – FedRAMP Environment.
Cisco Talos published a report describing how attackers used CVE-2026-20127 to gain initial access before downgrading firmware and exploiting CVE-2022-20775 to escalate privileges.