CVE-2026-20127
Description
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
8cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*range: <20.9.8.2
- cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.6:*:*:*:*:*:*:*
- (no CPE)
- (no CPE)range: 20.1.12
cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:*range: <20.9.8.2
- cpe:2.3:a:cisco:sd-wan_vsmart_controller:20.12.6:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
2- sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZknvdVendor Advisory
- www.cisa.gov/known-exploited-vulnerabilities-catalognvdUS Government Resource
News mentions
33- Cisco Vulnerability Exploited Months Before Disclosure, Google WarnsInfosecurity Magazine · Jun 25, 2026
- Cisco SD-WAN Zero-Day Exploited Months Before PatchingSecurityWeek · Jun 25, 2026
- Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root AccessThe Hacker News · Jun 25, 2026
- Mandiant reveals how Cisco SD-WAN zero-day attacks gained root accessBleepingComputer · Jun 24, 2026
- Attackers Hit Cisco SD-WAN Flaw 2 Months Before DisclosureDark Reading · Jun 24, 2026
- Malicious hackers exploit Cisco zero-day for highest access level at communications service providerCyberScoop · Jun 24, 2026
- Hackers Exploiting Cisco Catalyst SD-WAN Manager 0-Day Flaw to Gain Root-Level AccessCyber Security News · Jun 24, 2026
- Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN ManagerMandiant Threat Intelligence · Jun 24, 2026
- ThreatsDay Bulletin: Claude Chat Abuse, NastyC2 npm Packages, Device-Code Phishing + 25 More StoriesThe Hacker News · Jun 18, 2026
- Cisco adds another SD-WAN box to max-severity bug advisoryThe Register Security · Jun 17, 2026
- Cisco discloses second exploited SD-WAN vulnerability in two weeks (CVE-2026-20262)Help Net Security · Jun 16, 2026
- Cisco Patches Another SD-WAN Zero-Day Exploited in AttacksSecurityWeek · Jun 16, 2026
- Cisco Releases Security Updates for Actively Exploited SD-WAN Manager FlawThe Hacker News · Jun 16, 2026
- Cisco customers encounter another SD-WAN zero-day under attackCyberScoop · Jun 9, 2026
- Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch AvailableThe Hacker News · Jun 6, 2026
- Yet another Cisco SD-WAN 0-day under attack, and no patch in sightThe Register Security · Jun 5, 2026
- Cisco SD-WAN 0-day exploited, no patch available (CVE-2026-20245)Help Net Security · Jun 5, 2026
- Cisco SD-WAN Vulnerability Exploited in the Wild to Execute Arbitrary Commands as Root UserCyber Security News · Jun 5, 2026
- Cisco warns of unpatched SD-WAN zero-day exploited in attacksBleepingComputer · Jun 5, 2026
- Cisco Warns of 7th SD-WAN Zero-Day Exploited in 2026SecurityWeek · Jun 5, 2026
- ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and MoreThe Hacker News · May 18, 2026
- Cisco zero-day under ongoing attack by persistent threat groupCyberScoop · May 15, 2026
- Cisco patches another actively exploited SD-WAN zero-day (CVE-2026-20182)Help Net Security · May 15, 2026
- Cisco Patches Another SD-WAN Zero-Day, the Sixth Exploited in 2026SecurityWeek · May 15, 2026
- CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access ExploitsThe Hacker News · May 15, 2026
- Frequently asked questions about the continued exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182)Tenable Blog · May 15, 2026
- Maximum Severity Cisco SD-WAN Bug Exploited in the WildDark Reading · May 14, 2026
- Cisco warns of new critical SD-WAN flaw exploited in zero-day attacksBleepingComputer · May 14, 2026
- Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin AccessThe Hacker News · May 14, 2026
- Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilitiesCisco Talos Intelligence · May 14, 2026
- CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller (FIXED)Rapid7 Blog · May 14, 2026
- The Dark Side of Efficiency: When Network Controllers Become "God Mode" for AttackersRapid7 Blog · May 14, 2026
- CISA Issues Emergency Directive Over Exploited Cisco SD-WAN FlawsInfosecurity Magazine · Mar 12, 2026