Home Cisco CVE-2026-20127
CRITICAL: THIS VULNERABILITY IS ACTIVELY BEING EXPLOITED IN THE WILD (CISA KEV CATALOG)
Back to Cisco

CVE-2026-20127

Exploited

Catalyst SD-WAN Controller - Peering Authentication

Cisco CVSS 10 Updated March 16, 2026

Executive Risk Summary

"A vulnerability in the peering authentication of Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges. This could enable the attacker to manipulate network configuration for the SD-WAN fabric."

Operational Audit Arsenal

Target Type Firmware
Target Asset Cisco Catalyst SD-WAN Controller
Standard Path SD-WAN Controller Device

Manual Verification Required

This is a non-Windows asset (Cisco). Use the target asset details above to verify your version against vendor advisories.

Patch Impact Forecast

Reboot Required Likely

Potential network disruption during patching

Internal Work Notes

CVE-2026-20127: Unauthenticated remote attacker could bypass authentication on Cisco Catalyst SD-WAN Controller, obtain admin privileges, and manipulate SD-WAN fabric configuration. Verify firmware version and apply patch as recommended by Cisco.

Intelligence Sources

Official Advisoryhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
CISA KEV Cataloghttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20127

Related Cisco Threats

CVE-2025-20188 CVSS 10

Cisco IOS XE - Wireless LAN Controllers
CVE-2026-20079 CVSS 10

Secure Firewall Management Center (FMC) Software
CVE-2025-20281 CVSS 10

Cisco ISE - API

Scope of Impact

Cisco Catalyst Sd-Wan Manager (Version 20.12.6)Cisco Catalyst Sd-Wan ManagerCisco Sd-Wan Vsmart ControllerCisco Sd-Wan Vsmart Controller (Version 20.12.6)

Original NVD Description

"A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric. "

Data compiled from NVD, MSRC, and CISA KEV Catalog. Intelligence synthesized via AI. Scripts provided for diagnostic purposes under MIT License.