CVE-2026-20127 - [KEV] - CVSS 10.0
Overview
CVE-2026-20127 is a critical authentication bypass vulnerability (CVSS 10.0) affecting Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). The flaw originates from improper handling within the peering authentication mechanism, which fails to correctly validate identity during inter-component communication. An unauthenticated, remote attacker can send crafted requests to the affected system and authenticate as an internal, high-privileged (non-root) user account.
Once authenticated, the attacker gains access to NETCONF, the standard configuration management interface used by Cisco SD-WAN components. Through NETCONF, the adversary can manipulate the configuration of the entire SD-WAN fabric, altering routing policies, tunnel definitions, access controls, and segmentation enforcement across all managed edge devices. The vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on 2026-02-25, indicating confirmed active exploitation in the wild. An EPSS score of 0.397 also reflects an elevated likelihood of exploitation.
Affected Products
- Cisco Catalyst SD-WAN Controller (formerly Cisco SD-WAN vSmart Controller)
- Cisco Catalyst SD-WAN Manager (formerly Cisco SD-WAN vManage)
Both on-premises and cloud-hosted deployments serving as control-plane or management-plane components for SD-WAN fabrics should be considered in scope until Cisco-published fixed releases are deployed.
Exploitation Evidence
No technical artifacts, indicators of compromise, or public proof-of-concept code are present in the available data set. However, inclusion in the CISA KEV catalog on 2026-02-25 establishes that exploitation has been observed against production environments. Operators should treat exposure of SD-WAN control- and management-plane interfaces to untrusted networks as an active risk and assume opportunistic targeting.
ATT&CK Mapping
No formal ATT&CK mappings are present in the source data. Based on the described capability chain, the following techniques are analytically relevant:
- T1190 – Exploit Public-Facing Application: Initial access via crafted requests to the peering authentication interface.
- T1078 – Valid Accounts: Authentication bypass results in use of an internal high-privileged account.
- T1068 – Exploitation for Privilege Escalation: The flaw yields administrative privileges without credentials.
- T1565 – Data Manipulation, together with T1496 / T1562 (Defense Evasion via Configuration Change): NETCONF-driven manipulation of SD-WAN fabric configuration enables persistent traffic redirection, policy disablement, or visibility tampering.
Threat Actor Context
No attributed threat actor is recorded in the available data. SD-WAN control-plane compromises have historically been of interest to both state-aligned espionage actors (for traffic interception and lateral pivoting across enterprise WAN segments) and financially motivated intrusion sets seeking persistent network control. Active exploitation status warrants treating the threat as cross-cluster and opportunistic.
Recommended Actions
- Patch immediately: Apply Cisco's fixed releases for Catalyst SD-WAN Controller and Catalyst SD-WAN Manager as published in the corresponding Cisco Security Advisory. Federal civilian agencies are bound by the KEV remediation timeline.
- Restrict control-plane exposure: Ensure SD-WAN Controller and Manager peering, NETCONF (TCP/830), and management interfaces are not reachable from the public internet or untrusted segments. Enforce allowlisting to known fabric peers and administrative jump hosts.
- Audit NETCONF activity: Review NETCONF session logs and configuration change history on Controllers and Managers for unexpected sessions, non-standard source addresses, or unauthorized configuration deltas across the fabric.
- Review internal accounts: Inventory and audit internal high-privileged, non-root service accounts. Rotate credentials and certificates used in the SD-WAN peering trust relationship after patching.
- Hunt for fabric-level tampering: Verify integrity of policy definitions, control policies, data policies, OMP routes, and tunnel configurations against a known-good baseline.
- Increase monitoring: Alert on anomalous authentication events to Controller/Manager, unexpected NETCONF clients, and configuration push events outside of change windows.
- Assume breach where exposed: If management-plane components were internet-reachable prior to patching, conduct a forensic review of the fabric and connected edge devices for evidence of persistence or traffic redirection.
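One way to operationalise the "Audit NETCONF activity" and "Increase monitoring" steps above, as an added example that is not Cisco tooling or part of the original advisory: a small Python checker that runs over session log lines and flags NETCONF clients outside the fabric-peer/jump-host allowlist and configuration edits outside the approved change window. The log line format, addresses, account name and window are constructed assumptions; real Controller/Manager logs differ, so parse_line() would need adapting.

```python
"""Flag suspicious NETCONF sessions against an allowlist and a change window."""
import re
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumption: only known fabric peers and the admin jump host may open NETCONF (TCP/830)
ALLOWED_NETCONF_SOURCES = [ip_network("10.10.0.0/24"), ip_network("10.20.5.7/32")]
# Assumption: approved configuration change window, 02:00-04:00 (log timestamps are UTC)
CHANGE_WINDOW = (time(2, 0), time(4, 0))

# Constructed log format; adapt this pattern to the real Controller/Manager log line.
LINE_RE = re.compile(r"^(?P<ts>\S+) netconf session user=(?P<user>\S+) src=(?P<src>\S+) op=(?P<op>\S+)$")


@dataclass
class Finding:
    timestamp: str
    user: str
    src: str
    op: str
    reasons: list


def parse_line(line):
    """Return the fields of one log line, or None if it is not a NETCONF session record."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def in_change_window(ts):
    start, end = CHANGE_WINDOW
    return start <= ts.time() <= end


def analyse(lines):
    """Return one Finding per session that violates the allowlist or the change window."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated log line, skip
        reasons = []
        if not any(ip_address(rec["src"]) in net for net in ALLOWED_NETCONF_SOURCES):
            reasons.append("source not in NETCONF allowlist")
        if rec["op"] == "edit-config" and not in_change_window(datetime.fromisoformat(rec["ts"])):
            reasons.append("config change outside change window")
        if reasons:
            findings.append(Finding(rec["ts"], rec["user"], rec["src"], rec["op"], reasons))
    return findings


# Constructed sample log: one clean edit, one foreign client editing at midday,
# one read-only session, one in-house edit outside the window, one unrelated line.
SAMPLE_LOG = [
    "2026-02-26T02:15:00 netconf session user=admin src=10.20.5.7 op=edit-config",
    "2026-02-26T13:42:10 netconf session user=internal-svc src=203.0.113.45 op=edit-config",
    "2026-02-26T03:10:00 netconf session user=admin src=10.10.0.22 op=get-config",
    "2026-02-26T22:05:33 netconf session user=admin src=10.10.0.22 op=edit-config",
    "2026-02-26T22:06:00 sshd accepted publickey for admin",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f.timestamp, f.user, f.src, f.op, "; ".join(f.reasons))
```

Run against the real session history, a finding for an unknown client paired with an edit-config outside any window is the pattern to escalate, since it matches the capability chain described in this advisory.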