A critical authentication bypass vulnerability (CVE-2026-20127) has been identified in Cisco Catalyst SD-WAN Controller and Manager. This flaw allows unauthenticated, remote attackers to gain administrative privileges on affected systems. Exploitation in the wild has been confirmed, and immediate action is required to mitigate risk. 

What do I need to know? 

  • Vulnerability: CVE-2026-20127 
  • Severity: Critical (CVSS 3.1 Score: 10.0) 
  • Attack Vector: A remote, unauthenticated attacker can send crafted requests to bypass authentication.
  • Root Cause: Improper functioning of the peering authentication mechanism. 
  • Impact: Successful exploitation grants high-privileged (non-root) access, enabling attackers to manipulate SD-WAN fabric configurations via NETCONF. 

Products and Systems Affected 

Affected Products:

  • Cisco Catalyst SD-WAN Controller (formerly vSmart) 
  • Cisco Catalyst SD-WAN Manager (formerly vManage) 
  • All deployment types: On-Prem, Cisco Hosted SD-WAN Cloud, Cisco Managed, FedRAMP environments 

What do I need to do? 

We recommend the following steps to identify and remediate this vulnerability: 

  • Apply Patches: Cisco has released software updates to address this vulnerability. Refer to the Cisco Security Advisory for fixed versions. 
  • No Workarounds: There are no workarounds available. 
  • Audit and Monitor:  
    • Review SD-WAN Controller and Manager logs for unauthorized access attempts. 
    • Implement detection for the Indicators of Compromise (IoCs) that Cisco recommends in the advisory.
  • Network Hardening: Restrict management access to trusted IP ranges and enforce strong segmentation. 

Additional Resources