SD-WAN CVE-2026-20127 Vulnerability
A maximum-severity vulnerability, tracked as CVE-2026-20127 (CVSS score: 10.0), has been identified in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. The flaw enables an unauthenticated remote attacker to bypass authentication controls and gain administrative access by sending a specially crafted request to a vulnerable system.
The issue stems from a failure in the peering authentication mechanism, allowing an adversary to log in as an internal, high-privileged non-root user. With this level of access, attackers can interact with NETCONF services and manipulate SD-WAN fabric configurations, potentially compromising the integrity and availability of enterprise networks.
Affected Deployment Models
The vulnerability impacts multiple deployment models, regardless of configuration:
- On-prem deployments
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud – Cisco Managed
- Cisco Hosted SD-WAN Cloud – FedRAMP Environment
Systems exposed to the public internet, particularly those with open ports, face significantly elevated risk of compromise.
Active Exploitation and Threat Actor Activity
Security researchers have confirmed active exploitation dating back to 2023. The campaign is being tracked under the designation UAT-8616, assessed as a highly advanced threat cluster. Evidence indicates that the group leveraged this zero-day vulnerability to infiltrate Cisco SD-WAN environments and obtain persistent elevated access.
The attack methodology includes the creation of a rogue peer that joins the SD-WAN management or control plane. This malicious device appears as a legitimate but temporary SD-WAN component, enabling trusted interactions within the management infrastructure.
Following initial compromise of an internet-facing application, attackers have exploited the built-in update mechanism to downgrade software versions. This downgrade facilitates exploitation of CVE-2022-20775 (CVSS score: 7.8), a high-severity privilege escalation flaw in the Cisco SD-WAN Software CLI. Once root privileges are obtained, the attackers restore the system to its original software version to minimize detection.
Post-compromise actions attributed to UAT-8616 include:
- Creation of local user accounts designed to resemble legitimate accounts
- Insertion of SSH authorized keys for root access and modification of SD-WAN startup scripts
- Use of NETCONF over port 830 and SSH for lateral movement within the management plane
- Log tampering, including deletion of files under /var/log, command history, and network connection records
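One way to hunt for the inserted SSH authorized keys mentioned above is to fingerprint every key in root's authorized_keys file and compare it against a baseline of fingerprints your team knows it deployed. The script below is an added example written for this page, not Cisco's tooling or part of the advisory. It assumes the file has the standard OpenSSH authorized_keys layout (the path /root/.ssh/authorized_keys and the sample keys are constructed for the example and are not from the advisory), and it computes the SHA256 fingerprint the same way ssh-keygen -l prints it, so the baseline can be built from ssh-keygen output on a known-good system.

```python
import base64
import hashlib
import shlex

# Key types an authorized_keys line can carry; used to locate the key token on a
# line even when login options such as from="..." precede it.
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def ssh_fingerprint(b64_key):
    """SHA256 fingerprint in OpenSSH's format: base64(sha256(raw key blob)) with '=' padding removed."""
    raw = base64.b64decode(b64_key)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (line_number, key_type, base64_key, comment) for each key line.

    Blank lines and '#' comments are skipped. shlex handles quoted option values
    (e.g. from="10.0.0.0/8") so they do not confuse the token split.
    """
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line; production tooling should log and report it
        yield lineno, tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])


def find_unexpected_keys(text, baseline_fingerprints):
    """Return (line_number, key_type, fingerprint, comment) for keys absent from the baseline."""
    hits = []
    for lineno, key_type, key, comment in parse_authorized_keys(text):
        fp = ssh_fingerprint(key)
        if fp not in baseline_fingerprints:
            hits.append((lineno, key_type, fp, comment))
    return hits


# Constructed sample data: the key blobs are arbitrary bytes, not real SSH keys, so
# the fingerprint logic can run offline. A real baseline would hold ssh-keygen -l output.
KNOWN_KEY = base64.b64encode(b"constructed key blob: corporate automation key").decode()
ROGUE_KEY = base64.b64encode(b"constructed key blob: key not in the baseline").decode()

SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample of /root/.ssh/authorized_keys (assumed path)
from="10.10.1.0/24" ssh-ed25519 {KNOWN_KEY} automation@corp
ssh-ed25519 {ROGUE_KEY} admin
"""

# Baseline of fingerprints the team knows it deployed (constructed for the example).
BASELINE_FINGERPRINTS = {ssh_fingerprint(KNOWN_KEY)}

if __name__ == "__main__":
    for lineno, key_type, fp, comment in find_unexpected_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE_FINGERPRINTS):
        print(f"line {lineno}: unexpected {key_type} key {fp} (comment: {comment!r})")
```

A key whose comment looks legitimate (here "admin") is still flagged, because the comparison is on the fingerprint of the key material rather than on anything the attacker controls in the comment field. Run the same comparison on every account's authorized_keys, not only root's, and treat any unexpected entry as a trigger for the wider forensic validation the advisory describes.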
This activity reflects a broader trend of sophisticated actors targeting network edge infrastructure to establish durable footholds in high-value environments, including critical infrastructure sectors.
Patching and Remediation Guidance
Cisco has released fixes across multiple software trains. Organizations operating vulnerable versions must upgrade to remediated releases, including:
- Versions prior to 20.9.1: migrate to a fixed release
- 20.9: upgrade to 20.9.8.2
- 20.11.1: upgrade to 20.12.6.1
- 20.12.5: upgrade to 20.12.5.3
- 20.12.6: upgrade to 20.12.6.1
- 20.13.1, 20.14.1, 20.15: upgrade to 20.15.4.2
- 20.16.1 and 20.18: upgrade to 20.18.2.1
In addition to patching, organizations should conduct forensic validation. Recommended actions include reviewing the /var/log/auth.log file for entries referencing 'Accepted publickey for vmanage-admin' originating from unknown IP addresses. Any suspicious IPs should be cross-referenced with configured System IPs listed in the Cisco Catalyst SD-WAN Manager Web UI under Devices > System IP.
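The auth.log review described above can be scripted so that it scales across a fleet of controllers and managers. The following is an added example written for this page, not Cisco's tooling or part of the advisory. It parses OpenSSH-style syslog lines, keeps only accepted publickey logins for vmanage-admin (the indicator string the advisory names), and reports those whose source address is not in the list of configured System IPs copied from Devices > System IP in the Manager Web UI. The log lines, hostname and IP addresses are constructed for the example; the exact line format on an appliance may differ from stock OpenSSH and should be checked against a real auth.log before relying on the regular expression.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# OpenSSH logs "Accepted <method> for <user> from <ip> port <port> ..." via syslog.
# The timestamp/host/pid prefix is matched loosely; the day field may be space-padded.
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+"
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+|[0-9a-fA-F:]+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class SshLogin:
    timestamp: str
    host: str
    user: str
    method: str
    source_ip: str
    port: int


def parse_auth_log(lines):
    """Yield an SshLogin for every accepted SSH login; lines that are not accepted logins are ignored."""
    for line in lines:
        m = AUTH_LINE.match(line)
        if m:
            yield SshLogin(m["ts"], m["host"], m["user"], m["method"], m["ip"], int(m["port"]))


def find_suspicious_logins(lines, system_ips, watched_user="vmanage-admin"):
    """Return publickey logins for watched_user whose source IP is not a configured System IP.

    Addresses are normalised through ipaddress so that textual variants of the
    same address (for example IPv6 with and without zero compression) compare equal.
    """
    known = {ip_address(ip) for ip in system_ips}
    return [
        login
        for login in parse_auth_log(lines)
        if login.user == watched_user
        and login.method == "publickey"
        and ip_address(login.source_ip) not in known
    ]


# Constructed sample: lines shaped like OpenSSH auth.log entries. The hostname, the
# 10.10.1.0/24 addresses and the 192.0.2.77 address are made up for this example.
SAMPLE_AUTH_LOG = """\
Feb 20 03:14:07 vmanage sshd[2231]: Accepted publickey for vmanage-admin from 10.10.1.5 port 51234 ssh2: RSA SHA256:AAAA
Feb 20 03:14:09 vmanage sshd[2240]: Failed password for invalid user test from 10.10.1.5 port 51236 ssh2
Feb 20 03:22:41 vmanage sshd[2301]: Accepted publickey for vmanage-admin from 192.0.2.77 port 40022 ssh2: RSA SHA256:BBBB
Feb 20 03:30:12 vmanage sshd[2355]: Accepted password for admin from 10.10.1.9 port 50111 ssh2
""".splitlines()

# Constructed: the System IPs as they would be copied from Devices > System IP.
CONFIGURED_SYSTEM_IPS = ["10.10.1.5", "10.10.1.6", "10.10.1.9"]

if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_AUTH_LOG, CONFIGURED_SYSTEM_IPS):
        print(f"{hit.timestamp} {hit.host}: {hit.user} publickey login from unknown IP {hit.source_ip}")
```

The login from 10.10.1.5 is a configured System IP and is not reported, while the login from 192.0.2.77 is flagged for investigation. Because the actor tampered with logs under /var/log, an empty result from this check does not clear a device; correlate it with the vdebug and sw_script_synccdb.log review for downgrade and reboot events that the advisory also recommends.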
To detect potential downgrade or unexpected reboot events, the following log files should be analyzed:
- /var/volatile/log/vdebug
- /var/log/tmplog/vdebug
- /var/volatile/log/sw_script_synccdb.log
Federal Mandates and Regulatory Response
In response to confirmed exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) added both CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch agencies are required to remediate these vulnerabilities within 24 hours.
CISA has also issued Emergency Directive 26-03, titled 'Mitigate Vulnerabilities in Cisco SD-WAN Systems.' The directive mandates federal agencies to inventory all in-scope SD-WAN assets, apply security updates, and assess for indicators of compromise.
Compliance deadlines require agencies to:
- Submit a catalog of all in-scope SD-WAN systems by February 26, 2026, 11:59 p.m. ET.
- Provide a detailed inventory of affected products and remediation actions by March 5, 2026, 11:59 p.m. ET.
- Report all environment hardening measures by March 26, 2026, 11:59 p.m. ET.
These developments underscore the urgent need for proactive patch management, continuous monitoring, and defensive hardening of network edge infrastructure to mitigate advanced persistent threats targeting SD-WAN environments.