A critical zero-day vulnerability in Cisco SD-WAN products has been actively exploited by advanced threat actors since at least 2023. The security flaw, identified as CVE-2026-20127, affects Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). With a CVSS score of 10.0, this vulnerability represents the highest level of severity.
According to Cisco, an attacker can exploit this flaw remotely and without authentication to gain high-privileged access to affected systems. The discovery has raised serious concerns for enterprises, government agencies, and critical infrastructure operators that rely on Cisco SD-WAN technology.
CVE-2026-20127 is an authentication bypass vulnerability. It allows an unauthenticated remote attacker to send a specially crafted request to a vulnerable Cisco SD-WAN system. If successful, the attacker can log in as a high-privileged internal user (non-root) and gain control over key SD-WAN functions.
Cisco explained that the vulnerability stems from a flaw in the peering authentication mechanism, the component that verifies trusted devices within the SD-WAN control plane. Because this check can be bypassed, attackers can impersonate trusted peers.
Once access is gained, attackers can use NETCONF to manipulate network configurations, monitor traffic, or move laterally across the SD-WAN environment.
The vulnerability impacts multiple Cisco SD-WAN deployment models, regardless of device configuration. These include:
On-Premises Deployments
Cisco Hosted SD-WAN Cloud
Cisco Hosted SD-WAN Cloud (Cisco Managed)
Cisco Hosted SD-WAN Cloud – FedRAMP Environment
This wide attack surface makes CVE-2026-20127 especially dangerous, as both private organizations and government environments are affected.
The vulnerability was responsibly disclosed by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC). However, investigations revealed that threat actors had already been exploiting this zero-day flaw for years before it was publicly known.
Cisco is tracking the malicious activity under the name UAT-8616, describing the group as a highly sophisticated cyber threat actor. The attackers reportedly used the vulnerability to create rogue SD-WAN peers that temporarily joined the management and control plane.
These rogue devices appeared legitimate and were able to perform trusted actions inside the network, making detection extremely difficult.
After gaining initial access through CVE-2026-20127, attackers performed several advanced post-compromise actions, including:
Creating fake local user accounts that closely resembled legitimate ones
Adding SSH authorized keys to enable persistent root access
Modifying SD-WAN startup scripts to customize the environment
Using NETCONF (port 830) and SSH to move between SD-WAN devices
Deleting logs, command history, and network records to hide evidence
In some cases, attackers downgraded the device software to a release still affected by CVE-2022-20775, a known Cisco SD-WAN privilege escalation vulnerability, used it to obtain root access, and then restored the system to its original version.
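The account and SSH-key persistence listed above leaves host artifacts that can be checked directly. The following is an added example (not Cisco tooling) that flags look-alike local accounts by edit distance against an operator-maintained baseline, any extra UID 0 account, and root authorized_keys entries whose key blob is not in the baseline. It assumes a Linux-style passwd file and an OpenSSH authorized_keys layout on the device shell; the sample inputs and baselines are constructed for illustration.

```python
"""Triage helpers for look-alike accounts and unexpected root SSH keys.

Added example, not Cisco tooling. Assumes a Linux-style /etc/passwd and an
OpenSSH authorized_keys layout, plus an operator-maintained baseline of
legitimate account names and root key blobs. All sample inputs below are
constructed for illustration.
"""
from typing import Iterable

# Constructed sample passwd: one look-alike of vmanage-admin and one extra UID 0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/vshell
vmanage-admln:x:1001:1001::/home/vmanage-admln:/bin/bash
netadmin:x:1002:1002::/home/netadmin:/bin/vshell
toor:x:0:0::/root:/bin/bash
"""

# Constructed sample root authorized_keys: one known key, one unknown key with a plausible comment.
SAMPLE_ROOT_AUTHORIZED_KEYS = """\
# operator-managed backup key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownBackupKeyBlob backup@ops
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQUnknownKeyBlob sync@vmanage
"""

KNOWN_ACCOUNTS = {"root", "vmanage-admin", "netadmin"}                   # assumed baseline
KNOWN_ROOT_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIKnownBackupKeyBlob"}  # assumed baseline


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches names one or two characters off a real account."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_passwd(text: str) -> list[tuple[str, int]]:
    """Return (username, uid) pairs from passwd-format text, skipping comments."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        entries.append((fields[0], int(fields[2])))
    return entries


def lookalike_accounts(passwd_text: str, known: Iterable[str],
                       max_distance: int = 2) -> list[tuple[str, str]]:
    """Accounts outside the baseline whose name is within max_distance edits of
    a baseline account. Returns (suspect, resembled_account) pairs in file order."""
    known = set(known)
    hits = []
    for name, _uid in parse_passwd(passwd_text):
        if name in known:
            continue
        for legit in sorted(known):
            if levenshtein(name, legit) <= max_distance:
                hits.append((name, legit))
                break
    return hits


def extra_uid0_accounts(passwd_text: str) -> list[str]:
    """Any UID 0 account other than root is a root-equivalent backdoor."""
    return [name for name, uid in parse_passwd(passwd_text) if uid == 0 and name != "root"]


def unexpected_keys(authorized_keys_text: str, known_blobs: Iterable[str]) -> list[str]:
    """Keys whose base64 blob is not in the baseline. Comparing the blob is
    equivalent to comparing fingerprints and ignores the attacker-controlled
    comment field. Returns '<keytype> <comment>' strings."""
    known_blobs = set(known_blobs)
    findings = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Skip any leading option string (e.g. from="10.0.0.0/8") and find the key type.
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        keytype, blob = parts[idx], parts[idx + 1]
        comment = " ".join(parts[idx + 2:]) or "(no comment)"
        if blob not in known_blobs:
            findings.append(f"{keytype} {comment}")
    return findings


if __name__ == "__main__":
    print("look-alike accounts:", lookalike_accounts(SAMPLE_PASSWD, KNOWN_ACCOUNTS))
    print("extra UID 0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    print("unexpected root keys:", unexpected_keys(SAMPLE_ROOT_AUTHORIZED_KEYS, KNOWN_ROOT_KEY_BLOBS))
```

On a real device the baselines should come from a known-good backup or a configuration management record, not from the possibly tampered host itself; an edit distance of 2 is a starting threshold and will need tuning where legitimate account names are short.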
Cisco Talos noted that this activity reflects a growing trend of targeting network edge devices to establish long-term access to high-value environments, including critical infrastructure sectors.
Cisco has released patches and fixed versions to address CVE-2026-20127. Customers are strongly advised to upgrade immediately.
Versions prior to 20.9.1 – Migrate to a fixed release
20.9 → Fixed in 20.9.8.2
20.11 → Fixed in 20.12.6.1
20.12.5 → Fixed in 20.12.5.3
20.12.6 → Fixed in 20.12.6.1
20.13 → Fixed in 20.15.4.2
20.14 → Fixed in 20.15.4.2
20.15 → Fixed in 20.15.4.2
20.16 → Fixed in 20.18.2.1
20.18 → Fixed in 20.18.2.1
Cisco warned that internet-exposed SD-WAN controllers with open ports are at the highest risk of compromise.
Cisco recommends that administrators review the SSH authentication log on affected devices. Specifically, look for entries such as:
Accepted publickey for vmanage-admin
Any login from an unknown or unauthorized IP address should be treated as suspicious. Administrators should compare the source IP addresses in these entries with the System IPs configured in the SD-WAN Manager web UI; a vmanage-admin login from an address that is not a configured System IP warrants investigation.
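The log check described above, as an added example that is not Cisco's own tooling: it parses OpenSSH "Accepted <method> for <user> from <ip> port <port>" lines, keeps only vmanage-admin logins, and flags those whose source address is not in the configured System IP set. The log lines and the System IP set are constructed for illustration; in practice the set is taken from the SD-WAN Manager web UI.

```python
"""Screen SSH authentication logs for vmanage-admin logins from addresses
that are not configured System IPs.

Added example, not Cisco tooling. The log format is the OpenSSH
'Accepted <method> for <user> from <ip> port <port>' message; the sample
lines and the System IP set are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter
from typing import Iterable

ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample log: one expected peer login, two from an unknown address,
# one unrelated admin login, and one failure that must not match.
SAMPLE_AUTH_LOG = """\
Jan 14 03:12:07 vmanage sshd[2211]: Accepted publickey for vmanage-admin from 10.1.1.3 port 41522 ssh2
Jan 14 03:15:40 vmanage sshd[2309]: Accepted publickey for vmanage-admin from 203.0.113.45 port 51004 ssh2
Jan 14 03:16:02 vmanage sshd[2310]: Accepted publickey for vmanage-admin from 203.0.113.45 port 51010 ssh2
Jan 14 04:02:11 vmanage sshd[2450]: Accepted password for admin from 10.1.1.20 port 50011 ssh2
Jan 14 04:05:00 vmanage sshd[2470]: Failed password for invalid user test from 203.0.113.45 port 50022 ssh2
"""

SYSTEM_IPS = {"10.1.1.1", "10.1.1.2", "10.1.1.3"}  # assumed controller System IPs


def _normalize(ip_text: str) -> ipaddress._BaseAddress:
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4 so
    the same peer is not missed because sshd logged it in mapped form."""
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def parse_accepted_logins(log_text: str) -> list[dict]:
    """Return one dict per successful login line: method, user, ip, port, line."""
    logins = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["line"] = line
        logins.append(rec)
    return logins


def suspicious_peer_logins(log_text: str, system_ips: Iterable[str],
                           account: str = "vmanage-admin") -> list[dict]:
    """Logins for `account` whose source address is not a configured System IP."""
    allowed = {_normalize(ip) for ip in system_ips}
    return [
        rec for rec in parse_accepted_logins(log_text)
        if rec["user"] == account and _normalize(rec["ip"]) not in allowed
    ]


def source_summary(findings: list[dict]) -> dict[str, int]:
    """Count flagged logins per source address for quick prioritisation."""
    return dict(Counter(rec["ip"] for rec in findings))


if __name__ == "__main__":
    hits = suspicious_peer_logins(SAMPLE_AUTH_LOG, SYSTEM_IPS)
    for rec in hits:
        print("SUSPICIOUS:", rec["line"])
    print("per source:", source_summary(hits))
```

Run it against the exported log with the real System IP set substituted for SYSTEM_IPS; a non-empty result does not prove compromise on its own, but given the attacker tradecraft described on this page (including log deletion), a clean result on the device should also be cross-checked against any centrally collected syslog.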
The seriousness of the issue prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add both CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) Catalog.
CISA issued Emergency Directive 26-03, requiring U.S. federal agencies to:
Identify all Cisco SD-WAN devices on their networks
Apply security updates immediately
Investigate signs of compromise
To detect software downgrades or unexpected reboots, agencies are advised to review:
/var/volatile/log/vdebug
/var/log/tmplog/vdebug
/var/volatile/log/sw_script_synccdb.log
Agencies must also submit inventories and remediation reports by strict deadlines in early 2026.
CVE-2026-20127 highlights the growing risk posed by zero-day vulnerabilities in network infrastructure devices. Cisco SD-WAN systems, often placed at the edge of enterprise networks, are attractive targets for advanced threat actors seeking stealthy, long-term access.
Organizations using Cisco SD-WAN should treat this vulnerability as urgent, apply patches immediately, and perform thorough forensic reviews. Failure to act could result in full network compromise, data exposure, and long-term persistence by attackers.