Cisco SD-WAN Controller and Manager Authentication Bypass Vulnerability (CVE-2026-20127)
Cisco released a security update to address an actively exploited vulnerability impacting Cisco Catalyst SD-WAN Controller and SD-WAN Manager. Tracked as CVE-2026-20127, successful exploitation of the vulnerability may allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
CISA also acknowledged the active exploitation of the vulnerability and added it to its Known Exploited Vulnerabilities Catalog. CISA urged users to patch the vulnerability before February 27, 2026.
Cisco Catalyst SD-WAN is a cloud-native, software-defined networking solution that creates a secure, automated overlay across diverse network transports (MPLS, internet, 5G) to connect branches, data centers, and clouds. It uses centralized control to manage, secure, and monitor network traffic, enabling better performance, application visibility, and lower operational costs.
Vulnerability Details
The vulnerability stems from the peering authentication mechanism in an affected system failing to work correctly. An attacker may exploit this vulnerability by sending crafted requests to an affected system. Upon successful exploitation, an attacker could log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, enabling them to manipulate network configuration for the SD-WAN fabric.
Indicators of compromise
Cisco recommends that users audit the auth.log file, located at /var/log/auth.log, for "Accepted publickey for vmanage-admin" entries that originate from unknown or unauthorized IP addresses, as shown in the following example:
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from port [REDACTED PORT] ssh2: RSA SHA256:[REDACTED KEY]
Customers must check the IP address in the auth.log file against the configured System IPs listed in the Cisco Catalyst SD-WAN Manager web UI under WebUI > Devices > System IP.
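The audit described above, as an added Python example (not code from Cisco or Qualys): it scans auth.log lines for vmanage-admin public-key logins and flags any source address that is not in the System IP list. The System IP values and all log lines except the advisory's redacted sample are constructed for illustration.

```python
import ipaddress
import re

# sshd "Accepted publickey" lines for vmanage-admin; the source field is
# captured loosely so redacted or missing addresses still produce a match.
ACCEPT_RE = re.compile(
    r"^(?P<ts>.+?)\s+\S+\s+sshd\[\d+\]:\s+Accepted publickey for "
    r"vmanage-admin\s+from\s+(?P<src>.*?)\s*port\s+\S+"
)

# Constructed values: in practice, copy these from the Manager's System IP list.
SYSTEM_IPS = ["10.0.0.11", "10.0.0.12"]

# Constructed log lines, except the third, which is the advisory's redacted sample.
SAMPLE_LOG = [
    "2026-02-11T03:10:02+00:00 vm sshd[901]: Accepted publickey for "
    "vmanage-admin from 10.0.0.11 port 40122 ssh2: RSA SHA256:CONSTRUCTED",
    "2026-02-11T03:14:07+00:00 vm sshd[911]: Accepted publickey for "
    "vmanage-admin from 203.0.113.45 port 51822 ssh2: RSA SHA256:CONSTRUCTED",
    "2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for "
    "vmanage-admin from port [REDACTED PORT] ssh2: RSA SHA256:[REDACTED KEY]",
    "2026-02-11T03:20:00+00:00 vm sshd[950]: Accepted password for "
    "admin from 203.0.113.45 port 51900 ssh2",
]

def audit_auth_log(lines, system_ips):
    """Return (unauthorized, needs_review) as lists of (timestamp, source)."""
    allowed = {ipaddress.ip_address(ip) for ip in system_ips}
    unauthorized, needs_review = [], []
    for line in lines:
        m = ACCEPT_RE.match(line)
        if not m:
            continue  # not a vmanage-admin public-key login
        ts, src = m.group("ts"), m.group("src")
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            # Missing, redacted or hostname source: never assume it is authorized.
            needs_review.append((ts, src))
            continue
        if addr not in allowed:
            unauthorized.append((ts, str(addr)))
    return unauthorized, needs_review

if __name__ == "__main__":
    bad, review = audit_auth_log(SAMPLE_LOG, SYSTEM_IPS)
    for ts, src in bad:
        print(f"UNAUTHORIZED vmanage-admin login at {ts} from {src}")
    for ts, src in review:
        print(f"REVIEW MANUALLY: login at {ts}, source field {src!r}")
```

Rotated copies of auth.log should be run through the same check, since the entries of interest may predate the current file.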
Affected and Patched Versions
The vulnerability affects the following deployment types:
- On-Prem Deployment
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud – Cisco Managed
- Cisco Hosted SD-WAN Cloud – FedRAMP Environment
| Cisco Catalyst SD-WAN Release | First Fixed Release |
| --- | --- |
| Earlier than 20.9 | Migrate to a fixed release |
| 20.9 | 20.9.8.2 (Estimated release February 27, 2026) |
| 20.11 | 20.12.6.1 |
| 20.12.5, 20.12.6 | 20.12.5.3, 20.12.6.1 |
| 20.13 | 20.15.4.2 |
| 20.14 | 20.15.4.2 |
| 20.15 | 20.15.4.2 |
| 20.16 | 20.18.2.1 |
| 20.18 | 20.18.2.1 |
Customers can refer to the Cisco Security Advisory (cisco-sa-sdwan-rpa-EHchtZk) for information about the vulnerability.
Qualys Detection
Qualys customers can scan their devices with QID 317761 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.