CVE-2026-20127

CRITICAL CISA KEV EPSS 99.0%
Published Feb 25, 20264mo ago · Modified Jun 17, 20261w ago
10.0 CVSS 3.1
Critical
Find Similar
Published Feb 25, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago
KEV Listed Feb 25, 2026 4mo ago
KEV Due Feb 27, 2026 123d overdue

Description

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric. 

CVSS Details

Base Score
10.0
Exploitability
3.9
Impact
6.0
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

CISA Known Exploited Overdue 123d
Added
Feb 25, 2026
Due
Feb 27, 2026

Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlines in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

EPSS Exploit Probability
99.0% percentile
Exploit & Patch Status
Actively Exploited (KEV)
No Patch Available

Weaknesses 1

CWE-287 Improper Authentication Authentication

Affected Products 15

VendorProductVersionRange
ciscocatalyst_sd-wan_manager* <20.9.8.2
ciscocatalyst_sd-wan_manager*≥20.11  –  <20.12.5.3
ciscocatalyst_sd-wan_manager*≥20.13  –  <20.15.4.2
ciscocatalyst_sd-wan_manager*≥20.16  –  <20.18.2.1
ciscocatalyst_sd-wan_manager20.12.6any
ciscosd-wan_vbond_orchestrator* <20.9.8.2
ciscosd-wan_vbond_orchestrator*≥20.11  –  <20.12.5.3
ciscosd-wan_vbond_orchestrator*≥20.13  –  <20.15.4.2
ciscosd-wan_vbond_orchestrator*≥20.16  –  <20.18.2.1
ciscosd-wan_vbond_orchestrator20.12.6any
ciscosd-wan_vsmart_controller* <20.9.8.2
ciscosd-wan_vsmart_controller*≥20.11  –  <20.12.5.3
ciscosd-wan_vsmart_controller*≥20.13  –  <20.15.4.2
ciscosd-wan_vsmart_controller*≥20.16  –  <20.18.2.1
ciscosd-wan_vsmart_controller20.12.6any

References 2

  • sec.cloudapps.cisco.com https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
    Vendor Advisory
  • cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20127
    US Government Resource

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.