- February 25, 2026
Critical Vulnerability in Cisco SD-WAN Systems Under Active Exploitation (CVE-2026-20127)
On February 25th, Cisco disclosed a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager systems. The flaw allows an unauthenticated attacker with network access to the SD-WAN peering service to bypass authentication and establish unauthorized control-plane connections. According to Cisco, this vulnerability has been exploited in the wild by a sophisticated threat actor, with evidence of exploitation dating back to 2023.
Executive Summary
On February 25th, Cisco disclosed a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager systems. The flaw allows an unauthenticated attacker with network access to the SD-WAN peering service to bypass authentication and establish unauthorized control-plane connections.
Successful exploitation enables an attacker to provision a rogue peer into the SD-WAN fabric and may allow the attacker to obtain elevated access to the affected controller. Cisco Talos has confirmed active exploitation of this vulnerability by a sophisticated threat actor, with evidence of malicious activity dating back to 2023. The vulnerability, now tracked as CVE-2026-20127, was confirmed as a zero-day following investigations in late 2025.
Given confirmed active exploitation and public disclosure, Beazley Security believes that additional threat actors will begin to weaponize this flaw. Organizations operating Cisco Catalyst SD-WAN systems, especially those with externally accessible peering services, should review systems for signs of compromise and patch immediately.
Affected Systems or Products
| Product | Affected Versions | Fixed Versions | Availability |
|---|---|---|---|
| Cisco Catalyst SD-WAN Release | 20.9 | 20.9.8.2 | February 27, 2026 (estimated) |
| Cisco Catalyst SD-WAN Release | 20.12.5 | 20.12.5.3 | Available now |
| Cisco Catalyst SD-WAN Release | 20.12.6 | 20.12.6.1 | Available now |
| Cisco Catalyst SD-WAN Release | 20.15 | 20.15.4.2 | Available now |
| Cisco Catalyst SD-WAN Release | 20.18 | 20.18.2.1 | Available now |
According to Cisco’s official advisory, organizations running versions earlier than 20.9, or versions 20.11, 20.13, 20.14, and 20.16 (which have reached End of Software Maintenance) should migrate to a supported fixed release immediately.
Mitigations / Workarounds
Cisco has released software updates addressing CVE-2026-20127. Applying the vendor-provided patches to affected Cisco SD-WAN Controller and Manager systems is the recommended course of action to reduce risk.
Beyond patching, organizations should consider reviewing Cisco’s SD-WAN hardening guide, including steps to:
- Inventory and audit expected peer networks within the SD-WAN infrastructure.
- Reduce internet exposure by locking SD-WAN controller peering services down to known and authorized peer networks.
- Restrict access to SD-WAN controller and management planes to a dedicated administrative network.
Affected organizations that are unable to patch immediately should ensure strict network access controls are in place around SD-WAN controllers and related peering services, and should check audit logs for any signs of compromise.
Patches
At the time of writing, Cisco has released fixes for all supported versions of its Catalyst SD-WAN solution except for 20.9, for which a fix is estimated to be released February 27, 2026. Please see the Affected Systems or Products section above in this report for additional information.
Cisco’s original advisory provides this guidance document for obtaining software fixes and the vendor also hosts a software download center requiring login.
Alternatively, customers can contact Cisco’s Technical Assistance Center (TAC) to request additional software upgrade support.
Indicators of Compromise
A detailed Cisco SD-WAN threat hunting guide has been compiled by multiple agencies which includes post-exploitation activity and can be found here.
Cisco Talos has also provided validation checks that can be performed against SD-WAN logging:
- Peer-type mismatches for your environment, especially vManage peer types where they are not expected, as in the example log entry below:
```
Feb 20 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 public-ip:<unexpected IP> public-port:12345 domain-id:1 site-id:1005
```
- Peering connections from unexpected or unrecognized IP addresses
- Peering connections established outside of the expected windows for your environment
- Logs showing indicators of CVE-2022-20775 exploitation, i.e. username path traversal strings (e.g. /../../or/\n&../\n&../)
- Unexpected reboots, and upgraded versions reverting to previous software versions
- Evidence of log and history clearing
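As an added example (not part of the Beazley Security report or the Cisco Talos guidance), the following Python script applies the log checks above to vdaemon control-connection-state-change lines and screens login usernames for the path traversal strings: the baseline of expected peer types, expected public IPs and change window is assumed for illustration, and the sample log lines are constructed.

```python
import re
from datetime import datetime

# Pattern for the vdaemon control-connection-state-change message quoted above.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) VDAEMON_\d+\[\d+\]: .*"
    r"control-connection-state-change new-state:(?P<state>\S+) peer-type:(?P<ptype>\S+) "
    r"peer-system-ip:(?P<sysip>\S+) public-ip:(?P<pubip>\S+) public-port:(?P<port>\d+) "
    r"domain-id:(?P<domain>\d+) site-id:(?P<site>\d+)"
)
TRAVERSAL_RE = re.compile(r"\.\./|\\n&")  # traversal / newline-injection strings (CVE-2022-20775 indicator)

EXPECTED_PEER_TYPES = {"vedge", "vbond"}   # assumed baseline: this vSmart should not see vmanage peers
EXPECTED_PUBLIC_IPS = {"203.0.113.10", "203.0.113.11"}   # assumed inventory of authorized peer IPs
CHANGE_WINDOW = (1, 5)                     # assumed hours of day in which control-connection churn is expected

def check_control_connection(line, peer_types=EXPECTED_PEER_TYPES,
                             public_ips=EXPECTED_PUBLIC_IPS, window=CHANGE_WINDOW):
    """Return a list of findings for one vdaemon line; an empty list means nothing unusual."""
    m = LOG_RE.match(line)
    if not m:
        return []                          # not a control-connection message
    findings = []
    if m["ptype"] not in peer_types:
        findings.append(f"unexpected peer-type {m['ptype']} (system-ip {m['sysip']})")
    if m["pubip"] not in public_ips:
        findings.append(f"peer from unrecognized public-ip {m['pubip']}")
    hour = datetime.strptime(m["ts"], "%b %d %H:%M:%S").hour
    if m["state"] == "up" and not (window[0] <= hour < window[1]):
        findings.append(f"control connection came up at {m['ts']}, outside the change window")
    return findings

def username_has_traversal(username):
    """True if a login username carries path traversal / newline-injection strings."""
    return bool(TRAVERSAL_RE.search(username))

def scan(lines):
    """Run the control-connection checks over a log; returns [(line_number, finding), ...]."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in check_control_connection(line)]

# Constructed sample log: one suspicious vManage-type peer, one expected vEdge peer.
SAMPLE_LOG = [
    "Feb 20 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: "
    "control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 "
    "public-ip:198.51.100.7 public-port:12345 domain-id:1 site-id:1005",
    "Feb 21 02:15:00 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: "
    "control-connection-state-change new-state:up peer-type:vedge peer-system-ip:1.1.1.20 "
    "public-ip:203.0.113.10 public-port:12346 domain-id:1 site-id:100",
]
```

Running `scan(SAMPLE_LOG)` flags the first line three times (peer type, source IP, time of day) and the second not at all; feed it real vdaemon output and your own baseline sets to triage a controller.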
Technical Details
CVE-2026-20127 is reported as a critical vulnerability within the peering authentication flow of Cisco Catalyst SD-WAN components, affecting the control connection peering mechanism that establishes trust relationships between SD-WAN components.
The flaw allows an unauthenticated attacker to establish rogue peer connections originating from attacker-controlled infrastructure. If successfully exploited, the rogue peer is given an IP address within the SD-WAN network, allowing a threat actor access to the SD-WAN management and control plane. With adequate privileges on the SD-WAN controller, an attacker can further leverage NETCONF to manipulate and alter configurations within the SD-WAN network.
Cisco Talos has reported that CVE-2026-20127 was observed being abused in combination with CVE-2022-20775, an older local privilege escalation vulnerability affecting Cisco SD-WAN software. The threat actor, tracked as UAT-8616, reportedly performed a software downgrade to a vulnerable version, exploited CVE-2022-20775 via the CLI to obtain root access, and then restored the original version to persist root access.
In response to active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 26-03 requiring impacted agencies to apply Cisco-provided updates by February 27th, 2026.
Beazley Security recommends that affected organizations check for signs of compromise, and upgrade to fixed versions of SD-WAN Controller or SD-WAN Manager software immediately.
This Cisco SD-WAN hardening guide can also be referenced for configuring SD-WAN fabric and implementations to best practices.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients. If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.