Cisco has confirmed a critical vulnerability, CVE‑2026‑20127, in its Catalyst SD‑WAN product line. The flaw, rated with a CVSS score of 10.0, stems from an improper authentication mechanism in the peering authentication process. By sending specially crafted requests, an unauthenticated remote attacker can bypass authentication and gain administrative privileges, enabling full control over the device’s configuration and traffic routing.
The vulnerability has been actively exploited since at least 2023. Threat actors, identified by Cisco Talos as UAT‑8616, have used CVE‑2026‑20127 to insert rogue peers and establish long‑term persistence. In many cases, attackers subsequently leveraged a related flaw, CVE‑2022‑20775, to elevate privileges to root, often through a software downgrade and restoration cycle. This two‑step attack chain allows attackers to maintain hidden, high‑privilege access within victim networks, posing a significant espionage and data‑theft risk to large enterprises and critical infrastructure.
Affected deployments include on‑premises Catalyst SD‑WAN controllers and managers, as well as Cisco‑Hosted SD‑WAN Cloud environments (including Managed and FedRAMP). The flaw impacts all software releases prior to 20.9 and specific versions within the 20.9, 20.11, 20.12, 20.13, 20.14, 20.15, 20.16, and 20.18 release trains. Cisco’s advisories list the exact patch versions that remediate the issue; releases 20.18 and later are generally not affected by the related CVE‑2022‑20775 vulnerability.
On February 26, 2026, the U.S. Cybersecurity and Infrastructure Security Agency issued Emergency Directive 26‑03, mandating that all civilian federal agencies inventory their Cisco Catalyst SD‑WAN systems, apply the available patches, and assess for compromise by 5:00 PM ET on February 27, 2026. The directive’s deadline aligns with the vulnerability’s exploitation window and underscores the urgency of remediation across federal networks.
The discovery of CVE‑2026‑20127 highlights the growing sophistication of state‑aligned threat actors targeting critical network infrastructure. Enterprises that rely on Cisco SD‑WAN must prioritize patching, conduct thorough inventory checks, and monitor authentication logs for anomalous “Accepted publickey for vmanage‑admin” entries from unknown IP addresses. Failure to act promptly could expose sensitive data and disrupt mission‑critical services, especially in sectors such as energy, finance, and government.
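The log check mentioned above can be scripted so it runs the same way on every controller. The following Python example is added here and is not code from Cisco or from the original article; it assumes the controller's auth log uses OpenSSH-style `sshd` lines (the `Accepted publickey for <user> from <ip> port <port>` form), and the sample log lines and the allow-list of known management ranges are constructed for illustration.

```python
import ipaddress
import re
from typing import Iterable, List, Dict

# Constructed sample auth-log lines in OpenSSH sshd format. These are not real
# captured logs; addresses come from documentation/RFC 5737 ranges.
SAMPLE_LOG = """\
Feb 25 02:14:07 vmanage sshd[4121]: Accepted publickey for vmanage-admin from 10.10.5.20 port 51822 ssh2: RSA SHA256:aaaa
Feb 25 02:15:33 vmanage sshd[4130]: Accepted publickey for vmanage-admin from 198.51.100.77 port 40112 ssh2: RSA SHA256:bbbb
Feb 25 02:16:01 vmanage sshd[4135]: Accepted password for netops from 10.10.5.21 port 51900 ssh2
Feb 25 02:17:45 vmanage sshd[4140]: Failed publickey for vmanage-admin from 203.0.113.9 port 33001 ssh2: RSA SHA256:cccc
Feb 25 02:18:10 vmanage sshd[4142]: Accepted publickey for vmanage-admin from 10.10.5.20 port 51901 ssh2: RSA SHA256:aaaa
"""

# Assumption: the address ranges from which legitimate controller-to-controller
# or management logins are expected in this deployment. Replace with your own.
KNOWN_PEER_NETS = [ipaddress.ip_network("10.10.5.0/24")]

# Matches only successful public-key logins; failures and password logins are
# deliberately ignored because the indicator in the text is the accepted login.
LINE_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_accepted_publickey(lines: Iterable[str]) -> List[Dict]:
    """Extract user, source IP and port from every accepted-publickey line."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append(
            {"user": m["user"], "ip": m["ip"], "port": int(m["port"]), "raw": line.strip()}
        )
    return events


def is_known_source(ip: str, nets=KNOWN_PEER_NETS) -> bool:
    """True if ip falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Unparseable source (hostname, garbage) is treated as unknown so it is surfaced.
        return False
    return any(addr in n for n in nets)


def find_suspicious_logins(log_text: str, user: str = "vmanage-admin", nets=KNOWN_PEER_NETS) -> List[Dict]:
    """Return accepted-publickey logins for `user` that came from outside `nets`."""
    events = [e for e in parse_accepted_publickey(log_text.splitlines()) if e["user"] == user]
    return [e for e in events if not is_known_source(e["ip"], nets)]


def summarize_by_source(events: List[Dict]) -> Dict[str, int]:
    """Count flagged logins per source IP, useful for triage and for alert deduplication."""
    counts: Dict[str, int] = {}
    for e in events:
        counts[e["ip"]] = counts.get(e["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_suspicious_logins(SAMPLE_LOG)
    for ip, n in summarize_by_source(flagged).items():
        print(f"{ip}: {n} accepted vmanage-admin login(s) from outside known ranges")
    for e in flagged:
        print("  ", e["raw"])
```

Run it against an exported auth log (for example `python check_vmanage_logins.py < auth.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and every allow-listed range should be one you can justify; an accepted key login for the service account from any other address is the indicator the advisory tells operators to look for and warrants a compromise assessment rather than a simple patch.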