Cybersecurity Threat Advisory: Zero-day Cisco Catalyst SD-WAN flaw

A critical authentication‑bypass flaw in Cisco Catalyst SD‑WAN, tracked as CVE‑2026‑20127, is being actively exploited as a zero‑day. The vulnerability allows remote attackers to compromise controllers and introduce malicious rogue peers into targeted networks. Review the Cybersecurity Threat Advisory now to help protect your systems from this high‑severity vulnerability.

What is the threat?

The vulnerability in Cisco Catalyst SD‑WAN Controller and Cisco Catalyst SD‑WAN Manager enables an unauthenticated, remote attacker to gain administrative access to affected systems. Both products are core components of Cisco’s software‑defined wide‑area networking (SD‑WAN) architecture. The flaw carries a CVSS score of 10.0, the maximum possible severity.

Why is it noteworthy?

A defect in the peering authentication process of Cisco Catalyst SD‑WAN Controller (formerly vSmart) and Cisco Catalyst SD‑WAN Manager (formerly vManage) allows remote attackers to bypass authentication and obtain high‑privilege access. The issue stems from a flaw in that authentication mechanism and is triggered by specially crafted requests sent to a vulnerable system. Successful exploitation lets an attacker log in as an internal, high‑privileged (but non‑root) account and use NETCONF to alter the SD‑WAN fabric configuration. Because the attacker operates through an internal account over ordinary NETCONF management traffic, the activity does not resemble a conventional credential compromise; configuration changes and peer additions that nobody on the operations team made are the signal to look for.

What is the exposure or risk?

The risk posed by CVE‑2026‑20127 is severe. An unauthenticated attacker can gain high‑privilege control of Cisco Catalyst SD‑WAN Controller and Manager, which allows them to alter configurations, add rogue peers, and manipulate routing across branches and data centers. The result can be traffic interception, redirection, or disruption, leading to data theft, man‑in‑the‑middle attacks, and widespread outages. Because these components sit at the core of SD‑WAN operations, compromising a single controller or manager can cascade across every connected location and open deep lateral‑movement paths into the network.

What are the recommendations?

Barracuda strongly recommends taking the following actions:

  • Upgrade Cisco Catalyst SD‑WAN Controller and Manager to the fixed versions provided by Cisco, and confirm the running release against Cisco’s fixed‑version list before treating a system as patched.
  • Ensure these systems are not exposed directly to the internet.
  • Place management interfaces behind a VPN, jump host, or dedicated management network accessible only from trusted admin subnets.
  • Use firewalls or ACLs to restrict access to specific management IPs.
  • Enforce multi‑factor authentication (MFA) for all administrative access when possible.
  • Apply role‑based access control (RBAC) and minimize the number of high‑privileged accounts.
  • Regularly review and remove unused or stale administrative accounts.
  • Isolate SD‑WAN control and management planes from general user and server networks.
  • Limit lateral movement paths into SD‑WAN controllers and managers.
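The firewall and ACL recommendations above are easy to state and easy to get wrong in practice, because a single over‑broad allow rule (typically a legacy "any" rule) silently undoes the trusted‑subnet restriction. The following Python script is an added example, not Barracuda’s or Cisco’s tooling: it audits a constructed list of allow/deny rules and reports every allow rule that lets a source outside the trusted admin subnets reach a management port on a Manager or Controller host. The management port numbers (22 for SSH, 443 for the Manager HTTPS UI/API, 830 for NETCONF over SSH), the host addresses, the admin subnet and the rules are all assumptions made for the demonstration; substitute your own exported rule set.

```python
"""Audit ACL / firewall rules in front of SD-WAN management interfaces.

Added example, not Barracuda's or Cisco's code. Management port numbers and
every address below are assumptions constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Assumed management services on Catalyst SD-WAN Manager / Controller hosts:
# 22 = SSH, 443 = Manager HTTPS UI/API, 830 = NETCONF over SSH. These are the
# conventional port numbers, not values taken from the advisory.
MGMT_PORTS = {22: "ssh", 443: "https", 830: "netconf"}


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination TCP port; None means any port


def _net(cidr):
    return cidr if isinstance(cidr, (ipaddress.IPv4Network, ipaddress.IPv6Network)) \
        else ipaddress.ip_network(cidr, strict=False)


def untrusted_sources(src, trusted):
    """Return the parts of `src` that lie outside every network in `trusted`.

    A 0.0.0.0/0 source is not made safe by the existence of a trusted admin
    subnet; the trusted ranges are carved out so the finding names exactly
    what remains exposed. CIDR blocks either nest or are disjoint, so only
    those two cases need handling.
    """
    remaining = [_net(src)]
    for t in (_net(x) for x in trusted):
        nxt = []
        for r in remaining:
            if r.version != t.version or not r.overlaps(t):
                nxt.append(r)                        # disjoint: nothing to carve
            elif r.subnet_of(t):
                continue                             # fully inside a trusted range
            else:
                nxt.extend(r.address_exclude(t))     # t nests inside r: carve it out
        remaining = nxt
    return remaining


def audit_rules(rules, mgmt_hosts, trusted_subnets):
    """Return findings for allow rules that expose a management port on a
    management host to any source outside the trusted admin subnets.

    Only explicit allow rules create exposure. Rule ordering and shadowing
    are deliberately ignored so an over-broad allow is reported even when a
    deny happens to precede it; that is the rule you want to delete anyway.
    """
    mgmt = [_net(h) for h in mgmt_hosts]
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if rule.dport is not None and rule.dport not in MGMT_PORTS:
            continue                                 # not a management service
        dst = _net(rule.dst)
        hit = [h for h in mgmt if dst.overlaps(h)]
        if not hit:
            continue                                 # does not reach a mgmt host
        exposed = untrusted_sources(rule.src, trusted_subnets)
        if not exposed:
            continue                                 # source entirely trusted
        findings.append({
            "rule": rule.name,
            "service": "any" if rule.dport is None else MGMT_PORTS[rule.dport],
            "hosts": [str(h) for h in hit],
            "untrusted_sources": [str(n) for n in exposed],
        })
    return findings


# Constructed sample data (assumed addresses, not real deployments).
SAMPLE_MGMT_HOSTS = ["10.50.1.10/32", "10.50.1.11/32"]   # Manager, Controller
SAMPLE_TRUSTED = ["10.10.0.0/24"]                        # admin jump subnet
SAMPLE_RULES = [
    Rule("admin-jump-to-mgmt", "allow", "10.10.0.0/24", "10.50.1.0/24", 443),
    Rule("legacy-any-https",   "allow", "0.0.0.0/0",    "10.50.1.10/32", 443),
    Rule("partner-netconf",    "allow", "192.0.2.0/24", "10.50.1.0/24", 830),
    Rule("snmp-poller",        "allow", "10.20.0.5/32", "10.50.1.0/24", 161),
    Rule("deny-all",           "deny",  "0.0.0.0/0",    "0.0.0.0/0",   None),
]


def main():
    findings = audit_rules(SAMPLE_RULES, SAMPLE_MGMT_HOSTS, SAMPLE_TRUSTED)
    for f in findings:
        print(f"[EXPOSED] rule={f['rule']} service={f['service']} "
              f"hosts={','.join(f['hosts'])} from={','.join(f['untrusted_sources'])}")
    if not findings:
        print("No management-plane exposure found.")


if __name__ == "__main__":
    main()
```

On the sample data the audit flags `legacy-any-https` (the whole Internet minus the admin /24 can reach the Manager's HTTPS port) and `partner-netconf` (a partner range can open NETCONF to both hosts), and ignores the SNMP poller because port 161 is not a management service in the assumed list. This is a static lint of intent, not proof of reachability: pair it with an actual connectivity test from an untrusted vantage point, and remember that a rule set reviewed today can be silently widened tomorrow, so run it from a pipeline on every rule change.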

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
