🚨 CRITICAL ALERT: Active Zero-Day Exploits
CVE-2026-20127 is a CVSS 10.0 authentication-bypass vulnerability in Cisco Catalyst SD-WAN Controller, Manager, and Validator that allows an unauthenticated remote attacker to bypass peering authentication, gain administrative access, and manipulate SD-WAN fabric configuration through NETCONF. Cisco Talos reports active exploitation, and CISA has listed the issue in KEV, making this an immediate enterprise priority.[5][7][8]
Critical Vulnerabilities (CVSS >= 8.0)
- CVE-2026-20127 (CVSS: 10.0): A vulnerability in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller, Cisco Catalyst SD-WAN Manager, and Cisco Catalyst SD-WAN Validator can let an unauthenticated, remote attacker bypass authentication and obtain administrative privileges on an affected system. An attacker can send crafted requests, log in as an internal high-privileged non-root user account, access NETCONF, and alter SD-WAN fabric configuration. This issue is actively exploited and is included in CISA KEV.
⚡ Immediate Actions Required
Patch immediately to the vendor-fixed release for every affected Cisco Catalyst SD-WAN Controller, Manager, and Validator instance, including on-premises and hosted deployments. Cisco states there is no complete workaround, so mitigation depends on upgrading to a fixed version as soon as possible.[3][4][7]
Hunt for compromise now: review SD-WAN logs for unexpected peering control connections, especially vManage-related peering events, and validate timestamps, source IPs, peer types, and change windows against approved activity. Treat any unapproved peering event as a potential initial-access attempt.[5]
Prioritize containment if compromise is suspected: isolate affected management interfaces, rotate credentials and secrets used for SD-WAN administration, and verify NETCONF access paths and configuration integrity across the fabric. Monitor for malicious user account creation, unusual root activity, and evidence of post-exploitation persistence.[5]
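The hunting step above (peering control connections checked against approved peer sources and change windows) is illustrated here with an added example; this is not Cisco's tooling, and the log line layout, peer IPs, user names and change window are constructed for the demonstration rather than taken from any real SD-WAN syslog format.

```python
import re
from datetime import datetime, timezone

# Constructed, simplified log layout for illustration only (not Cisco's real syslog format).
# One peering control-connection event per line.
SAMPLE_LOGS = """\
2026-01-15T02:10:07Z peer_type=vmanage src=10.20.0.5 event=connect user=admin
2026-01-15T03:42:51Z peer_type=vsmart src=10.20.0.7 event=connect user=admin
2026-01-15T11:03:19Z peer_type=vmanage src=198.51.100.23 event=connect user=vmanage-admin
2026-01-15T23:58:44Z peer_type=vmanage src=10.20.0.5 event=connect user=admin
"""

# Assumed allowlist of peer IPs per peer type and one approved change window (UTC).
APPROVED_PEERS = {"vmanage": {"10.20.0.5"}, "vsmart": {"10.20.0.7"}}
CHANGE_WINDOWS = [
    (datetime(2026, 1, 15, 2, 0, tzinfo=timezone.utc),
     datetime(2026, 1, 15, 4, 0, tzinfo=timezone.utc)),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) peer_type=(?P<peer>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>\S+) user=(?P<user>\S+)$"
)

def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def flag_peering_events(log_text, approved_peers, change_windows):
    """Return (line, reasons) for connect events whose source is not approved for
    that peer type, or whose timestamp falls outside every approved change window."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "connect":
            continue
        reasons = []
        if rec["src"] not in approved_peers.get(rec["peer"], set()):
            reasons.append("unapproved source for peer type")
        if not any(start <= rec["ts"] <= end for start, end in change_windows):
            reasons.append("outside approved change window")
        if reasons:
            findings.append((line.strip(), reasons))
    return findings

def run_hunt():
    """Run the check over the constructed sample; each finding warrants manual review."""
    return flag_peering_events(SAMPLE_LOGS, APPROVED_PEERS, CHANGE_WINDOWS)
```

Any flagged line is a lead for the containment step, not a verdict; confirm it against change records before isolating interfaces or rotating credentials.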