CVE-2026-20127 is a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager components. The vulnerability carries a CVSS score of 10, reflecting that no privileges or user interaction are required, meaning exploitation of a single component can impact the broader SD-WAN fabric. Cisco has confirmed active exploitation in the wild, and the vulnerability has been added to the Known Exploited Vulnerabilities catalog following coordinated Five Eyes guidance.

Public reporting indicates exploitation activity dating back to at least 2023. Observed campaigns combined this zero-day with CVE-2022-20775, a previously patched CLI privilege escalation flaw, to achieve root-level persistence. The exploitation chain combines this zero-day with an older privilege escalation flaw (CVE-2022-20775, CVSS 7.8) to achieve full root-level persistent access to SD-WAN control plane infrastructure. The exploitation chain demonstrates a structured and deliberate approach to infrastructure compromise rather than opportunistic scanning.

Because SD-WAN controllers distribute routing and policy decisions across enterprise WAN overlays, compromise at this layer creates network-wide risk. Organizations operating Cisco Catalyst SD-WAN environments should treat this as a high-priority remediation event.

Technical overview

• Vulnerability: Improper authentication in the Cisco Catalyst SD-WAN peering authentication mechanism allowing crafted requests to bypass trust validation
• CVE: CVE-2026-20127
• Vulnerability profile: CWE-287 Improper Authentication; CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
• Impact: Remote unauthenticated administrative access enabling control-plane manipulation and potential fabric-wide compromise
• Affected versions: Cisco Catalyst SD-WAN Controller and Manager releases prior to 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, and 20.18.2.1
• Affected deployments: On-premises deployments, Cisco Hosted SD-WAN Cloud, Cisco Managed Cloud, and FedRAMP environments. Note: Mitigations for cloud-hosted and FedRAMP deployments are already in place
• Snort SIDs: 65938, 65958
• Severity: CVSS 10.0 Critical
• Fix: Upgrade to vendor-specified fixed releases; no complete workaround exists

Timeline

• 2023: Exploitation activity observed in the wild by international partners
• February 25, 2026: Public disclosure of CVE-2026-20127 and coordinated advisory publication
• February 25, 2026: CISA adds the vulnerability to the Known Exploited Vulnerabilities catalog and issues joint guidance
• February 27, 2026: Emergency remediation deadline issued for federal agencies
• February 25-27 2026: Fixed software releases published for affected trains

Exposure risk

Cisco Catalyst SD-WAN Controllers and Managers sit at the center of the overlay control plane, establishing trust relationships between vSmart controllers, vManage managers, vBond validators, and edge routers. These systems exchange routing and policy information over SSH on port 22 and NETCONF on port 830.

In properly segmented environments, these interfaces are not directly internet facing. However, exposure frequently occurs through operational convenience, temporary migration states, hybrid cloud connectivity, or misconfigured firewall policies. Any environment where control-plane ports are reachable from untrusted networks is directly exploitable.

Because authentication is not required, exploitation depends entirely on network reachability. Internal segmentation does not mitigate risk if an attacker has already gained foothold access to the management plane.

Note: Mitigations for cloud-hosted and FedRAMP deployments are already in place. For environments with multiple SD-WAN deployments, investigations of cloud deployment should be deprioritized.

Impact assessment

Compromise of an SD-WAN controller is materially different from compromise of an endpoint. Controllers govern routing policy, segmentation rules, security policy distribution, and device enrollment. An attacker with administrative access can:

• Modify routing across all connected branch sites
• Redirect or mirror traffic
• Inject or alter security policies
• Introduce rogue control-plane peers
• Stage firmware changes across distributed infrastructure

The CVSS scope change classification reflects this architecture reality. The impact extends beyond the vulnerable node into the entire WAN fabric.

Forensic challenges

Observed campaigns included deliberate log deletion under /var/log, removal of command history, and restoration of downgraded firmware to obscure exploitation artifacts. Because attackers used legitimate management protocols such as NETCONF and SSH, malicious activity may appear as standard administrative behavior.

Organizations that do not forward SD-WAN logs to external systems may have limited forensic visibility. Unexpected version changes, unusually small log files, or missing control-connection events should be treated as potential indicators of compromise.

Exploitability analysis

CISA and international partners have confirmed ongoing global exploitation of CVE-2026-20127. Exploitation was observed prior to public disclosure and appears to have been conducted by a structured threat actor designated UAT-8616 in public reporting.

No public proof-of-concept exploit has been released. However, authentication bypass vulnerabilities in network-reachable management components are typically low complexity to weaponize once patch diffs are analyzed.

The initial access vector appears technically straightforward. However, the full exploitation chain demonstrates advanced operational planning. Automation likelihood is high for exposed systems during the initial bypass stage. The chained exploitation and downgrade technique suggest a targeted rather than indiscriminate campaign.

Threat landscape context

This incident reflects a broader trend of targeting network infrastructure as a persistence layer. Controllers, VPN concentrators, and SD-WAN management platforms represent durable access points with privileged visibility into enterprise traffic flows.

The downgrade-exploit-restore sequence observed in this campaign demonstrates a method designed to evade traditional patch-based detection assumptions. By restoring the original software version after root escalation, attackers reduce visible evidence of exploitation.

Use of legitimate management protocols further complicates detection. Traffic over NETCONF and SSH is expected behavior within SD-WAN environments, making anomaly-based detection critical.

Technical breakdown

Technical root cause

The vulnerability resides in the SD-WAN peering authentication mechanism responsible for validating trust relationships between control-plane components. The mechanism failed to enforce strict authentication validation for certain crafted requests, allowing an attacker to impersonate a legitimate peer without valid credentials or enrollment artifacts.

This is a failure at a trust boundary. The peering mechanism exists specifically to prevent unauthorized control-plane membership. Improper enforcement collapses that boundary.

if request.is_peering_request():
    process_request(request)
else:
    if authenticate(request):
        process_request(request)

‍

In this pattern, certain request paths reach privileged processing without mandatory authentication enforcement.

Corrected logic enforces authentication globally:

if not authenticate(request):
    return error("unauthorized")

process_request(request)

‍

Observed attack chain of UAT-8616

Public reporting describes a multi-stage exploitation sequence:

1. Authentication bypass via CVE-2026-20127
   Crafted peering requests grant access as a high-privileged internal user.
2. Rogue peer injection
   The attacker adds a malicious control-plane peer to the SD-WAN fabric.
3. Software downgrade
   Using legitimate update mechanisms, the actor downgrades firmware to a version vulnerable to CVE-2022-20775.
4. Root escalation
   Exploitation of the CLI path traversal flaw enables arbitrary command execution as root.
5. Version restoration and persistence
   The system is restored to the original version. SSH keys are added, accounts created, and startup scripts modified to ensure continued access.
6. Log tampering and evasion
   Authentication logs and history files are purged to obscure activity.
7. Lateral movement
   Compromised controllers are used as pivot points into broader network segments.

This chain demonstrates layered exploitation, operational awareness of detection controls, and deep familiarity with SD-WAN internals.

Role of CVE-2022-20775

While this vulnerability was patched in 2022, UAT-8616's attack chain deliberately circumvents this by downgrading the SD-WAN software to a version where the patch is not present. The attacker uses the administrative access gained via CVE-2026-20127 to trigger a software version rollback through the legitimate update mechanism, exploits CVE-2022-20775 to escalate to root, and then restores the original (patched) version. This approach is notable for its operational security, the final state of the device shows a patched software version, masking the fact that exploitation occurred during a transient downgrade window.

Detection queries

The following examples illustrate detection approaches. Queries should be adapted to local logging formats.

Detect new control-plane peering events:

index=network sourcetype=cisco:sdwan "control-connection-state-change" "new-state:up" "peer-type:vmanage"
| rex field=_raw "peer-system-ip:(?<peer_system_ip>\S+)"
| rex field=_raw "public-ip:(?<public_ip>\S+)"
| where NOT cidrmatch("10.0.0.0/8", public_ip)
  AND NOT cidrmatch("172.16.0.0/12", public_ip)
  AND NOT cidrmatch("192.168.0.0/16", public_ip)
| table _time, host, peer_system_ip, public_ip

‍

Detect suspicious public key authentication:

index=network sourcetype=cisco:sdwan "Accepted publickey for vmanage-admin"
| rex field=_raw "from (?<src_ip>\S+) port"
| lookup known_sdwan_ips ip AS src_ip OUTPUT is_known
| where isnull(is_known) OR is_known!="true"
| table _time, host, src_ip

‍

Detect downgrade artifacts:

index=network sourcetype=cisco:sdwan
("Software upgrade not confirmed"
 OR "revert to previous software version"
 OR "Waiting for upgrade confirmation from user")
| table _time, host, _raw

‍

Investigate CLI path traversal indicators related to CVE-2022-20775:

index=network sourcetype=cisco:sdwan ("/../../" OR "/\n&../\n&../")
| table _time, host, _raw

‍

Detect unexpected version changes:

index=network sourcetype=cisco:sdwan "version"
| stats latest(version) as current_version by host

‍

Recommended actions

Organizations should treat SD-WAN control components as critical infrastructure assets. The response posture should prioritize patching, artifact preservation, exposure reduction, and compromise assessment.

Immediate actions

• Inventory all SD-WAN controllers and managers
• Capture forensic artifacts before patching
• Restrict port 22 and 830 exposure to trusted IP ranges
• Upgrade to fixed software releases:
  
  • Releases prior to 20.9: Migrate to a supported fixed release
  • 20.9: Upgrade to 20.9.8.2
  • 20.12.5/20.12.6: Upgrade to 20.12.5.3 or 20.12.6.1
  • 20.15: Upgrade to 20.15.4.2
  • 20.18: Upgrade to 20.18.2.1
  • Releases 20.11, 20.13, 20.14, 20.16 have reached end-of-maintenance; migrate to a supported release.

Short term actions

• Review authentication and control-connection logs for anomalies
• Investigate unexpected version changes or reboot events
• Audit peer configurations for unauthorized additions
• Inspect SSH authorized keys and local accounts

Long term actions

• Enforce strict management plane segmentation
• Deploy firewall allowlists limiting controller communication
• Forward logs to an external SIEM with retention controls
• Monitor for configuration drift and version changes

If compromise confirmed

• Rebuild affected controllers from clean, patched images
• Do not attempt in-place remediation of root-compromised systems
• Rotate administrative credentials and replace SSH keys
• Re-establish trust relationships between controllers and edge devices
• Conduct broader network investigation for lateral movement

‍