Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add malicious rogue peers to targeted networks.
CVE-2026-20127 has a maximum severity score of 10.0 and affects Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-premises and SD-WAN Cloud deployments.
Cisco credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) for reporting the vulnerability.
In an advisory published today, Cisco said the issue stems from a peering authentication mechanism that "is not working properly."
"This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system," reads the Cisco CVE-2026-20127 advisory.
"A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which could then allow the attacker to manipulate network configuration for the SD-WAN fabric."
Cisco Catalyst SD-WAN is a software-based networking platform that connects branch offices, data centers, and cloud environments through a centrally managed system. It uses a controller to securely route traffic between sites over encrypted connections.
By adding a rogue peer, an attacker can insert a malicious device into the SD-WAN environment that appears legitimate. That device could then establish encrypted connections and advertise networks under the attacker's control, potentially allowing them to move deeper into the organization's network.
A separate advisory from Cisco Talos says the flaw was actively exploited in attacks; Talos is tracking the malicious activity as "UAT-8616," which it assesses with high confidence was conducted by a highly sophisticated threat actor.
Talos reports that its telemetry shows exploitation dating back to at least 2023, with intelligence partners stating the threat actor likely escalated to root by downgrading to an older software version, exploiting CVE-2022-20775 to gain root access, and then restoring the original firmware version.
By reverting to the original version after exploitation, the attacker could gain root access while evading detection.
The exploitation was disclosed in coordinated advisories from Cisco and the U.S. and UK governments.
On February 25, 2026, CISA issued Emergency Directive 26-03 requiring Federal Civilian Executive Branch agencies to inventory Cisco SD-WAN systems, collect forensic artifacts, ensure external log storage, apply updates, and investigate potential compromises tied to CVE-2026-20127 and CVE-2022-20775.
CISA said the exploitation poses an imminent threat to federal networks and that devices must be patched by 5:00 PM ET on February 27, 2026.
A joint hunt and hardening guide from CISA and the UK's National Cyber Security Centre warned that malicious actors are targeting Cisco Catalyst SD-WAN deployments globally to add rogue peers, then conduct follow-on actions to achieve root access and maintain persistent control.
The advisories stress that SD-WAN management interfaces must never be exposed to the internet and urge organizations to immediately update and harden affected systems.
"Our new alert makes clear that organisations using Cisco Catalyst SD-WAN products should urgently investigate their exposure to network compromise and hunt for malicious activity, applying the new threat hunting advice produced with our international partners to identify evidence of compromise," said Ollie Whitehouse, NCSC CTO, in a statement shared with BleepingComputer.
"UK organisations are strongly advised to report compromises to the NCSC, and to apply vendor updates and hardening guidance as soon as practicable to reduce the risk of exploitation."
Cisco has released software updates to address the vulnerability and says there are no workarounds that fully mitigate the issue.
Indicators of compromise
Cisco and Talos are urging organizations to carefully review logs on any internet-exposed Catalyst SD-WAN Controller systems for signs of unauthorized peering events and suspicious authentication activity.
The company recommends that admins audit /var/log/auth.log for entries showing "Accepted publickey for vmanage-admin" from unknown IP addresses:
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from port [REDACTED PORT] ssh2: RSA SHA256:[REDACTED KEY]
Administrators should check these IP addresses against the configured System IPs listed in the SD-WAN Manager interface and against known management or controller infrastructure. If an unknown IP address successfully authenticated, administrators should consider their devices compromised and open a Cisco TAC case.
Talos and government advisories shared additional indicators of compromise, including the creation and deletion of malicious user accounts, unexpected root logins, unauthorized SSH keys in the vmanage-admin or root accounts, and changes that enable PermitRootLogin.
Admins should also look for unusually small or missing log files, which may indicate log tampering, and for software downgrades and reboots, which may indicate exploitation of CVE-2022-20775 to gain root privileges.
To check for exploitation of CVE-2022-20775, CISA recommends examining the following logs:
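The auth.log review described above can be scripted: parse each sshd "Accepted" line, keep only logins to the vmanage-admin and root accounts, and compare the source address against the controller System IPs and known management hosts. The helper below is an added example written for this article, not Cisco, Talos or CISA tooling. The log lines, the key fingerprints and the allowlist are constructed (RFC 5737 documentation addresses), and the `audit_auth_log` function name is an assumption.

```python
"""Audit sshd 'Accepted publickey' events on a Catalyst SD-WAN controller
against an allowlist of known System IPs and management hosts.

Hypothetical helper written for this article; not Cisco, Talos or CISA tooling.
Sample log lines below are constructed: the IP addresses are RFC 5737
documentation addresses and the key fingerprints are placeholders.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List

# Matches the sshd line format Cisco points admins to in /var/log/auth.log:
#   <ts> <host> sshd[<pid>]: Accepted publickey for <user> from <ip> port <port> ssh2: <type> SHA256:<fp>
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+Accepted\s+"
    r"(?P<method>publickey|password|keyboard-interactive)"
    r"\s+for\s+(?P<user>\S+)\s+from\s+(?P<ip>\S+)\s+port\s+(?P<port>\d+)"
    r"(?:\s+ssh2(?::\s+(?P<keytype>\S+)\s+SHA256:(?P<fp>\S+))?)?"
)

# Accounts the advisories single out: the internal vmanage-admin account,
# and root, because unexpected root logins are themselves an indicator.
WATCHED_ACCOUNTS = {"vmanage-admin", "root"}


@dataclass
class Finding:
    timestamp: str
    user: str
    source_ip: str
    reason: str
    fingerprint: str = ""


def parse_accepted(line: str):
    """Return the regex match for an sshd 'Accepted ...' line, or None."""
    return ACCEPTED_RE.match(line.strip())


def audit_auth_log(lines: Iterable[str], allowed: Iterable[str]) -> List[Finding]:
    """Flag successful logins to watched accounts that need investigation.

    `allowed` holds the controller System IPs and management hosts, given as
    single addresses or CIDR prefixes. vmanage-admin logins from those sources
    are expected peering traffic; anything else is reported, and any root
    login over SSH is reported regardless of source.
    """
    nets = [ip_network(a, strict=False) for a in allowed]
    findings: List[Finding] = []
    for line in lines:
        m = parse_accepted(line)
        if not m or m["user"] not in WATCHED_ACCOUNTS:
            continue
        src = m["ip"]
        try:
            known = any(ip_address(src) in n for n in nets)
        except ValueError:
            known = False  # unparsable source field: treat as unknown
        if m["user"] == "root":
            reason = "root login over SSH (unexpected on a controller)"
        elif not known:
            reason = "vmanage-admin login from IP not in System IP / management allowlist"
        else:
            continue
        findings.append(Finding(m["ts"], m["user"], src, reason, m["fp"] or ""))
    return findings


# Constructed sample: two peer controllers authenticating from their System
# IPs, one vmanage-admin login from an unknown address, one root login, one
# failed attempt (ignored) and a login to an account outside the watch list.
SAMPLE_AUTH_LOG = [
    "2026-02-10T22:40:02+00:00 vm sshd[611]: Accepted publickey for vmanage-admin from 192.0.2.11 port 51022 ssh2: RSA SHA256:AAAAexampleFingerprint01",
    "2026-02-10T22:45:17+00:00 vm sshd[702]: Accepted publickey for vmanage-admin from 192.0.2.12 port 51190 ssh2: RSA SHA256:AAAAexampleFingerprint02",
    "2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from 203.0.113.77 port 44210 ssh2: RSA SHA256:AAAAexampleFingerprint99",
    "2026-02-10T23:02:09+00:00 vm sshd[903]: Accepted publickey for root from 192.0.2.11 port 51300 ssh2: ED25519 SHA256:AAAAexampleFingerprint03",
    "2026-02-10T23:05:00+00:00 vm sshd[950]: Failed password for invalid user test from 203.0.113.77 port 44300 ssh2",
    "2026-02-10T23:10:00+00:00 vm sshd[990]: Accepted publickey for admin from 198.51.100.5 port 40000 ssh2: RSA SHA256:AAAAexampleFingerprint04",
]

# Constructed allowlist: the controller System IP range plus a management host.
KNOWN_INFRA = ["192.0.2.0/28", "198.51.100.5"]


def main() -> None:
    for f in audit_auth_log(SAMPLE_AUTH_LOG, KNOWN_INFRA):
        print(f"{f.timestamp} {f.user:<14} {f.source_ip:<16} {f.reason}")


if __name__ == "__main__":
    main()
```

On a real controller, replace `SAMPLE_AUTH_LOG` with the lines of /var/log/auth.log and `KNOWN_INFRA` with the System IPs exported from SD-WAN Manager; any finding for vmanage-admin from an unlisted source is the condition under which Cisco says to treat the device as compromised and open a TAC case.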
/var/volatile/log/vdebug
/var/log/tmplog/vdebug
/var/volatile/log/sw_script_synccdb.log
CISA's hunt and hardening guide instructs organizations to collect forensic artifacts, including admin core dumps and user home directories, and to ensure logs are stored externally to prevent tampering.
If a root account was compromised, agencies should deploy fresh installs rather than attempting to clean the existing infrastructure.
Organizations should also treat unexpected peering events or unexplained controller activity as potential indicators of compromise and investigate them immediately.
Both CISA and the UK NCSC recommend restricting network exposure, placing SD-WAN control components behind firewalls, isolating management interfaces, forwarding logs to external systems, and applying Cisco's hardening guidance.
Cisco strongly recommends upgrading to a fixed software release as the only way to fully remediate CVE-2026-20127.