Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Root Access


Cisco disclosed CVE-2026-20127, a critical zero-day vulnerability in Catalyst SD-WAN Controller and Manager, on February 25, 2026. Attackers have exploited it since at least 2023 to bypass authentication and gain high-privileged access. Patching is urgent: exploitation is ongoing, although so far only in limited, targeted attacks.

Vulnerability Details

This flaw affects the peering authentication mechanism in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). An unauthenticated remote attacker can send crafted requests that bypass these checks and log in as a high-privileged, but non-root, internal user account.

Successful exploitation grants NETCONF access. From there, attackers can alter the entire SD-WAN fabric configuration, for example by adding rogue peers or changing routing rules. The CVSS v3.1 base score is 10.0; the critical rating reflects the network attack vector, low attack complexity, no privileges required and no user interaction.

It impacts on-premises deployments as well as Cisco-hosted SD-WAN Cloud environments, including standard, managed and FedRAMP configurations. Cisco confirms that no workarounds exist. Patches were released on February 25, 2026.

Exploitation History

Cisco Talos attributes the attacks to UAT-8616, a highly sophisticated threat actor. Exploitation began in 2023 and targeted high-value networks such as critical infrastructure. Talos identified the in-the-wild exploitation after receiving intelligence reports.

Attackers add rogue peers to gain persistent access. They downgrade the software to exploit CVE-2022-20775, a path-traversal bug used for root escalation, and then restore the original version to hide the activity. Post-compromise steps include creating look-alike user accounts and adding SSH keys for root.

Confirmed incidents involve compromises of internet-exposed management planes, and partners report real-world rogue peer additions. No public IOCs have been released yet. Hunting guidance stresses reviewing peer configurations and checking software versions.

Affected Products and Fixes

Product                      Affected Versions             Fixed Versions
SD-WAN Controller (vSmart)   20.3.1 to 20.14.3, 20.15.1    20.14.4, 20.15.2
SD-WAN Manager (vManage)     20.3.1 to 20.14.3, 20.15.1    20.14.4, 20.15.2

Government Actions

CISA added CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities Catalog on February 25, 2026. Emergency Directive 26-03 requires FCEB agencies to patch within 21 days, inventory affected systems and hunt for signs of compromise.

The Australian Cyber Security Centre (ACSC) reported the flaw. The Canadian Cyber Centre issued alert AL26-004, noting rogue peer incidents. Both urge immediate action.

Mitigation Steps

  • Apply the Cisco patches right away, following the official advisory.
  • Inventory SD-WAN deployments, especially internet-facing controllers.
  • Run the CLI command show sdwan omp peers detail and review the output for rogue peers.
  • Check NETCONF logs (port 830) for unexpected sessions.
  • Enable logging for authentication failures and software version changes.
  • Reset configurations if a compromise is found, and contact Cisco TAC.
  • Limit management plane access to trusted IP addresses.
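The hunting steps above (peer review, version checks, watching for new accounts and root SSH keys) can be automated against periodic snapshots of each controller. The script below is an added example written for this article, not Cisco tooling or VPNCentral code. It assumes a constructed snapshot format: a real collector would fill the fields from show sdwan omp peers detail, the software inventory and the local account and SSH key listings. The affected-version check uses the ranges from the table above; the look-alike account heuristic (edit distance of one from a known account) is an assumption about how mimic accounts are named. Comparing each snapshot with the previous one, rather than only with the baseline, is what catches a downgrade that was later reverted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """One point-in-time view of a controller. The field layout is constructed
    for this example; a real collector would fill it from 'show sdwan omp peers
    detail', the software inventory and the local account / SSH key listings."""
    taken_at: str
    version: str
    peers: frozenset          # system IPs of OMP peers known to the controller
    users: frozenset          # local administrative accounts
    root_ssh_keys: frozenset  # fingerprints of keys authorised for root


def version_tuple(v):
    """'20.14.3' -> (20, 14, 3) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


# Affected releases as listed in the advisory summary: 20.3.1 to 20.14.3 and 20.15.1.
AFFECTED_LOW, AFFECTED_HIGH = version_tuple("20.3.1"), version_tuple("20.14.3")
AFFECTED_EXACT = {version_tuple("20.15.1")}


def is_affected(version):
    t = version_tuple(version)
    return AFFECTED_LOW <= t <= AFFECTED_HIGH or t in AFFECTED_EXACT


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike account names (heuristic)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hunt(baseline, snapshots):
    """Walk consecutive snapshots and report changes that match the reported
    post-compromise pattern. Each finding is (kind, timestamp, detail)."""
    findings = []
    if is_affected(baseline.version):
        findings.append(("affected_version", baseline.taken_at, baseline.version))
    downgraded = False
    prev = baseline
    for snap in snapshots:
        cur_v, prev_v = version_tuple(snap.version), version_tuple(prev.version)
        if cur_v < prev_v:
            downgraded = True
            findings.append(("version_downgrade", snap.taken_at,
                             f"{prev.version} -> {snap.version}"))
        elif cur_v > prev_v and downgraded:
            # The version went back up after a downgrade: the restore step.
            findings.append(("version_restored", snap.taken_at,
                             f"{prev.version} -> {snap.version}"))
        if snap.version != prev.version and is_affected(snap.version):
            findings.append(("affected_version", snap.taken_at, snap.version))
        for peer in sorted(snap.peers - prev.peers):
            findings.append(("rogue_peer", snap.taken_at, peer))
        for user in sorted(snap.users - prev.users):
            lookalike = any(edit_distance(user, known) <= 1 for known in prev.users)
            findings.append(("lookalike_user" if lookalike else "new_user",
                             snap.taken_at, user))
        for key in sorted(snap.root_ssh_keys - prev.root_ssh_keys):
            findings.append(("new_root_ssh_key", snap.taken_at, key))
        prev = snap
    return findings


# Constructed sample data: a controller already on a fixed release, then two
# later snapshots showing the downgrade-and-restore pattern with a new peer,
# a look-alike account and an extra root key.
BASELINE = Snapshot("t0", "20.14.4",
                    frozenset({"10.0.0.1", "10.0.0.2"}),
                    frozenset({"admin", "netops"}),
                    frozenset({"SHA256:baseline-key"}))
SNAPSHOTS = [
    Snapshot("t1", "20.9.1",
             frozenset({"10.0.0.1", "10.0.0.2", "203.0.113.7"}),
             frozenset({"admin", "netops", "adm1n"}),
             frozenset({"SHA256:baseline-key", "SHA256:unknown-key"})),
    Snapshot("t2", "20.14.4",
             frozenset({"10.0.0.1", "10.0.0.2", "203.0.113.7"}),
             frozenset({"admin", "netops", "adm1n"}),
             frozenset({"SHA256:baseline-key", "SHA256:unknown-key"})),
]


def run_demo():
    return hunt(BASELINE, SNAPSHOTS)


if __name__ == "__main__":
    for kind, when, detail in run_demo():
        print(f"{when}  {kind:18}  {detail}")
```

A single comparison of the latest snapshot against the baseline would report the rogue peer, the account and the key but miss the downgrade entirely, because the final version matches the baseline; walking the series snapshot by snapshot surfaces both the downgrade and the restore.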

FAQ

What is CVE-2026-20127?

A critical authentication bypass in Cisco SD-WAN peering, rated CVSS 10.0. It gives an unauthenticated attacker, via crafted requests, a path toward root access.

How do attackers exploit it?

They send crafted requests to log in as a privileged user, then use NETCONF to make configuration changes such as adding rogue peers.

Which versions need patches?

SD-WAN Controller and Manager releases 20.3.1 through 20.14.3 and 20.15.1. Upgrade to 20.14.4 or 20.15.2.

Is there a workaround?

No. Patch immediately and restrict exposure.

Who is behind the attacks?

UAT-8616, which Cisco Talos tracks as a sophisticated actor targeting critical sectors.

What should critical infrastructure do?

Prioritize inventory, patching, and hunts per CISA Directive 26-03.
