
CVE-2026-20127: Cisco Catalyst SD-WAN Controller/Manager Zero-Day Authentication Bypass Vulnerability Exploited in the Wild

Source: Tenable (archived Mar 17, 2026)



Scott Caveza, February 25, 2026

Exploitation of a maximum severity authentication bypass zero-day vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager has been reported. Immediate patching is recommended to thwart ongoing attacks.

Key takeaways:

- CVE-2026-20127 is an authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager.
- Patches have been released and no workarounds are currently available.
- Exploitation in the wild has been observed for this zero-day by a threat actor tracked as UAT-8616.
- Multiple government agencies have issued alerts on this active exploitation, and multiple publications include threat hunting guidance for devices that may have been compromised.

Change log

Update March 5: This blog has been updated to include a reference to CVE-2026-20128 and CVE-2026-20122, two additional SD-WAN Manager vulnerabilities that Cisco has confirmed have been exploited in the wild.

Background

On February 25, Cisco released a security advisory (cisco-sa-sdwan-rpa-EHchtZk) to address a maximum severity authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly known as SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly known as SD-WAN vManage.

| CVE | Description | CVSSv3 |
| CVE-2026-20127 | Cisco Catalyst SD-WAN Controller/Manager Authentication Bypass Vulnerability | 10.0 |

On March 5, Cisco updated security advisory cisco-sa-sdwan-authbp-qwCX8D4v to note that two of the CVEs addressed in that advisory have been found to have been exploited in the wild.

| CVE | Description | CVSSv3 |
| CVE-2026-20122 | Cisco Catalyst SD-WAN Manager Arbitrary File Overwrite Vulnerability | 7.1 |
| CVE-2026-20128 | Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability | 5.5 |

Analysis

CVE-2026-20127 is a critical severity authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted requests to an affected system, allowing them to log into an affected device as a high-privileged user. Using this access, the attacker could modify network configurations for the SD-WAN fabric.

According to the advisory, this vulnerability has been exploited in the wild in limited attacks. The advisory further clarifies that this flaw affects vulnerable versions regardless of the device's configuration and that no workaround steps are available; however, temporary mitigation guidance is available in the security advisory.

CISA releases an Emergency Directive for CVE-2026-20127

Coinciding with the release of the security advisory for CVE-2026-20127, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Emergency Directive (ED) 26-03, titled "Mitigate Vulnerabilities in Cisco SD-WAN Systems". The ED directs Federal Civilian Executive Branch (FCEB) agencies to take immediate action to identify any Cisco Software-Defined Wide-Area Networking (SD-WAN) systems. The ED notes that CVE-2026-20127 and CVE-2022-20775, a privilege escalation vulnerability affecting SD-WAN devices, pose imminent risk to federal networks. While the ED applies to FCEB agencies, any users who have not yet mitigated their SD-WAN devices for either of these CVEs should take immediate action, as threat actors have been observed exploiting these vulnerabilities.

As ongoing exploitation has been observed, Cisco's security advisory does include indicators of compromise which can aid defenders in identifying whether their device has been compromised. Nation state-sponsored actors, including Salt Typhoon and Volt Typhoon, have been known for past exploitation of Cisco devices, so it is imperative that immediate action is taken to remediate these vulnerabilities.

In addition to CISA, the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) also released an alert warning of exploitation of CVE-2026-20127. The ACSC was credited in the Cisco security advisory for reporting the flaw to Cisco, and the ACSC alert also includes a threat hunting guide co-authored by multiple agencies including CISA, the National Security Agency (NSA), the Canadian Centre for Cyber Security (Cyber Centre), the New Zealand National Cyber Security Centre (NCSC-NZ) and the United Kingdom National Cyber Security Centre (NCSC-UK).

Exploitation attributed to UAT-8616

While the alerts from the government agencies and Cisco's security advisory did not provide attribution for the attacks targeting CVE-2026-20127, Cisco's Talos threat intelligence team released a blog attributing the threat activity to UAT-8616. Cisco Talos notes that UAT-8616 is assessed "with high confidence" as "a highly sophisticated cyber threat actor." The blog by Cisco Talos includes guidance for investigating compromised devices as well as details of the exploitation activity that Talos has observed.

Cisco announces additional SD-WAN vulnerabilities have been exploited

In an update to security advisory cisco-sa-sdwan-authbp-qwCX8D4v, Cisco noted that CVE-2026-20122 and CVE-2026-20128 have been exploited in the wild. While the advisory did not link the exploitation of these flaws to any threat actor, given the timing of these updates, just a week after the disclosure of CVE-2026-20127, immediate patching is recommended to ensure protection from these flaws.

Proof of concept

At the time this blog was published on February 25, no public proof-of-concept (PoC) exploit had been identified. We anticipate that if a PoC is released, additional attackers will begin to leverage the exploit to conduct mass scanning and exploitation against vulnerable devices.

Solution

Cisco has released patches for affected versions of Cisco Catalyst SD-WAN devices as outlined in the table below. Note that these fixed versions address CVE-2026-20127, CVE-2026-20122 and CVE-2026-20128 as well as additional vulnerabilities that have not been exploited:

| Affected Version | Fixed Version |
| Versions prior to 20.9 | Migrate to a fixed release |
| 20.9 | 20.9.8.2 (estimated to be released on February 27) |
| 20.11 | 20.12.6.1 |
| 20.12.5 | 20.12.5.3 |
| 20.12.6 | 20.12.6.1 |
| 20.13 | 20.15.4.2 |
| 20.14 | 20.15.4.2 |
| 20.15 | 20.15.4.2 |
| 20.16 | 20.18.2.1 |
| 20.18 | 20.18.2.1 |

The advisory notes that versions 20.11, 20.13, 20.14, 20.16 and versions prior to 20.9 have reached their end of maintenance and customers should upgrade to a supported release.

Identifying affected systems

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2026-20127, CVE-2022-20775, CVE-2026-20122 and CVE-2026-20128 as they are released. Those pages display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
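The fixed-release table in the Solution section can be applied mechanically to an inventory of Controller and Manager versions. The Python below is an added example written for this page, not Tenable or Cisco code: it encodes only the affected/fixed pairs from the table, treats anything before 20.9 as needing migration, marks the trains the advisory calls end of maintenance, and reports any version the table does not cover as "unknown" rather than guessing. The hostnames and version strings in the sample inventory are constructed.

```python
"""Triage Cisco Catalyst SD-WAN Controller/Manager versions against the
fixed-release table from the Cisco advisory (added example; not Tenable's
or Cisco's code). Only the pairs printed in the table are encoded."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Affected train -> fixed release, exactly as the remediation table lists them.
FIXED_RELEASES: Dict[str, str] = {
    "20.9":    "20.9.8.2",    # estimated release date Feb 27 per the post
    "20.11":   "20.12.6.1",
    "20.12.5": "20.12.5.3",
    "20.12.6": "20.12.6.1",
    "20.13":   "20.15.4.2",
    "20.14":   "20.15.4.2",
    "20.15":   "20.15.4.2",
    "20.16":   "20.18.2.1",
    "20.18":   "20.18.2.1",
}

# Trains the advisory says have reached end of maintenance (everything
# before 20.9 is treated the same way).
END_OF_MAINTENANCE = {"20.11", "20.13", "20.14", "20.16"}


@dataclass(frozen=True)
class Assessment:
    version: str
    status: str                    # "affected", "fixed" or "unknown"
    fixed_release: Optional[str]   # target release, or None when not in the table
    end_of_maintenance: bool


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version such as '20.12.5.1' into a comparable tuple."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def _train_for(parts: Tuple[int, ...]) -> Optional[str]:
    """Return the most specific table key that is a prefix of the version.
    Three-part keys such as '20.12.5' are tried before two-part keys."""
    for key in sorted(FIXED_RELEASES, key=lambda k: -len(k.split("."))):
        key_parts = parse_version(key)
        if parts[: len(key_parts)] == key_parts:
            return key
    return None


def assess(version: str) -> Assessment:
    parts = parse_version(version)
    if parts < (20, 9):
        # Table row "Versions prior to 20.9 -> Migrate to a fixed release".
        return Assessment(version, "affected", None, True)
    train = _train_for(parts)
    if train is None:
        # Not a train the table speaks to; flag for manual review, do not guess.
        return Assessment(version, "unknown", None, False)
    fixed = FIXED_RELEASES[train]
    # A tuple comparison suffices: cross-train fixes (20.11 -> 20.12.6.1) are
    # always greater than any version inside the affected train.
    status = "fixed" if parts >= parse_version(fixed) else "affected"
    return Assessment(version, status, fixed, train in END_OF_MAINTENANCE)


def triage_inventory(rows: List[str]) -> Dict[str, List[str]]:
    """Group 'hostname,version' rows by status; malformed rows go to 'unknown'."""
    groups: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for row in rows:
        host, _, ver = row.partition(",")
        try:
            groups[assess(ver).status].append(host.strip())
        except ValueError:
            groups["unknown"].append(host.strip())
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    "vmanage-01,20.12.5.1",
    "vsmart-01,20.9.8.2",
    "vsmart-02,20.11.1",
    "vmanage-lab,20.8.1",
    "vmanage-03,20.12.4",
    "vmanage-04,20.18.2.1",
    "broken-entry,N/A",
]

if __name__ == "__main__":
    for row in SAMPLE_INVENTORY:
        host, _, ver = row.partition(",")
        try:
            print(host, assess(ver))
        except ValueError as exc:
            print(host, "->", exc)
    print(triage_inventory(SAMPLE_INVENTORY))
```

The "unknown" bucket is deliberate: a 20.12.4 or 20.10 device is not listed in the post's table, and the right answer is to check the Cisco advisory for that train, not to infer a fixed release from a neighbouring row.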
Additionally, customers can utilize Tenable Attack Surface Management to identify public-facing assets running Cisco Catalyst SD-WAN devices by using the following query:

    Document Title contains Cisco Catalyst SD-WAN

Get more information

- Cisco cisco-sa-sdwan-rpa-EHchtZk Security Advisory
- Cisco cisco-sa-sd-wan-priv-E6e8tEdF Security Advisory
- Cisco cisco-sa-sdwan-authbp-qwCX8D4v Security Advisory
- CISA ED 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems
- Australian Signals Directorate's Australian Cyber Security Centre Alert: Exploitation of Cisco SD-WAN appliances
- Cisco Talos: Active exploitation of Cisco Catalyst SD-WAN by UAT-8616

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

About the author

Scott Caveza, Senior Staff Research Engineer, Research Special Operations. Scott joined Tenable in 2012 as a Research Engineer on the Nessus Plugins team. Over the years, he has written hundreds of plugins for Nessus, and reviewed code for even more during his time as a team lead and manager of the Plugins team. Having previously led the Security Response team and the Zero Day Research team, Scott is currently a member of the Research Special Operations team, helping the research organization respond to the latest threats. He has over a decade of experience in the industry, with previous work in the Security Operations Center (SOC) for a major domain registrar and web hosting provider. Scott is a current CISSP and actively maintains his GIAC GWAPT Web Application Penetration Tester certification. Interests outside of work: Scott enjoys spending time with his family, camping, fishing and being outdoors. He also enjoys finding ways to break web applications and home renovation projects.