Fake PoCs, Misunderstood Risks Cause Cisco SD-WAN Chaos
The excitement around Cisco's latest SD-WAN bugs has inspired some light fraud, misunderstandings, and overlooked potential hazards.
Nate Nelson, Contributing Writer
March 13, 2026
5 Min Read
Amid a stream of new vulnerabilities in Cisco's Catalyst SD-WAN Manager, some researchers are arguing that organizations have misplaced their focus, hyperfixating on one critical vulnerability with a lot of noise around it, but overlooking another, quieter bug that's just as serious.
On Feb. 25, Cisco publicly disclosed half a dozen newfound bugs in its Software-Defined Wide Area Network (SD-WAN) management product. At least three have been exploited in the wild. One, CVE-2026-20127, in addition to earning the highest possible 10 out of 10 score in the Common Vulnerability Scoring System (CVSS), appears to have been exploited as a zero-day by one threat actor for at least three years.
In that light, it's no wonder that CVE-2026-20127 attracted as much attention as it has. And yet, some other reasons for concern have been less well-founded. Researchers at VulnCheck found that public proof-of-concept (PoC) exploits for this issue have been a mixed bag: some are outright fake, some are misleading, and all are rather confusing for organizations trying to keep up. And with all the oxygen being taken up by CVE-2026-20127, they argued in a blog post, there's another vulnerability in the mix that's not getting as much attention as it should: CVE-2026-20133.
CVE-2026-20127 vs. CVE-2026-20133
Though CVE-2026-20127 is certainly worth time and attention, VulnCheck's researchers found that CVE-2026-20133 can also be used to interesting effect. This less heralded issue is an information-disclosure bug that earned a high-severity 7.5 out of 10 CVSS score. It isn't known to have been exploited in the wild yet.
When the researchers played around with CVE-2026-20133, they found that the file system access it affords allowed them to grab the private key associated with the default "vmanage-admin" user. That key allowed them to compromise the Network Configuration Protocol (NETCONF) used to configure and manage SD-WAN devices. They also leaked a shared secret for internal communication — "confd_ipc_secret" — which could allow any local user to escalate to root. Besides just enjoying access, attackers could use these kinds of secrets to push configuration changes to an organization's network, manipulate traffic ingress and egress, and theoretically much more.
VulnCheck couldn't get a precise gauge on how many Cisco SD-WAN Managers are publicly accessible from the Internet, as different search engines returned anywhere from 275 to thousands of results. In addition to patching, organizations can consider reducing their exposure to CVE-2026-20127, CVE-2026-20133, and other vulnerabilities like them by removing their systems from the browsable Web.
Don't Be Fooled by Fake PoCs
Not long after Cisco's security advisory went public, a number of PoCs popped up on the Web, claiming to work against CVE-2026-20127. VulnCheck found that several were non-functional or clearly fraudulent.
"Typically for these types of emerging threats, we'll see two, three, five, or more than that," says Caitlin Condon, vice president of security research at VulnCheck. "Sometimes PoCs are completely fake, or nonfunctional, or malicious. It's certainly not unusual these days to see a wave of AI-slop PoCs targeting emerging bugs. We don't see as many valid, public PoCs popping up in the first couple of days after one of these incidents is disclosed."
The most interesting CVE-2026-20127 PoC was developed by GitHub user "zerozenxlabs." It wasn't fake — it did work — but it had nothing to do with the vulnerability it purported to exploit. It was, in fact, an exploit chain that strung together three of the other new vulnerabilities in the SD-WAN Manager. According to the researchers, it combined CVE-2026-20128 and CVE-2026-20133 to access and read a credential file, then used CVE-2026-20122 in its application programming interface (API) to upload a webshell.
For Condon, "part of the lesson here is that we are seeing very quickly, I think, the devaluation of public PoC code as a first-class risk signal. For many organizations, there are too many critical bugs to patch — too many products and vulnerabilities to pay attention to, and be able to prioritize. Organizations are overwhelmed. And usually that emergency take-action moment is when people are saying: 'Hey, there's public PoC for this, now you really need to pay attention.' 'PoC or GTFO' has been one of the common industry adages for many years."
But instead of "PoC or GTFO," she argues, organizations should focus on signs of verified exploitation in the wild. "It's very difficult to figure out, sometimes, whether fake PoCs are actually fake, because they're convincingly fake," she says. "Real-world exploitation signals have become much more important as the value of public PoCs is being diluted."
Real PoCs Have Value
The first verifiable, solid PoC for CVE-2026-20127 finally arrived on March 11, courtesy of a Rapid7 security researcher. As a result, VulnCheck expects real exploitation attempts in the wild to ramp up.
It raises an age-old question: By publishing working PoCs, are security researchers helping cyberattackers more than they're helping defenders?
"Researchers have a super important place in this ecosystem," Condon argues. "Their ability to demonstrate exploitability and validate that a vulnerability really does have real-world impact is still critical. I, personally, think that is very useful in the public."
To support her point, she notes that around a third of ransomware-related CVEs discovered in 2025 still have no public exploits. "But, many of them are being used by multiple ransomware groups," she says. "So the only people who have those exploits in full are adversaries, and they're continuing to be used to [great] effect. Many organizations are very nervous about exploit code being public. I understand where that comes from. However, in that type of situation, is it better for only adversaries — and often several of them — to have that exploit? I'll leave that question for readers to answer, but my position would be: no."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.