Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add malicious rogue peers to targeted networks.
CVE-2026-20127 has a maximum severity rating of 10.0 and affects Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-prem and SD-WAN Cloud installations.
Cisco credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) for reporting the vulnerability.

In an advisory published today, Cisco said the issue stems from a peering authentication mechanism that "is not working properly."
“This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system,” reads the Cisco CVE-2026-20127 advisory.
“A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”
Cisco Catalyst SD-WAN is a software-based networking platform that connects branch offices, data centers, and cloud environments through a centrally managed system. It uses a controller to securely route traffic between sites over encrypted connections.
By adding a rogue peer, an attacker can insert a malicious device into the SD-WAN environment that appears legitimate. That device could then establish encrypted connections and advertise networks under the attacker's control, potentially allowing them to move deeper into the organization's network.
A separate advisory from Cisco Talos says the flaw was actively exploited in attacks and is tracking the malicious activity under "UAT-8616," which it assesses with high confidence was conducted by a highly sophisticated threat actor.
Talos reports that its telemetry shows exploitation dating back to at least 2023, with intelligence partners stating that the threat actor likely escalated to root by downgrading to an older software version, exploiting CVE-2022-20775 to gain root access, and then restoring the original firmware version.
By reverting to the original version after exploitation, the attacker could obtain root access while evading detection.
The exploitation was disclosed in coordinated advisories between Cisco and the U.S. and UK governments.
On February 25, 2026, CISA issued Emergency Directive 26-03 requiring Federal Civilian Executive Branch agencies to inventory Cisco SD-WAN systems, collect forensic artifacts, ensure external log storage, apply updates, and investigate potential compromises tied to CVE-2026-20127 and CVE-2022-20775.
CISA said the exploitation poses an imminent threat to federal networks and that devices must be patched by 5:00 PM ET on February 27, 2026.
A joint hunt and hardening guide from CISA and the UK's National Cyber Security Centre warned that malicious actors are targeting Cisco Catalyst SD-WAN deployments globally to add rogue peers, then conduct follow-on actions to achieve root access and maintain persistent control.
The advisories stress that SD-WAN management interfaces should never be exposed to the internet and urge organizations to immediately update and harden affected systems.
"Our new alert makes clear that organisations using Cisco Catalyst SD-WAN products should urgently check their exposure to network compromise and hunt for malicious activity, applying the new threat hunting advice produced with our international partners to identify evidence of compromise," said Ollie Whitehouse, NCSC CTO, in a statement shared with BleepingComputer.
“UK organisations are strongly advised to report compromises to the NCSC, and to apply vendor updates and hardening guidance as soon as practicable to reduce the risk of exploitation.”
Cisco has released software updates to address the vulnerability and says there are no workarounds that fully mitigate the issue.
Indicators of compromise
Cisco and Talos are urging organizations to carefully review logs on any internet-exposed Catalyst SD-WAN Controller systems for signs of unauthorized peering events and suspicious authentication activity.
The company recommends admins audit /var/log/auth.log for entries showing "Accepted publickey for vmanage-admin" from unknown IP addresses:
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from port [REDACTED PORT] ssh2: RSA SHA256:[REDACTED KEY]
Administrators should compare these IP addresses against the configured System IPs listed in the SD-WAN Manager interface and against known management or controller infrastructure. If an unknown IP address successfully authenticated, administrators should consider their devices compromised and open a Cisco TAC case.
Talos and government advisories shared additional indicators of compromise, including the creation and deletion of malicious user accounts, unexpected root logins, unauthorized SSH keys in the vmanage-admin or root accounts, and changes that enable PermitRootLogin.
Admins should also look for unusually small or missing log files, which may indicate log tampering, and for software downgrades and reboots, which may indicate exploitation of CVE-2022-20775 to gain root privileges.
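The auth.log review and the PermitRootLogin check described above, written out as an added example that is not part of the article or of any Cisco, Talos or CISA tooling. It parses OpenSSH "Accepted publickey" lines in the shape of the sample above, flags vmanage-admin logins whose source address is not in an allowlist of configured System IPs and management hosts, and reads the effective PermitRootLogin value from an sshd_config. The log lines, the 10.10.1.x/192.0.2.x addresses and the key fingerprints are constructed for the example (the article's own sample has the address and key redacted); the allowlist contents are an assumption you would replace with your real System IPs.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, List, Optional

# Shape of the OpenSSH "Accepted publickey" line quoted in the article (ISO 8601
# timestamp, hostname, sshd[pid], method, user, source IP, port, key info).
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+"
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
    r"(?:\s+ssh2(?::\s+(?P<keyinfo>.*))?)?$"
)

# First uncommented PermitRootLogin directive wins in OpenSSH.
PERMIT_ROOT_RE = re.compile(r"^\s*PermitRootLogin\s+(\S+)", re.IGNORECASE)


@dataclass(frozen=True)
class Login:
    ts: str
    user: str
    ip: str
    method: str
    keyinfo: str


def parse_accepted_logins(lines: Iterable[str]) -> List[Login]:
    """Extract successful sshd logins; lines that are not 'Accepted ...' are skipped."""
    logins = []
    for line in lines:
        m = ACCEPTED_RE.match(line.strip())
        if m:
            logins.append(Login(m["ts"], m["user"], m["ip"], m["method"], m["keyinfo"] or ""))
    return logins


def find_unknown_peers(lines: Iterable[str], known_ips: Iterable[str],
                       watched_users=("vmanage-admin",)) -> List[Login]:
    """Return watched-account logins whose source is not a known System IP or
    management host. An unparseable source address is reported rather than ignored."""
    known = {ip_address(ip) for ip in known_ips}
    findings = []
    for login in parse_accepted_logins(lines):
        if login.user not in watched_users:
            continue
        try:
            src = ip_address(login.ip)
        except ValueError:
            findings.append(login)
            continue
        if src not in known:
            findings.append(login)
    return findings


def permit_root_login_value(sshd_config_lines: Iterable[str]) -> Optional[str]:
    """Effective PermitRootLogin value (lowercased), or None if no directive is set."""
    for line in sshd_config_lines:
        m = PERMIT_ROOT_RE.match(line)
        if m:
            return m.group(1).lower()
    return None


def root_login_risky(sshd_config_lines: Iterable[str]) -> bool:
    """Only an explicit 'no' closes root SSH login; any other value (including an
    absent directive, which OpenSSH defaults to prohibit-password) still allows
    key-based root login and deserves review alongside root's authorized_keys."""
    return permit_root_login_value(sshd_config_lines) != "no"


# Constructed sample data, not taken from a real device.
SAMPLE_AUTH_LOG = """\
2026-02-10T22:40:02+00:00 vm sshd[790]: Accepted publickey for vmanage-admin from 10.10.1.5 port 51234 ssh2: RSA SHA256:AAAAexampleKnownKey
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from 192.0.2.77 port 44120 ssh2: RSA SHA256:BBBBexampleUnknownKey
2026-02-10T22:52:10+00:00 vm sshd[811]: Failed password for invalid user test from 192.0.2.77 port 44130 ssh2
2026-02-10T23:01:44+00:00 vm sshd[820]: Accepted publickey for admin from 10.10.1.9 port 50001 ssh2: RSA SHA256:CCCCexampleAdminKey
"""
# Assumed allowlist: configured System IPs plus known management hosts.
KNOWN_SYSTEM_IPS = ["10.10.1.5", "10.10.1.6"]

if __name__ == "__main__":
    for f in find_unknown_peers(SAMPLE_AUTH_LOG.splitlines(), KNOWN_SYSTEM_IPS):
        print(f"REVIEW: {f.ts} {f.user} from {f.ip} ({f.method} {f.keyinfo})")
    print("PermitRootLogin:", permit_root_login_value(["PermitRootLogin yes"]))
```

On a real controller the input would be the contents of /var/log/auth.log (and rotated copies) read from an external log store rather than from the device itself, since the advisories also warn about log tampering; a hit from an address outside the allowlist is the condition under which the article says to treat the device as compromised and open a TAC case.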
To check for exploitation of CVE-2022-20775, CISA recommends examining the following logs:
/var/volatile/log/vdebug
/var/log/tmplog/vdebug
/var/volatile/log/sw_script_synccdb.log
CISA's hunt and hardening guide instructs organizations to collect forensic artifacts, including admin core dumps and user home directories, and to ensure logs are stored externally to prevent tampering.
If a root account was compromised, agencies should deploy fresh installs rather than attempting to clean the existing infrastructure.
Organizations should also treat unexpected peering events or unexplained controller activity as potential indicators of compromise and investigate them immediately.
Both CISA and the UK NCSC recommend restricting network exposure, placing SD-WAN control components behind firewalls, isolating management interfaces, forwarding logs to external systems, and applying Cisco's hardening guidance.
Cisco strongly recommends upgrading to a fixed software release as the only way to remediate CVE-2026-20127 completely.
