A zero-day security vulnerability is being exploited in ongoing attacks, posing a “significant cyber threat targeting federal networks utilizing certain Cisco systems and software,” according to U.S. Cybersecurity and Infrastructure Security Agency. Here’s what all enterprises need to know about CVE-2026-20127, that impacts users of the Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, that can allow a remote hacker to bypass authentication and obtain admin privileges.
Cisco Authentication Bypass Vulnerability Confirmed, Immediate Action Required
When Cisco confirms a zero-day vulnerability with a Common Vulnerability Scoring System severity rating of 10, you need to sit up and pay attention. With attacks already known to be underway, as the CISA issues an emergency directive and warns that immediate action is required, you know this is serious, to say the least.
It only seems like a minute since I reported on a Cisco zero-day exploit, which, at the time, had no fix available. Luckily, this time around, there is one, and I recommend you apply it as quickly as your risk assessments allow. As, indeed, does CISA, more of which in a moment. But first, here is what Cisco itself has to say about CVE-2026-20127: “This vulnerability exists because the peering authentication mechanism in an affected system is not working properly.” Erm, a popular saying involving a fictional pipe-smoking British detective and bodily functions springs to mind, but let’s continue. “A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account.” Yep, it’s that serious. All that is required is for the attacker to send malicious requests to any system at risk. “Using this account, the attacker could access NETCONF,” Cisco has confirmed, “which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”
“CVE-2026-20127 is one of the most serious vulnerabilities that have been discovered recently,” Natalie Page, head of threat intelligence at Talion, said, “and it’s concerning it has gone completely unnoticed by Cisco for so many years, especially given that threat actors have already been actively exploiting the flaw.” Ah yes, I forgot to mention that this vulnerability has, according to Cisco itself, been exploited by attackers since at least 2023.
“Organizations must act today,” Page continued. “They should conduct threat hunting to understand if attackers have already exploited the vulnerability within their own environments and they should follow Cisco’s hardening guide.” System admins should also audit /var/log/auth.log for any entries containing “Accepted public key for vmanage-admin” that are from unknown IP addresses.
CISA Issues Emergency Directive To Secure Cisco Systems
Meanwhile, as mentioned earlier, CISA has issued an emergency directive in response to the Cisco zero-day. The February 25 directive is aimed at all organizations with Cisco Software-Defined Wide-Area Networking systems, including the Federal Civilian Executive Branch agencies that just respond within mandatory timeframes, as the exploitation of CVE-2026-20127 is confirmed.
“CISA and partners have observed malicious cyber actors targeting and compromising Cisco SD-WAN systems of organizations, globally,” the directive stated. These attacks have enabled the hackers to establish long-term persistence in those systems.
The highly unusual “Immediate Action Required” statement from CISA is, therefore, understandable in the circumstances and should not be ignored. CISA has recommended that all network defenders do the following:
- Ensure control components are behind a firewall, isolate virtual private network512 interfaces, and use Internet Protocol blocks for manually provisioned edge IPs.
- Replace the self-signed certificate for the web user interface.
- Use pairwise keys.
- Limit session timeouts to the shortest period possible.
- Forward logs to a remote syslog server.
“The exploitation of a CVSS 10.0 pre-authentication RCE in Cisco Systems SD-WAN should be setting off serious alarms,” Sylvain Cortes, vice president of strategy at Hackuity, told me. “This is not a routine patching issue; it’s a direct route to administrative control of core network infrastructure and, potentially, full network compromise.” So, what are you waiting for? Start taking steps to combat these attacks now. “With confirmed active exploitation,” Cortes concluded, “it’s reasonable to assume both opportunistic scanning and targeted attacks are already in play.”
Cisco has confirmed that it has released software updates that address CVE-2026-20127, and there are “no workarounds that address this vulnerability.”
