By Dark Reading
Publication Date: 2026-02-26 21:45:00
Cisco revealed today that a critical zero-day vulnerability in its Catalyst SD-WAN Controller has been exploited in the wild for “at least three years.”
The vulnerability, tracked as CVE-2026-20127, is an authentication bypass flaw with a maximum CVSS score of 10. An attacker can send crafted requests to vulnerable systems and log into the controllers as an internal, high-privileged, non-root user, according to Cisco’s security advisory.
In disclosing the zero-day, Cisco warned of “limited exploitation” in the wild. On the same day, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive that requires federal civilian executive branch (FCEB) agencies to patch CVE-2026-20127 — along with a second, older Catalyst SD-WAN flaw tracked as CVE-2022-20775 — by Friday. CISA typically gives FCEB agencies two weeks to patch vulnerabilities that have been exploited in the wild but will sometimes issue emergency directives with tighter deadlines to patch…
