By Guru Baran
Publication Date: 2026-02-26 01:51:00
Cisco has disclosed a critical zero-day vulnerability in its Catalyst SD-WAN products that threat actors have exploited since 2023 to bypass authentication and achieve root access.
Tracked as CVE-2026-20127, the flaw affects core networking components and prompts urgent patching amid active attacks.
CVE-2026-20127 stems from a flaw in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage).
An unauthenticated remote attacker can send crafted requests to bypass the authentication checks and log in as a high-privileged, non-root internal user account.
This access enables NETCONF manipulation, allowing changes to the entire SD-WAN fabric’s network configuration, such as adding rogue peers or altering routing.
The vulnerability carries a CVSS v3.1 base score of 10.0 (Critical), with attack vector Network, low complexity, no…