By Ionut Arghire
Publication Date: 2026-02-26 09:18:00
Cisco on Wednesday rolled out emergency patches for a critical Catalyst SD-WAN zero-day vulnerability that has been exploited in the wild.
Tracked as CVE-2026-20127 (CVSS score of 10/10), the flaw can be exploited remotely to bypass authentication and obtain administrative privileges on a vulnerable device.
The issue affects the peering authentication mechanism of Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Catalyst SD-WAN Manager (formerly SD-WAN vManage), allowing unauthenticated, remote attackers to send crafted requests.
Successful exploitation results in the attacker logging in as “an internal, high-privileged, non-root user account”, Cisco explains in its advisory.
“Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric,” the company notes.
The security defect was addressed with the release of Cisco Catalyst SD-WAN versions 20.12.6.1, 20.12.5.3,…