Cisco Catalyst SD-WAN platforms are widely deployed across enterprises, governments, and service providers, often serving as the core infrastructure that links remote offices, data centers, and cloud environments. Because these controllers are frequently reachable from external networks to support distributed operations, they represent a highly visible and attractive target for threat actors.
Cisco has disclosed a critical authentication bypass vulnerability, CVE-2026-20127, affecting both the Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). The flaw carries a CVSS score of 10.0, allowing a remote, unauthenticated attacker to gain administrative-level access by sending crafted requests to an exposed system.
The vulnerability stems from a failure in the SD-WAN peering authentication process, effectively breaking a core trust mechanism in the control plane. Once exploited, an attacker can log in as an internal high-privileged (non-root) user and use NETCONF to manipulate SD-WAN fabric configuration.
Security agencies in the U.S., UK, Australia, Canada, and New Zealand have jointly confirmed active exploitation, with evidence showing that threat actors have been abusing this flaw since at least 2023. Cisco has linked the activity to a sophisticated intrusion cluster known as UAT-8616.
CISA has also added the CVE to its Known Exploited Vulnerabilities (KEV) list, emphasizing its operational impact.
Affected Products
The vulnerability affects all deployment types of Cisco Catalyst SD-WAN components, regardless of configuration:
Applicable to:
- Cisco Catalyst SD-WAN Controller (vSmart)
- Cisco Catalyst SD-WAN Manager (vManage)
- On-prem installations
- Cisco-hosted SD-WAN cloud
- Cisco-managed cloud and FedRAMP SD-WAN cloud environments
There are no workarounds, and patching is required.
Technical Summary
What the attacker can do
By exploiting the broken peering authentication mechanism, an attacker can:
- Access the system without authentication
- Log in as an internal high-privileged user
- Use NETCONF to change SD-WAN configuration
- Add rogue SD-WAN peers
- Position themselves for further privilege escalation (e.g., chaining with CVE-2022-20775)
Because SD-WAN sits at the heart of distributed enterprise routing, unauthorized access at this layer gives attackers deep visibility and control over connected sites.
Exploitation Status
- Cisco has confirmed limited but real-world exploitation of the vulnerability.
- Intelligence agencies report exploitation activity extending back to 2023.
- The threat actor UAT-8616 has used the vulnerability to add rogue peers and maintain long-term access.
- Multiple national cybersecurity centers have issued coordinated alerts and a joint SD-WAN Threat Hunt Guide.
Fixed Software Versions
Cisco has released updates across all major SD-WAN software trains. Affected users must upgrade to the patched release for their current software branch, such as:
- 20.9.8.2
- 20.12.6.1
- 20.12.5.3
- 20.15.4.2
- 20.18.2.1
Devices running versions prior to 20.9.1 must migrate to a fixed release.
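Deciding whether a given running release is covered by one of the fixed versions above is less mechanical than it looks, because the 20.12 train has two fixed releases (20.12.5.3 and 20.12.6.1), so 20.12.6.0 is still vulnerable even though it is newer than 20.12.5.3, and anything older than 20.9.1 has no fix at all. The following script is an added example, not a Cisco tool: it encodes only the fixed releases and the 20.9.1 rule stated in this bulletin, reports trains the bulletin does not list as "unknown" rather than guessing, and the device inventory it runs over is constructed. Its one assumption (marked in the code) is that a maintenance line above the highest listed fix in the same train carries the fix.

```python
"""Release check for the fixed Catalyst SD-WAN versions named in this bulletin.

Added example for readers of the bulletin; it is not a Cisco tool. It knows only
the five fixed releases listed above and the "prior to 20.9.1 must migrate"
rule, so any train the bulletin does not mention is reported as "unknown".
"""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

FIXED_RELEASE_STRINGS = ["20.9.8.2", "20.12.6.1", "20.12.5.3", "20.15.4.2", "20.18.2.1"]
OLDEST_SUPPORTED = (20, 9, 1)  # anything older has no fixed release and must migrate


def parse_version(text: str) -> Version:
    """'20.12.5.3' -> (20, 12, 5, 3). Tuples compare lexicographically, which is the
    ordering we want: a 3-part version sorts below its own 4-part dot releases."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2 or any(p < 0 for p in parts):
        raise ValueError(f"not a release string: {text!r}")
    return parts


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


FIXED_RELEASES: List[Version] = sorted(parse_version(s) for s in FIXED_RELEASE_STRINGS)


def assess(running: str) -> Tuple[str, Optional[str]]:
    """Classify a running release.

    Returns (status, target) where status is one of:
      "migrate"    - older than 20.9.1, no fix exists for this train (target is None)
      "fixed"      - at or above the listed fix for its maintenance line
      "vulnerable" - below the listed fix; target is the fixed release to move to
      "unknown"    - the bulletin lists no fixed release for this train (target is None)
    """
    v = parse_version(running)
    if v < OLDEST_SUPPORTED:
        return "migrate", None

    train = [f for f in FIXED_RELEASES if f[:2] == v[:2]]
    if not train:
        return "unknown", None

    # 20.12 has two fixed releases (20.12.5.3 and 20.12.6.1), so compare first within
    # the same maintenance line (x.y.z): 20.12.6.0 is vulnerable even though it is
    # newer than 20.12.5.3.
    same_line = [f for f in train if f[:3] == v[:3]]
    if same_line:
        fix = same_line[0]
        return ("fixed" if v >= fix else "vulnerable"), fmt(fix)

    # No fix listed for this exact maintenance line. Assumption (not stated in the
    # bulletin): a later maintenance line in the same train carries the fix, so a
    # release above the highest listed fix is treated as fixed; a release below it is
    # pointed at the next listed fix above it.
    highest = train[-1]
    if v > highest:
        return "fixed", fmt(highest)
    target = next(f for f in train if f > v)
    return "vulnerable", fmt(target)


def triage(inventory: dict) -> dict:
    """Run assess() over a {device_name: running_version} mapping."""
    return {name: assess(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for the demonstration, not real devices.
    sample = {"vmanage-1": "20.12.6.0", "vsmart-1": "20.9.8.2",
              "vsmart-2": "20.6.3", "vmanage-lab": "20.14.1"}
    for name, (status, target) in triage(sample).items():
        print(f"{name:12s} {sample[name]:10s} {status:10s} {target or '-'}")
```

Feed `triage()` the version column of your controller and manager inventory; every device that comes back as "vulnerable", "migrate" or "unknown" needs action or a manual check against the Cisco advisory.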
Recommended Actions
1. Patch immediately
Apply the appropriate Cisco-provided update without delay. There are no supported workarounds.
2. Conduct targeted threat hunting
National agencies recommend collecting snapshots, checking logs, and reviewing indicators of compromise. Key items include:
- Suspicious entries in /var/log/auth.log, especially:
- Accepted publickey for vmanage-admin from unknown IPs
- Reviewing SD-WAN Manager’s device system IP lists for unexpected changes
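The two hunt items above translate directly into checks that can be run over collected snapshots: a pass over /var/log/auth.log for "Accepted publickey for vmanage-admin" lines whose source address is outside the expected management ranges, and a diff of the current device system IP list against a known-good baseline to surface peers that were added without being provisioned. The script below is an added example, not Cisco's or any agency's tooling; the log lines, the management allowlist and both device lists are constructed for the demonstration, and the only format it relies on is the standard sshd accept line.

```python
"""Threat-hunt helpers for the two indicators in this bulletin: accepted public-key
SSH logins for vmanage-admin from unexpected sources, and device system IPs that
appeared in the SD-WAN Manager inventory without being in a known-good baseline.

Added example; not Cisco's or any agency's tooling. The log lines, the management
allowlist and both device lists below are constructed for the demonstration.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Standard sshd accept line: "<ts> <host> sshd[<pid>]: Accepted publickey for <user> from <ip> port <port> ssh2 ..."
ACCEPT_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def find_suspicious_logins(lines: Iterable[str], allowed_cidrs: Iterable[str],
                           user: str = "vmanage-admin") -> List[Dict[str, str]]:
    """Return every accepted public-key login for `user` whose source address is
    outside the allowed management ranges, or cannot be parsed as an address."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if not m or m.group("user") != user:
            continue  # other users, failed attempts and password logins are out of scope here
        src = m.group("ip")
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            hits.append({"ts": m.group("ts"), "ip": src, "port": m.group("port"),
                         "reason": "unparseable source"})
            continue
        if not any(addr in n for n in nets):
            hits.append({"ts": m.group("ts"), "ip": src, "port": m.group("port"),
                         "reason": "source outside management allowlist"})
    return hits


def unexpected_system_ips(baseline: Iterable[str], current: Iterable[str]) -> List[str]:
    """System IPs present in the current device list but absent from the baseline."""
    new = set(current) - set(baseline)
    return sorted(new, key=ipaddress.ip_address)


# Constructed sample data (not captured from a real system).
SAMPLE_AUTH_LOG = [
    "Mar  3 02:14:07 vmanage sshd[2310]: Accepted publickey for vmanage-admin from 10.10.0.5 port 51234 ssh2",
    "Mar  3 02:15:41 vmanage sshd[2331]: Accepted publickey for vmanage-admin from 203.0.113.77 port 40022 ssh2",
    "Mar  3 02:16:02 vmanage sshd[2340]: Accepted password for admin from 10.10.0.9 port 51300 ssh2",
    "Mar  3 02:17:55 vmanage sshd[2351]: Failed publickey for vmanage-admin from 198.51.100.8 port 41000 ssh2",
]
MANAGEMENT_ALLOWLIST = ["10.10.0.0/24"]          # constructed: where admin SSH is expected from
BASELINE_SYSTEM_IPS = ["10.1.1.1", "10.1.1.2", "10.1.2.1"]          # constructed known-good list
CURRENT_SYSTEM_IPS = ["10.1.1.1", "10.1.1.2", "10.1.2.1", "10.1.9.250"]  # constructed current list


def hunt(lines=SAMPLE_AUTH_LOG, allowed=MANAGEMENT_ALLOWLIST,
         baseline=BASELINE_SYSTEM_IPS, current=CURRENT_SYSTEM_IPS) -> dict:
    """Run both checks and return the findings together."""
    return {
        "suspicious_logins": find_suspicious_logins(lines, allowed),
        "unexpected_system_ips": unexpected_system_ips(baseline, current),
    }


if __name__ == "__main__":
    for key, findings in hunt().items():
        print(key)
        for f in findings:
            print("  ", f)
```

On a real collection, replace the constructed lists with the file contents (`open("/var/log/auth.log")` for the login check, and the exported device list from SD-WAN Manager for the system IP check); any hit is a starting point for the snapshot and indicator review the agencies recommend, not a verdict on its own.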
3. Strengthen SD-WAN management exposure
Follow Cisco SD-WAN hardening guidance:
- Place management and control components behind strict perimeter firewalls
- Isolate VPN 512 interfaces
- Restrict manually provisioned edge device IPs
- Replace self-signed certificates
- Forward logs to remote syslog
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
