External risk intelligence

Attackers can take control of Cisco SD-WAN networks by bypassing logins

CVE advisory

Known Exploit

CVE-2026-20127

Cisco Catalyst SD-WAN controllers are vulnerable, allowing an external attacker to bypass security checks and gain full administrative access. This enables them to manipulate enterprise network settings, creating a serious risk of unauthorized traffic control or disruption across the organization.

Halo Surface Signal: 3

Authentication Bypass

Cisco Catalyst SD-WAN Manager

  • before 20.9.8.2
  • 20.11 to before 20.12.5.3
  • 20.13 to before 20.15.4.2
  • 20.16 to before 20.18.2.1
  • 20.12.6

External exposure likelihood

Halo Surface Signal score for CVE-2026-20127

Cisco SD-WAN controllers act as centralized management hubs for distributed network fabrics. While they communicate across Internet-based transport for branch connectivity, their peering and management interfaces are not typically configured for direct exposure to the public internet, usually operating within restricted tunnels or behind infrastructure access controls.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Cisco Catalyst SD-WAN could allow an attacker to bypass authentication and gain administrative control over your network. Because the system improperly handles authentication requests, an attacker can use specially crafted requests to access sensitive network configurations and make unauthorized changes. This deserves immediate attention due to the potential for widespread network disruption.

  • Allows remote takeover of network control.
  • Affects critical network management systems.
  • Enables unauthorized configuration changes.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can target Cisco Catalyst SD-WAN Controller or Manager systems. By sending crafted network requests, they can bypass authentication and gain administrative access. This allows them to manipulate the entire SD-WAN fabric's configuration via NETCONF.

  • Network access required.
  • Target peering authentication.
  • Bypasses login controls.

Live Threat

Current exploitation, exposure, and threat context

This CVE is of significant interest to attackers due to its ability to grant unauthenticated administrative privileges on Cisco SD-WAN systems, which control network configurations. The vulnerability allows an attacker to bypass authentication and gain access to NETCONF, enabling manipulation of the entire SD-WAN fabric. While the exact threat landscape is still emerging, the critical nature of the affected systems makes this a prime target.

  • KEV listed.
  • Direct administrative access.
  • Control over network fabric.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability allows unauthenticated remote attackers to gain administrative privileges and manipulate network configurations. Prioritize immediate investigation and mitigation for all affected Cisco Catalyst SD-WAN Controller and Manager systems. Given this is a known exploited vulnerability, focus on patching or isolation to minimize risk.

  • Apply Cisco security updates: 20.9.8.2, 20.12.5.3, 20.15.4.2, or 20.18.2.1 and later.
  • If patching is delayed, isolate affected systems from untrusted networks.
  • Monitor for suspicious NETCONF activity and unauthorized configuration changes.
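The first remediation bullet is only actionable once you know which of your SD-WAN Manager instances sit inside an affected range. The following Python is an added example, not Cisco's or this advisory's own tooling: it transcribes the affected-version ranges and fixed releases listed on this page into a small checker and runs it over a constructed inventory. Two assumptions are made: the page's standalone 20.12.6 entry is treated as matching any 20.12.6.x build, and a version in no listed range (for example 20.10.x) is reported as not listed, which is all the page supports.

```python
"""Check SD-WAN Manager version strings against the affected-version ranges
this page lists for CVE-2026-20127 (added example, not vendor tooling)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'20.12.5.3' -> (20, 12, 5, 3); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


# (inclusive lower bound or None, exclusive upper bound, fixed release named on the page)
AFFECTED_RANGES = [
    (None, parse_version("20.9.8.2"), "20.9.8.2"),
    (parse_version("20.11"), parse_version("20.12.5.3"), "20.12.5.3"),
    (parse_version("20.13"), parse_version("20.15.4.2"), "20.15.4.2"),
    (parse_version("20.16"), parse_version("20.18.2.1"), "20.18.2.1"),
]
# The page lists 20.12.6 on its own, with no bounds and no named fix.
# Treating it as "any 20.12.6.x build" is an assumption of this example.
AFFECTED_PREFIX = parse_version("20.12.6")


@dataclass(frozen=True)
class Assessment:
    version: str
    affected: bool
    fix: Optional[str]  # release the page names for the matching range, if any


def assess(version: str) -> Assessment:
    """Classify one version string against the page's ranges."""
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        # Tuple comparison handles mixed lengths: (20, 12, 4, 1) >= (20, 11) is True.
        if (low is None or v >= low) and v < high:
            return Assessment(version, True, fix)
    if v[: len(AFFECTED_PREFIX)] == AFFECTED_PREFIX:
        return Assessment(version, True, None)
    return Assessment(version, False, None)


def affected_hosts(inventory: Dict[str, str]) -> List[Assessment]:
    """Return assessments for every host whose version is affected, in host order."""
    return [a for host in sorted(inventory) if (a := assess(inventory[host])).affected]


# Constructed inventory for the example (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "sdwan-mgr-01": "20.9.7.1",   # before 20.9.8.2
    "sdwan-mgr-02": "20.12.4.1",  # 20.11 to before 20.12.5.3
    "sdwan-mgr-03": "20.12.5.3",  # fixed release
    "sdwan-mgr-04": "20.15.4.2",  # fixed release
    "sdwan-mgr-05": "20.18.1.1",  # 20.16 to before 20.18.2.1
    "sdwan-mgr-06": "20.12.6",    # standalone entry on the page
}

if __name__ == "__main__":
    for host in sorted(SAMPLE_INVENTORY):
        a = assess(SAMPLE_INVENTORY[host])
        status = f"AFFECTED, move to {a.fix or 'a fixed release (none named for this entry)'}" if a.affected else "not listed"
        print(f"{host:14} {a.version:10} {status}")
```

Feed it the version column of your real inventory export; a host reported as affected with no named fix is the 20.12.6 case, where the page gives no specific target release and the vendor advisory should be consulted directly.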

Frequently asked questions

What are Cisco Catalyst SD-WAN Controller and Manager?

Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) are components used to manage and control software-defined wide area networks. They allow organizations to centralize the configuration and management of their network infrastructure, including connecting branch offices and managing traffic flow across the network fabric.

What is the weakness in CVE-2026-20127?

CVE-2026-20127 is a weakness classified as CWE-287, focusing on improper authentication. This means the system incorrectly verifies the identity of users or systems attempting to connect, allowing an attacker to bypass normal login procedures.

How can an attacker exploit CVE-2026-20127?

An attacker can exploit this vulnerability by sending specifically crafted requests to the affected Cisco SD-WAN systems. This can bypass the normal authentication process, granting the attacker administrative privileges without needing valid credentials. The system's peering authentication mechanism is not functioning correctly, making it susceptible to these crafted requests.

Who is most at risk from this vulnerability?

Organizations using Cisco Catalyst SD-WAN Controller or Manager systems are at risk. While these systems are not typically exposed directly to the public internet, their internal communication and management interfaces could be targeted if an attacker gains initial access to the network. The potential for administrative control over the entire SD-WAN fabric makes this a significant concern for network security.

What should I do if I run Cisco Catalyst SD-WAN?

If you are running affected Cisco Catalyst SD-WAN Controller or Manager systems, you should prioritize applying security updates provided by Cisco. If immediate patching is not possible, consider isolating the affected systems from untrusted networks. It is also advisable to monitor for any unusual activity, such as unexpected configuration changes or suspicious NETCONF access.
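The monitoring advice above (watch for suspicious NETCONF access and unexpected configuration changes) is easier to act on with a concrete triage rule. The Python below is an added example and not Cisco's logging format or detection content: the key=value log schema, the sample lines, the allow-list of expected NETCONF peers, the change window and the sensitive-subtree prefixes are all constructed for the example, and a real deployment would map its own SD-WAN Manager audit log fields onto parse_line(). It flags three things: any NETCONF activity from a source that is not a known peer, configuration commits to authentication-related subtrees, and commits outside the approved change window.

```python
"""Triage constructed SD-WAN Manager audit log lines for NETCONF sessions from
unexpected sources and unauthorized configuration changes (added example)."""
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample lines; not captured from a real device. Format is an assumption.
SAMPLE_LOG = """\
2026-03-01T02:30:10Z src=10.1.1.6 user=netadmin proto=netconf event=config_commit path=/vpn/0/ip/route
2026-03-01T10:15:02Z src=10.1.1.5 user=netadmin proto=netconf event=session_open
2026-03-01T10:15:09Z src=10.1.1.5 user=netadmin proto=netconf event=config_commit path=/vpn/1/interface/ge0/0
2026-03-01T11:02:44Z src=198.51.100.23 user=admin proto=netconf event=session_open
2026-03-01T11:03:01Z src=198.51.100.23 user=admin proto=netconf event=config_commit path=/system/aaa/user/backup
2026-03-01T11:05:00Z src=10.1.1.5 user=netadmin proto=ssh event=session_open
"""

# Assumptions for this example: the controllers/peers expected to open NETCONF
# sessions, an approved change window in UTC hours [start, end), and the
# configuration subtrees whose modification is alerted on regardless of source.
ALLOWED_NETCONF_PEERS = {"10.1.1.5", "10.1.1.6"}
CHANGE_WINDOW_UTC = (9, 17)
SENSITIVE_PATH_PREFIXES = ("/system/aaa", "/system/user")

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> Dict[str, str]:
    """Parse one 'timestamp key=value ...' line into a dict; ValueError on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed line: {line!r}")
    fields = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" not in token:
            raise ValueError(f"bad token {token!r} in {line!r}")
        key, value = token.split("=", 1)
        fields[key] = value
    return fields


def in_change_window(ts: str) -> bool:
    """True when the UTC hour of the timestamp falls inside CHANGE_WINDOW_UTC."""
    hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
    return CHANGE_WINDOW_UTC[0] <= hour < CHANGE_WINDOW_UTC[1]


def _finding(ev: Dict[str, str], severity: str, reason: str) -> Dict[str, str]:
    return {"ts": ev["ts"], "src": ev.get("src", "?"), "user": ev.get("user", "?"),
            "severity": severity, "reason": reason}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious NETCONF event; other protocols are ignored."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("proto") != "netconf":
            continue
        src, event, path = ev.get("src", "?"), ev.get("event", "?"), ev.get("path", "")
        if src not in ALLOWED_NETCONF_PEERS:
            findings.append(_finding(ev, "high", f"netconf {event} from non-allow-listed source"))
        if event == "config_commit":
            if path.startswith(SENSITIVE_PATH_PREFIXES):
                findings.append(_finding(ev, "critical", f"config change to sensitive subtree {path}"))
            elif not in_change_window(ev["ts"]):
                findings.append(_finding(ev, "medium", f"config change outside change window: {path}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ts']} src={f['src']} user={f['user']} {f['reason']}")
```

On the sample the rule yields four findings: an out-of-window commit from a known peer (medium), two events from the unknown source 198.51.100.23 (high), and that source's commit under /system/aaa (critical). Keeping the peer allow-list and the sensitive prefixes as data rather than code lets the same rule be re-pointed at the real controller addresses and the subtrees that matter in a given fabric.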
