Summary

A critical vulnerability, identified as CVE-2026-20127, has been discovered in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager.

This flaw allows an unauthenticated, remote attacker to bypass authentication and gain administrative privileges on the affected systems. The vulnerability is due to improper functioning of the peering authentication mechanism, which can be exploited by sending crafted requests to the system.

Successful exploitation grants the attacker access to NETCONF, enabling manipulation of network configurations within the SD-WAN fabric. Then in correlation with CVE-2022-20775, and a version downgrade, root can be established.

Affected Systems and/or Applications

The following versions of Cisco Catalyst SD-WAN Manager are affected:

• 17.2.4 to 20.18.2
• 20.1.1 to 20.18.2
• 20.3.1 to 20.18.2
• 20.4.1 to 20.18.2
• 20.5.0.1.1 to 20.18.2
• 20.6.0.18.3 to 20.18.2
• 20.7.1 to 20.18.2
• 20.8.1 to 20.18.2
• 20.9.1 to 20.18.2
• 20.10.1 to 20.18.2
• 20.11.1 to 20.18.2
• 20.12.1 to 20.18.2
• 20.13.1 to 20.18.2
• 20.14.1 to 20.18.2
• 20.15.1 to 20.18.2
• 20.16.1 to 20.18.2

Technical Details

The vulnerability is classified as a base 10 score with the additional vector scoring:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H


This indicates:

• Network attack vector
• Low attack complexity
• No privileges required
• No user interaction needed
• Scope changed
• High impact on confidentiality, integrity, and availability

The flaw arises from a malfunction in the peering authentication mechanism, which fails to properly validate requests. An attacker can exploit this by crafting specific requests that bypass authentication controls.

Once authenticated as a high-privileged, non-root user, the attacker can:

• Access NETCONF
• Modify SD-WAN fabric configurations
• Potentially disrupt network operations

Chaining with CVE-2022-20775 for Root Access

CVE-2022-20775 is a separate privilege escalation vulnerability affecting Cisco SD-WAN components. While CVE-2026-20127 provides unauthenticated administrative access (non-root), CVE-2022-20775 can allow a locally authenticated attacker to escalate privileges to root. It should be noted that this chain has been seen actively exploited.

Attack chain scenario:

1. Exploit CVE-2026-20127 to bypass authentication and gain administrative access.
2. Establish authenticated shell or system-level access. Use permissions to downgrade device versioning
3. Exploit CVE-2022-20775 to elevate privileges from administrator to root.
4. Obtain full control of the underlying operating system.

Successful chaining significantly increases impact by enabling:

• Complete device takeover
• Persistent backdoor installation
• Tampering with logging and forensic artifacts

- Lateral movement across the SD-WAN fabric

Mitigation

Cisco has released software updates to address this vulnerability. Administrators should upgrade to the first fixed release applicable to their current software version as outlined below:

Cisco Catalyst SD-WAN Release First Fixed Release

Earlier than 20.9.1                         Migrate to a fixed release

20.9                                               20.9.8.2 (Estimated release February 27, 2026)

20.11.1                                            20.12.6.1

20.12.5 20.12.6                             20.12.5.3 20.12.6.1

20.13.1                                           20.15.4.2

20.14.1                                           20.15.4.2

20.15                                             20.15.4.2

20.16.1                                           20.18.2.1

20.18                                             20.18.2.1

Important: Organizations running versions earlier than 20.9.1 should migrate to a supported fixed release as soon as possible.

Additional recommended security measures:

• Implement network segmentation
• Enforce strict access controls
• Continuously monitor for suspicious activity
• Review logs for indicators of compromise, including unauthorized NETCONF access

What the Cyber Fusion Center is Doing

The CFC is monitoring the situation and analyzing the case to identify potential threat-hunting campaigns. This advisory will be updated if required. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.

References

• Cisco Security Advisory:
  [https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk )
• CISA Known Exploited Vulnerabilities Catalog:
  [https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20127](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20127

‍

‍