CVE-2026-20127 exploited since 2023, Cisco SD-WAN networks at risk
Cisco, Talos and allied agencies warn a CVSS 10.0 authentication-bypass in Catalyst SD-WAN Controller and Manager has been exploited since 2023; immediate patching urged.

Cisco Talos and international cyber agencies warn that a maximum-severity authentication-bypass zero-day, tracked as CVE-2026-20127, has been actively exploited in the wild since at least 2023, allowing attackers to gain administrative access to core SD-WAN control systems and manipulate enterprise networks. Cisco released advisory cisco-sa-sdwan-rpa-EHchtZk on February 25, 2026, and intelligence partners are treating the campaign with urgency because control-plane compromise can reshape the behavior of entire SD-WAN fabrics.
Talos is tracking the activity under the cluster name UAT-8616 and assesses with high confidence that a highly sophisticated threat actor has used the vulnerability since 2023. The flaw affects Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). Security reporting lists the vulnerability with a CVSS score of 10.0 and describes a root cause tied to a peering authentication mechanism that is not working properly.
A successful exploit allows an unauthenticated remote attacker to log in as an internal, high-privileged non-root account and then access NETCONF to manipulate fabric configuration. Intelligence partners and Talos observed a recurring post-exploit sequence: attackers add a rogue peer to the management and control plane, downgrade software deliberately to reintroduce an older path-traversal flaw, escalate to root, then restore the original software version to hinder detection. The older flaw exploited in the escalation is CVE-2022-20775, a 2022 path traversal issue.
The Australian Signals Directorate's Australian Cyber Security Centre (ASD ACSC) put the danger plainly: “The vulnerability allowed a malicious cyber actor to create a rogue peer joined to the network management plane, or control plane, of an organization's SD-WAN. The rogue device appears as a new but temporary, actor-controlled SD-WAN component that can conduct trusted actions within the management and control plane.” Cisco also warned that “Cisco Catalyst SD-WAN Controller systems that are exposed to the internet and that have ports exposed to the internet are at risk of exposure to compromise.”
Researchers and vendors are urging immediate patching and active hunting. Tenable and other responders note that temporary mitigation guidance is available in Cisco’s advisory but no full workaround exists; immediate patching of affected systems is the recommended priority. Investigative steps publicized by responders include auditing auth logs for entries such as "Accepted publickey for vmanage-admin" and cross-checking any unfamiliar auth IPs against configured System IPs in the Manager WebUI. Teams are also advised to hunt for unexpected or temporary peers in the control plane and for signs of version downgrade and subsequent restoration.
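The log-audit step above, as an added example that is not part of the original article or of Cisco's guidance: it scans constructed OpenSSH-style auth log lines for the "Accepted publickey for vmanage-admin" entry the responders cite and flags any whose source address is not in an assumed set of configured System IPs (the exact log layout on a Catalyst SD-WAN Manager and the System IP list are assumptions).

```python
import re
from ipaddress import ip_address

# Constructed sample auth log lines in OpenSSH syslog format (assumed;
# the real appliance layout may differ). Addresses are RFC 5737 examples.
SAMPLE_AUTH_LOG = """\
Feb 26 08:01:10 vmanage sshd[2211]: Accepted publickey for vmanage-admin from 10.10.10.2 port 41122 ssh2: RSA SHA256:constructed1
Feb 26 08:02:33 vmanage sshd[2240]: Accepted password for admin from 10.10.10.50 port 51000 ssh2
Feb 26 08:05:47 vmanage sshd[2302]: Accepted publickey for vmanage-admin from 203.0.113.77 port 60211 ssh2: RSA SHA256:constructed2
Feb 26 08:06:01 vmanage sshd[2310]: Failed password for vmanage-admin from 198.51.100.9 port 22 ssh2
"""

# Constructed: System IPs of legitimate fabric peers. In practice this set
# would be exported from the Manager WebUI / controller inventory.
KNOWN_SYSTEM_IPS = {"10.10.10.1", "10.10.10.2", "10.10.10.3"}

# Matches the exact log string named in the responders' hunting guidance.
PATTERN = re.compile(
    r"Accepted publickey for vmanage-admin from (?P<ip>[0-9a-fA-F.:]+)"
)


def vmanage_admin_logins(log_text):
    """Yield (source_ip, line) for every vmanage-admin public-key login."""
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue
        src = m.group("ip")
        try:
            ip_address(src)  # skip tokens that are not valid addresses
        except ValueError:
            continue
        yield src, line


def find_suspect_logins(log_text, known_system_ips):
    """Return logins whose source is not a configured System IP.

    A hit is a lead for review, not proof of compromise: an unlisted
    address may be a legitimate peer missing from the inventory export.
    """
    return [(ip, line) for ip, line in vmanage_admin_logins(log_text)
            if ip not in known_system_ips]


if __name__ == "__main__":
    for ip, line in find_suspect_logins(SAMPLE_AUTH_LOG, KNOWN_SYSTEM_IPS):
        print(f"REVIEW {ip}: {line}")
```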
The scale of the risk is underscored by internet scanning data: GreyNoise reported 2.97 billion malicious sessions from 3.8 million unique source IPs targeting internet-facing infrastructure in H2 2025, illustrating how quickly exploitation traffic can scale once attackers focus on an exposed surface. Polygraf AI CEO Yagub Rahimov framed the technical sophistication: “After gaining initial access through the authentication bypass, the attacker deliberately downgraded the software to re‑expose CVE‑2022‑20775 – a 2022 path traversal flaw that, in isolation, required authenticated access and carried moderate risk.” He added, “Chaining it with an authentication bypass makes it into something different: a path to persistent root access across the entire SD‑WAN fabric. That transformation is the sophisticated part.”
Because the vulnerability targets control-plane components, defenders should treat exposed controllers as high priority, consult Cisco’s advisory for addressed versions and mitigations, and follow the ASD-ACSC and Talos hunting guidance shared with CISA and NSA partners.