Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023
Summary
A critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN has been actively exploited in zero-day attacks since at least 2023. The flaw allows remote attackers to compromise controllers and add malicious rogue peers to targeted networks. The vulnerability stems from a peering authentication mechanism that does not work properly, enabling attackers to log in as high-privileged users and manipulate network configurations. Cisco has released software updates to address the issue, and CISA has issued an emergency directive requiring federal agencies to patch affected systems by February 27, 2026.
Timeline
- 25.02.2026 20:01 · 1 article
  Critical Cisco SD-WAN Bug Exploited in Zero-Day Attacks Since 2023
  A critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN has been actively exploited in zero-day attacks since at least 2023. The flaw allows remote attackers to compromise controllers and add malicious rogue peers to targeted networks. Cisco has released software updates to address the issue, and CISA has issued an emergency directive requiring federal agencies to patch affected systems by February 27, 2026.
  Sources:
  - Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023 — www.bleepingcomputer.com — 25.02.2026 20:01
Information Snippets
- CVE-2026-20127 affects Cisco Catalyst SD-WAN Controller and Manager in on-prem and cloud installations.
  First reported: 25.02.2026 20:01 · 1 source, 1 article
  - Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023 — www.bleepingcomputer.com — 25.02.2026 20:01
- The vulnerability has a maximum severity rating of 10.0.
  First reported: 25.02.2026 20:01 · 1 source, 1 article
  - Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023 — www.bleepingcomputer.com — 25.02.2026 20:01
- Attackers exploit the flaw by sending crafted requests to affected systems.
  First reported: 25.02.2026 20:01 · 1 source, 1 article
  - Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023 — www.bleepingcomputer.com — 25.02.2026 20:01
- Successful exploitation allows attackers to log in as high-privileged users and manipulate network configurations.
  First reported: 25.02.2026 20:01 · 1 source, 1 article
  - Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023 — www.bleepingcomputer.com — 25.02.2026 20:01
- The flaw was reported by the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC).
  First reported: 25.02.2026 20:01 · 1 source, 1 article
  - Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023 — www.bleepingcomputer.com — 25.02.2026 20:01
- Cisco Talos tracks the malicious activity under UAT-8616, attributed to a highly sophisticated threat actor.
  First reported: 25.02.2026 20:01 · 1 source, 1 article
  - Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023 — www.bleepingcomputer.com — 25.02.2026 20:01
- Attackers likely escalated to root access by exploiting CVE-2022-20775 and restoring the original firmware version.
  First reported: 25.02.2026 20:01 · 1 source, 1 article
  - Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023 — www.bleepingcomputer.com — 25.02.2026 20:01
- CISA issued Emergency Directive 26-03 requiring federal agencies to patch affected systems by February 27, 2026.
  First reported: 25.02.2026 20:01 · 1 source, 1 article
  - Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023 — www.bleepingcomputer.com — 25.02.2026 20:01
- Cisco has released software updates to address the vulnerability, with no workarounds that fully mitigate the issue.
  First reported: 25.02.2026 20:01 · 1 source, 1 article
  - Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023 — www.bleepingcomputer.com — 25.02.2026 20:01