Cisco Catalyst SD-WAN Controller/Manager authentication-bypass flaw (CVE-2026-20127)
Vulnerability
Summary
Hide ▲
Show ▼
The CVE-2026-20127 flaw in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager is being actively exploited to let unauthenticated attackers bypass authentication and gain administrative privileges. The issue affects exposed SD-WAN management systems across on-prem and hosted cloud deployments, including FedRAMP environments. Malicious activity tied to the flaw dates back to 2023, making internet-facing instances an urgent compromise risk.
Related Happenings
Cisco Catalyst SD-WAN unauthorized peering and SSH access campaign
Campaign
H score38
First: 25.06.2026 17:15
Last: 25.06.2026 17:15
Sources 1
About this happening:
An active **campaign** used **unauthorized peering connections** and **SSH access** to maintain footholds inside a **service provider's Cisco Catalyst SD-WAN** environment, increa...
Cisco Catalyst SD-WAN unauthorized peering and SSH access campaign
CampaignAbout this happening: An active **campaign** used **unauthorized peering connections** and **SSH access** to maintain footholds inside a **service provider's Cisco Catalyst SD-WAN** environment, increa...
Cisco Catalyst SD-WAN Manager actively exploited file upload overwrite flaw (CVE-2026-20262)
Vulnerability
H score24
First: 15.06.2026 20:12
Last: 15.06.2026 20:12
Sources 1
About this happening:
**Cisco Catalyst SD-WAN Manager** was patched for **CVE-2026-20262** after attackers used it to **create or overwrite files** and **escalate to root** across **all deployment type...
Cisco Catalyst SD-WAN Manager actively exploited file upload overwrite flaw (CVE-2026-20262)
VulnerabilityAbout this happening: **Cisco Catalyst SD-WAN Manager** was patched for **CVE-2026-20262** after attackers used it to **create or overwrite files** and **escalate to root** across **all deployment type...
Cisco Catalyst SD-WAN Manager root privilege escalation flaw (CVE-2026-20245)
Vulnerability
H score60
First: 05.06.2026 09:24
Last: 05.06.2026 09:24
Sources 1
About this happening:
**CVE-2026-20245** in **Cisco Catalyst SD-WAN Manager** is an **actively exploited** **high-severity** vulnerability that can let an **authenticated local attacker** with **netadm...
Cisco Catalyst SD-WAN Manager root privilege escalation flaw (CVE-2026-20245)
VulnerabilityAbout this happening: **CVE-2026-20245** in **Cisco Catalyst SD-WAN Manager** is an **actively exploited** **high-severity** vulnerability that can let an **authenticated local attacker** with **netadm...
Latest development: 06.06.2026 07:19
Cisco warned that CVE-2026-20245 in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, is under active exploitation and can let an authenticated local attacker with netadmin privileges upload a crafted file to execute arbitrary commands as root. Cisco said the flaw affects On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP), that limited exploitation has already resulted in configuration changes pushed to edge devices, and that no patches or mitigations are currently available. Cisco also advised checking /var/log/scripts.log for indicators of compromise and credited Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan with discovering and reporting the issue.
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation Wave
H score46
First: 17.05.2026 14:57
Last: 17.05.2026 14:57
Sources 1
About this happening:
**openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation WaveAbout this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
CISA KEV remediation order for Cisco Catalyst SD-WAN Controller CVE-2026-20182
Public Sector Action
H score59
First: 15.05.2026 08:28
Last: 15.05.2026 08:28
Sources 1
About this happening:
**CISA** added **CVE-2026-20182** to the **KEV catalog** and ordered **Federal Civilian Executive Branch agencies** to remediate **Cisco Catalyst SD-WAN Controller** by **May 17,...
CISA KEV remediation order for Cisco Catalyst SD-WAN Controller CVE-2026-20182
Public Sector ActionAbout this happening: **CISA** added **CVE-2026-20182** to the **KEV catalog** and ordered **Federal Civilian Executive Branch agencies** to remediate **Cisco Catalyst SD-WAN Controller** by **May 17,...
Timeline
-
26.02.2026 08:13 1 articles · 4mo ago
Cisco discloses CVE-2026-20127 in Cisco SD-WAN products
Initial DisclosureCisco disclosed CVE-2026-20127 in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager, describing a CVSS 10.0 flaw in which the peering authentication mechanism does not work properly and an unauthenticated remote attacker can send a crafted request to bypass authentication and obtain administrative privileges; Cisco and ASD-ACSC said UAT-8616 has actively exploited the issue since 2023, and Cisco said the flaw is addressed in fixed Cisco Catalyst SD-WAN releases.
Show sources
- Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access — thehackernews.com — 26.02.2026 08:13
-
26.02.2026 08:13 2 articles · 4mo ago
CISA adds the Cisco SD-WAN flaws to KEV and issues Emergency Directive 26-03
Legal Policy Action UpdateCISA added CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) catalog and issued Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems, ordering Federal Civilian Executive Branch agencies to inventory SD-WAN devices, apply updates, and assess potential compromise by the stated February 26, March 5, and March 26, 2026 deadlines.
Show sources
- Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access — thehackernews.com — 26.02.2026 08:13
- CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws — www.infosecurity-magazine.com — 12.03.2026 14:45