Find notable cyber news and cases, enriched with sources, timelines, and signals.

Cisco Catalyst SD-WAN Controller/Manager authentication-bypass flaw (CVE-2026-20127)

Vulnerability
First reported
Last updated
Happening score
H score 55
2 unique sources, 2 articles

Summary

Hide ▲

The CVE-2026-20127 flaw in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager is being actively exploited to let unauthenticated attackers bypass authentication and gain administrative privileges. The issue affects exposed SD-WAN management systems across on-prem and hosted cloud deployments, including FedRAMP environments. Malicious activity tied to the flaw dates back to 2023, making internet-facing instances an urgent compromise risk.

Related Happenings

Cisco Catalyst SD-WAN unauthorized peering and SSH access campaign

Campaign
H score38 First: 25.06.2026 17:15 Last: 25.06.2026 17:15 Sources 1

About this happening: An active **campaign** used **unauthorized peering connections** and **SSH access** to maintain footholds inside a **service provider's Cisco Catalyst SD-WAN** environment, increa...

Cisco Catalyst SD-WAN Manager actively exploited file upload overwrite flaw (CVE-2026-20262)

Vulnerability
H score24 First: 15.06.2026 20:12 Last: 15.06.2026 20:12 Sources 1

About this happening: **Cisco Catalyst SD-WAN Manager** was patched for **CVE-2026-20262** after attackers used it to **create or overwrite files** and **escalate to root** across **all deployment type...

Cisco Catalyst SD-WAN Manager root privilege escalation flaw (CVE-2026-20245)

Vulnerability
H score60 First: 05.06.2026 09:24 Last: 05.06.2026 09:24 Sources 1

About this happening: **CVE-2026-20245** in **Cisco Catalyst SD-WAN Manager** is an **actively exploited** **high-severity** vulnerability that can let an **authenticated local attacker** with **netadm...

Latest development: 06.06.2026 07:19

Cisco warned that CVE-2026-20245 in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, is under active exploitation and can let an authenticated local attacker with netadmin privileges upload a crafted file to execute arbitrary commands as root. Cisco said the flaw affects On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP), that limited exploitation has already resulted in configuration changes pushed to edge devices, and that no patches or mitigations are currently available. Cisco also advised checking /var/log/scripts.log for indicators of compromise and credited Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan with discovering and reporting the issue.

OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)

Exploitation Wave
H score46 First: 17.05.2026 14:57 Last: 17.05.2026 14:57 Sources 1

About this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...

CISA KEV remediation order for Cisco Catalyst SD-WAN Controller CVE-2026-20182

Public Sector Action
H score59 First: 15.05.2026 08:28 Last: 15.05.2026 08:28 Sources 1

About this happening: **CISA** added **CVE-2026-20182** to the **KEV catalog** and ordered **Federal Civilian Executive Branch agencies** to remediate **Cisco Catalyst SD-WAN Controller** by **May 17,...

Timeline

  1. 26.02.2026 08:13 1 articles · 4mo ago

    Cisco discloses CVE-2026-20127 in Cisco SD-WAN products

    Initial Disclosure

    Cisco disclosed CVE-2026-20127 in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager, describing a CVSS 10.0 flaw in which the peering authentication mechanism does not work properly and an unauthenticated remote attacker can send a crafted request to bypass authentication and obtain administrative privileges; Cisco and ASD-ACSC said UAT-8616 has actively exploited the issue since 2023, and Cisco said the flaw is addressed in fixed Cisco Catalyst SD-WAN releases.

    Show sources
  2. 26.02.2026 08:13 2 articles · 4mo ago

    CISA adds the Cisco SD-WAN flaws to KEV and issues Emergency Directive 26-03

    Legal Policy Action Update

    CISA added CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) catalog and issued Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems, ordering Federal Civilian Executive Branch agencies to inventory SD-WAN devices, apply updates, and assess potential compromise by the stated February 26, March 5, and March 26, 2026 deadlines.

    Show sources