Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Cisco Catalyst SD-WAN Controller/Manager authentication-bypass flaw (CVE-2026-20127)

Vulnerability
First reported
Last updated
Happening score
H score 60
2 unique sources, 2 articles

Summary

Hide ▲

The CVE-2026-20127 flaw in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager is being actively exploited to let unauthenticated attackers bypass authentication and gain administrative privileges. The issue affects exposed SD-WAN management systems across on-prem and hosted cloud deployments, including FedRAMP environments. Malicious activity tied to the flaw dates back to 2023, making internet-facing instances an urgent compromise risk.

Related Happenings

OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)

Exploitation Wave
First: 17.05.2026 14:57 Last: 17.05.2026 14:57 Sources 1

About this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...

Open Happening

CISA KEV remediation order for Cisco Catalyst SD-WAN Controller CVE-2026-20182

Public Sector Action
First: 15.05.2026 08:28 Last: 15.05.2026 08:28 Sources 1

About this happening: **CISA** added **CVE-2026-20182** to the **KEV catalog** and ordered **Federal Civilian Executive Branch agencies** to remediate **Cisco Catalyst SD-WAN Controller** by **May 17,...

Open Happening

Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)

Vulnerability
First: 14.05.2026 23:09 Last: 14.05.2026 23:09 Sources 1

About this happening: **CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...

Latest development: 14.05.2026 23:25

Cisco released a patch for CVE-2026-20182, giving organizations using Cisco Catalyst SD-WAN Controllers a way to block the authentication bypass before UAT-8616 can continue using it for administrative access, SSH key insertion, NETCONF changes, and root escalation.

Open Happening

PAN-OS User-ID Authentication Portal mitigation guidance (CVE-2026-0300)

Advisory/Mitigation
First: 06.05.2026 09:14 Last: 06.05.2026 09:14 Sources 1

About this happening: Palo Alto Networks issued **mitigation guidance** for **CVE-2026-0300** after the **PAN-OS User-ID Authentication Portal** flaw was reported **exploited in the wild**, leaving pub...

Open Happening

Cisco Catalyst SD-WAN Manager information disclosure vulnerability (CVE-2026-20133)

Vulnerability
First: 21.04.2026 15:30 Last: 21.04.2026 15:30 Sources 1

About this happening: CISA moved **CVE-2026-20133** in **Cisco Catalyst SD-WAN Manager** into its **KEV Catalog**, signaling **active exploitation** against **unpatched devices** and forcing **FCEB age...

Open Happening

Timeline

  1. 26.02.2026 08:13 1 articles · 3mo ago

    Cisco discloses CVE-2026-20127 in Cisco SD-WAN products

    Initial Disclosure

    Cisco disclosed CVE-2026-20127 in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager, describing a CVSS 10.0 flaw in which the peering authentication mechanism does not work properly and an unauthenticated remote attacker can send a crafted request to bypass authentication and obtain administrative privileges; Cisco and ASD-ACSC said UAT-8616 has actively exploited the issue since 2023, and Cisco said the flaw is addressed in fixed Cisco Catalyst SD-WAN releases.

    Show sources
    Open in new tab
  2. 26.02.2026 08:13 2 articles · 3mo ago

    CISA adds the Cisco SD-WAN flaws to KEV and issues Emergency Directive 26-03

    Legal Policy Action Update

    CISA added CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) catalog and issued Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems, ordering Federal Civilian Executive Branch agencies to inventory SD-WAN devices, apply updates, and assess potential compromise by the stated February 26, March 5, and March 26, 2026 deadlines.

    Show sources
    Open in new tab