Threats / Cisco / CVE-2026-20127
CVE-2026-20127
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Cisco Catalyst SD-WAN Controller and Manager vulnerability
Authentication bypass in Cisco Catalyst SD-WAN Controller and Manager allows unauthenticated remote attackers to gain administrative privileges and manipulate SD-WAN fabric network configuration.
Verdict
Today item — known-exploited.
An unauthenticated remote attacker can bypass peering authentication via crafted requests, obtain high-privileged account access, and leverage NETCONF to alter SD-WAN fabric configuration, compromising network integrity and availability.
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Fully weaponized — public exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
16 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-02-25).
Probability (EPSS)
EPSS 0.48158 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Cisco, Catalyst SD-WAN Controller and Manager. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-287 Improper Authentication — weakness family: Authentication.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I send crafted requests to the SD-WAN Controller or Manager to exploit the broken peering authentication mechanism.
Business
Network perimeter security is compromised as the authentication layer fails to validate legitimate access requests.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I bypass authentication checks and obtain login credentials for an internal, high-privileged non-root user account.
Business
Administrative access is granted to an unauthorized external party without credential compromise or social engineering.
3
Lateral reach — past segmentation narrative 3
Attacker
I access the NETCONF interface using the compromised high-privileged account to issue configuration commands.
Business
Attackers gain direct control over SD-WAN fabric network configuration and routing policies.
4
Data at risk — exfiltration narrative 4
Attacker
I manipulate network configuration to redirect traffic, isolate segments, or degrade SD-WAN performance.
Business
Network availability and data integrity are compromised; business operations dependent on SD-WAN connectivity are disrupted.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05