6 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
CVE‑2026‑20127: A critical zero‑day vulnerability in Cisco Catalyst SD‑WAN Controller and Manager is being actively exploited in the wild. The flaw allows attackers to completely bypass authentication by sending crafted control‑plane requests, enabling full, unauthorized access to the SD‑WAN management plane. Cisco has released fixed software versions across all supported release trains, and affected organizations must upgrade immediately using the official advisory. Due to active exploitation and the central role of SD‑WAN in enterprise networks, this vulnerability should be treated as an emergency, with strict access controls applied until remediation is complete.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Authentication Bypass in Cisco Catalyst
SD-WAN Controller and Manager
CVSS Score: 10.0 (Critical, CVSS v3.1)
Identifier: CVE-2026-20127
PoC or Exploitation:
CVE-2026-20127 is a critical zero-day vulnerability that has been actively exploited in the wild.
Update/ Patch:
Cisco has released fixed software versions for all supported Catalyst SD-WAN release trains. Affected organizations should upgrade immediately according to their deployment version.
Cisco official security advisory and fixed-version guidance: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
General upgrade guidance includes:
Releases earlier than 20.9 must migrate to a supported fixed release
20.9 → upgrade to 20.9.8.2 or later
20.11 → upgrade to 20.12.6.1 or later
20.12.5 → upgrade to 20.12.5.3 or later
20.12.6 → upgrade to 20.12.6.1 or later
20.13, 20.14, 20.15 → upgrade to 20.15.4.2 or later
20.16, 20.18 → upgrade to 20.18.2.1 or later
Description:
CVE-2026-20127 is an unauthenticated authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager. Due to improper authentication handling in the control-plane peering mechanism, an attacker can send crafted requests to bypass login controls entirely.
Mitigation Recommendation:
Immediately upgrade all Cisco Catalyst SD-WAN Controller and Manager instances to Cisco's fixed versions listed in the official advisory.
Treat this vulnerability as an emergency due to confirmed active exploitation and its impact on the SD-WAN control plane.
Restrict management and control-plane access to trusted administrative networks only using firewalls, ACLs, and network segmentation.
