About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
CVSS Score: 10.0 (Critical, CVSS v3.1)
Identifier: CVE-2026-20127
PoC or Exploitation:
CVE-2026-20127 is a critical zero-day vulnerability that has been actively exploited in the wild.
Update/ Patch:
Cisco has released fixed software versions for all supported Catalyst SD-WAN release trains. Affected organizations should upgrade immediately according to their deployment version.
Cisco official security advisory and fixed-version guidance: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
General upgrade guidance includes:
Releases earlier than 20.9 must migrate to a supported fixed release
20.9 → upgrade to 20.9.8.2 or later
20.11 → upgrade to 20.12.6.1 or later
20.12.5 → upgrade to 20.12.5.3 or later
20.12.6 → upgrade to 20.12.6.1 or later
20.13, 20.14, 20.15 → upgrade to 20.15.4.2 or later
20.16, 20.18 → upgrade to 20.18.2.1 or later
Mitigation Recommendation:
Immediately upgrade all Cisco Catalyst SD-WAN Controller and Manager instances to Cisco's fixed versions listed in the official advisory.
Treat this vulnerability as an emergency due to confirmed active exploitation and its impact on the SD-WAN control plane.
Restrict management and control-plane access to trusted administrative networks only using firewalls, ACLs, and network segmentation.