Cisco Catalyst SD-WAN Critical Vulnerabilities

Overview

• CVE: CVE-2026-20127, CVE-2026-20129

• Severity: Critical

• Date: 26 February 2026

Summary

Cisco has released urgent security updates addressing critical vulnerabilities in Catalyst SD-WAN Manager and Controller. These flaws allow unauthenticated remote attackers to bypass authentication and gain administrative privileges or execute commands as a netadmin. Immediate patching is required.

Affected Versions

• Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart)

• Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage)

Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by CVE-2026-20129.
Refer to Cisco’s security advisories for exact affected versions and fixed releases.

Vulnerability Breakdown

CVE-2026-20127 - Peering Authentication Bypass

• Severity: Critical

• CVSS: 10.0

• Description: A vulnerability in the peering authentication mechanism allows an unauthenticated, remote attacker to bypass authentication.

• Impact: Successful exploitation allows the attacker to log in as a high-privileged, non-root user and manipulate network configuration via NETCONF.

• Conditions: Remote access to an affected system; no authentication required.

CVE-2026-20129 - API Authentication Bypass

• Severity: Critical

• CVSS: 9.8

• Description: Improper authentication for API requests allows an unauthenticated, remote attacker to gain access.

• Impact: Execution of commands with netadmin privileges.

• Conditions: Remote access to the API of an affected system; no authentication required.

• Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected.

Mitigation

• Upgrade affected Cisco Catalyst SD-WAN Controller and SD-WAN Manager systems to fixed versions as outlined in Cisco’s security advisories.

• Prioritise systems exposed to untrusted networks.

• Restrict management and API access until patching is completed.

Summary for IT Teams

• Products: Cisco Catalyst SD-WAN Controller and SD-WAN Manager

• Threat Level: Critical

• Risk: Unauthenticated remote administrative access and SD-WAN fabric manipulation

• Action Required:

  • Identify affected SD-WAN deployments.

  • Upgrade to vendor-provided fixed releases immediately.

  • Restrict management/API exposure pending remediation.

Reference

• Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

• Cisco Catalyst SD-WAN Manager Authentication Bypass Vulnerability

Need Help?

If your organisation needs assistance assessing or patching your environment, the Secure ISS SOC team is ready to help. Please get in touch on 1300 769 460 or email us.