On 25 February 2026, Cisco released fixes for a maximum severity authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage), tracked as CVE-2026-20127. The flaw arises from a broken peering authentication mechanism in the control-plane authentication workflow. This vulnerability potentially allows a remote, unauthenticated threat actor to bypass authentication and obtain administrative privileges on an affected system. Successful exploitation can grant access to NETCONF, enabling manipulation of SD-WAN fabric configuration.
At the time of writing, Arctic Wolf has not identified a publicly available proof-of-concept exploit, but Cisco PSIRT and CISA (U.S.) have confirmed exploitation in the wild by sophisticated threat actors. Threat actors may continue to target this vulnerability due to the high operational impact of management-plane compromise, the attractiveness of SD-WAN controllers/managers (especially when the management interface is exposed on the public internet), and historical interest by both state-aligned and criminal actors in Cisco network infrastructure.
Technical Details
Cisco indicates this flaw relates to the peering authentication mechanism. A threat actor can potentially send crafted requests to affected systems to log in as an internal, high-privileged, non-root account and then abuse NETCONF (typically TCP/830) to enumerate, modify, and push templates/policies across the SD-WAN fabric.
Cisco provides guidance for investigating potential compromise, which includes:
- Auditing /var/log/auth.log for entries such as “Accepted publickey for vmanage-admin” from unfamiliar IPs
- Collecting admin-tech bundles for TAC review
- Validating all recent control-plane peering events (with emphasis on vManage peering types, timestamps, source IPs, and device-type consistency).
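As an added illustration of the first audit step (this is not Cisco's or Arctic Wolf's tooling), the following Python script scans auth.log lines for accepted vmanage-admin public-key logins and flags source IPs outside an allowlist. The allowlist entries, the standard OpenSSH log layout, and the sample lines are assumptions constructed for the example.

```python
import ipaddress
import re
import sys
from collections import Counter

# Success line named in Cisco's guidance; standard OpenSSH syslog layout is assumed.
ACCEPTED = re.compile(r"Accepted publickey for vmanage-admin from (?P<ip>[0-9A-Fa-f:.]+) port \d+")

# Assumption: replace with the addresses of your own SD-WAN Manager/Controller peers.
KNOWN_PEERS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "192.0.2.15/32")]

# Constructed sample lines using documentation address ranges, not real log data.
SAMPLE_LOG = """\
Feb 20 03:11:02 vmanage sshd[4121]: Accepted publickey for vmanage-admin from 10.10.0.12 port 51844 ssh2: RSA SHA256:<fingerprint>
Feb 20 03:14:40 vmanage sshd[4177]: Accepted publickey for vmanage-admin from 203.0.113.77 port 40022 ssh2: RSA SHA256:<fingerprint>
Feb 20 03:15:09 vmanage sshd[4180]: Failed password for admin from 198.51.100.9 port 55110 ssh2
Feb 21 11:02:31 vmanage sshd[5290]: Accepted publickey for vmanage-admin from 203.0.113.77 port 40391 ssh2: RSA SHA256:<fingerprint>
"""

def unfamiliar_logins(lines, known=KNOWN_PEERS):
    """Return (line_no, source_ip, raw_line) for vmanage-admin logins outside `known`."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = ACCEPTED.search(line)
        if not match:
            continue
        try:
            source = ipaddress.ip_address(match.group("ip"))
        except ValueError:
            # Unparseable address: surface it for review rather than dropping it.
            hits.append((line_no, match.group("ip"), line.rstrip()))
            continue
        if not any(source in net for net in known):
            hits.append((line_no, str(source), line.rstrip()))
    return hits

def summarize(hits):
    """Count flagged logins per source IP, most frequent first."""
    return Counter(ip for _, ip, _ in hits).most_common()

if __name__ == "__main__":
    # Pass a copy of auth.log as the first argument; otherwise the sample is used.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    flagged = unfamiliar_logins(text.splitlines())
    for line_no, ip, raw in flagged:
        print(f"line {line_no}: {ip}: {raw}")
    print(summarize(flagged))
```

Run it against a copy of the log taken from the device rather than on the device itself, and treat any flagged address as a lead to correlate with the control-plane peering events, not as proof of compromise.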
For more technical details on this threat, see the following write-up by Cisco Talos.
Recommendation for CVE-2026-20127
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version of Cisco Catalyst SD-WAN. See the Cisco advisory on this vulnerability for more details.
| Affected Version | Fixed Version |
| --- | --- |
| Earlier than 20.9 | Migrate to a fixed release. |
| 20.9 | 20.9.8.2 (Estimated release February 27, 2026) |
| 20.11 | 20.12.6.1 |
| 20.12.5, 20.12.6 | 20.12.5.3, 20.12.6.1 |
| 20.13 | 20.15.4.2 |
| 20.14 | 20.15.4.2 |
| 20.15 | 20.15.4.2 |
| 20.16 | 20.18.2.1 |
| 20.18 | 20.18.2.1 |
Note: Cisco states that versions 20.11, 20.13, 20.16, and versions earlier than 20.9 have reached End of Software Maintenance. Cisco strongly encourages customers to upgrade to a supported release.
Apply Security Hardening to Affected Services
Cisco provides a list of general security hardening recommendations in its advisory that can help reduce the risk of exploitation. These recommendations include restricting access to affected services from untrusted remote hosts on the internet where possible. See the “General Recommendations for Hardening” section in the advisory.



