Arctic Wolf

Arctic Wolf Customer,

We are issuing this bulletin to alert organizations about a maximum severity, actively exploited authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN Controller and Manager. This flaw lets remote, unauthenticated threat actors gain administrative control over SD-WAN fabric configuration in certain configurations. If you use Cisco Catalyst products in your environment, please review this bulletin to mitigate this threat, which has been exploited in the wild.

Summary

On February 25, 2026, Cisco released fixes for a maximum severity authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage), tracked as CVE-2026-20127. The flaw arises from a broken peering authentication mechanism in the control-plane authentication workflow. This vulnerability potentially allows a remote, unauthenticated threat actor to bypass authentication and obtain administrative privileges on an affected system. Successful exploitation can grant access to NETCONF, enabling manipulation of SD-WAN fabric configuration.

At the time of writing, Arctic Wolf has not identified a publicly available proof-of-concept exploit, but Cisco PSIRT and CISA (U.S.) have confirmed exploitation in the wild by sophisticated threat actors. Threat actors may continue to target this vulnerability due to the high operational impact of management-plane compromise, the attractiveness of SD-WAN controllers/managers (especially when the management interface is exposed on the public internet), and historical interest by both state-aligned and criminal actors in Cisco network infrastructure.

Arctic Wolf will follow its standard internal processes to assess the impact of this newly reported vulnerability within its own environment and if impacted, will address it within the established remediation timelines in our Security Patching Policy.

Technical Details

Cisco indicates this flaw relates to the peering authentication mechanism. A threat actor can potentially send crafted requests to affected systems to log in as an internal, high-privileged, non-root account and then abuse NETCONF (typically TCP/830) to enumerate, modify, and push templates/policies across the SD-WAN fabric.

Cisco provides guidance for investigating potential compromise, which includes:

  • Auditing authentication logs for entries such as “Accepted publickey for vmanage-admin” from unfamiliar IPs
  • Collecting admin-tech bundles for TAC review
  • Validating all recent control-plane peering events (with emphasis on vManage peering types, timestamps, source IPs, and device-type consistency)
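The following is an added example, not Arctic Wolf or Cisco tooling, of how an operator might script the first and third audit steps above during triage. It assumes the authentication entries follow the OpenSSH "Accepted publickey for <user> from <ip> port <n> ssh2" format that Cisco's guidance quotes, and that the operator maintains an inventory of addresses that legitimately peer with the manager (the TRUSTED_PEERS and FABRIC_INVENTORY values below are hypothetical). The sample log lines and peering records are constructed.

```python
"""Triage helper for auditing vManage authentication and peering logs.

Added example; not part of the bulletin or of any Cisco/Arctic Wolf product.
Assumptions: OpenSSH-style "Accepted ..." auth lines, and an operator-kept
inventory of trusted peer addresses and their expected device types.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical inventory of networks that legitimately peer with the manager.
TRUSTED_PEERS = [ip_network("10.0.0.0/24"), ip_network("10.1.1.10/32")]

# Account named in Cisco's investigation guidance.
WATCHED_ACCOUNTS = {"vmanage-admin"}

# Hypothetical fabric inventory: peer address -> expected device type.
FABRIC_INVENTORY = {
    "10.0.0.5": "vsmart",
    "10.0.0.6": "vbond",
    "10.1.1.10": "vedge",
}

AUTH_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>[\w.-]+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


@dataclass
class Finding:
    line_no: int      # 1-based index into the input list
    subject: str      # account name (auth log) or claimed device type (peering)
    source_ip: str
    reason: str


def is_trusted(ip: str) -> bool:
    """True when the address falls inside a known peer network."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_PEERS)


def audit_auth_log(lines):
    """Flag successful logins for watched accounts from unfamiliar addresses."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = AUTH_RE.search(line)
        if not m:
            continue  # failures and unrelated lines are out of scope here
        if m["user"] in WATCHED_ACCOUNTS and not is_trusted(m["ip"]):
            findings.append(Finding(
                n, m["user"], m["ip"],
                "watched account authenticated from an address outside the peer inventory",
            ))
    return findings


def audit_peering_events(events):
    """Flag peering events whose source is unknown or whose device type disagrees with inventory."""
    findings = []
    for n, ev in enumerate(events, start=1):
        expected = FABRIC_INVENTORY.get(ev["peer_ip"])
        if expected is None:
            findings.append(Finding(
                n, ev["device_type"], ev["peer_ip"],
                "peer address not in fabric inventory",
            ))
        elif expected != ev["device_type"]:
            findings.append(Finding(
                n, ev["device_type"], ev["peer_ip"],
                f"device type mismatch: inventory says {expected}, event claims {ev['device_type']}",
            ))
    return findings


# Constructed sample data (RFC 5737 documentation addresses for the outsiders).
SAMPLE_AUTH_LOG = [
    "Feb 25 10:02:11 vmanage sshd[2211]: Accepted publickey for vmanage-admin from 10.0.0.5 port 51234 ssh2",
    "Feb 25 10:03:47 vmanage sshd[2290]: Accepted publickey for vmanage-admin from 198.51.100.77 port 40022 ssh2",
    "Feb 25 10:04:02 vmanage sshd[2301]: Accepted password for netops from 10.1.1.10 port 50011 ssh2",
    "Feb 25 10:05:19 vmanage sshd[2310]: Failed password for admin from 198.51.100.77 port 40100 ssh2",
]

SAMPLE_PEERING_EVENTS = [
    {"timestamp": "2026-02-25T10:02:10Z", "peer_ip": "10.0.0.5", "device_type": "vsmart"},
    {"timestamp": "2026-02-25T10:03:45Z", "peer_ip": "198.51.100.77", "device_type": "vmanage"},
    {"timestamp": "2026-02-25T10:06:00Z", "peer_ip": "10.1.1.10", "device_type": "vmanage"},
]

if __name__ == "__main__":
    for f in audit_auth_log(SAMPLE_AUTH_LOG) + audit_peering_events(SAMPLE_PEERING_EVENTS):
        print(f"line {f.line_no}: {f.subject} from {f.source_ip}: {f.reason}")
```

Run against the constructed data, the auth audit reports the second line (vmanage-admin from 198.51.100.77), and the peering audit reports the unknown 198.51.100.77 peer plus a device that the inventory lists as a vEdge but that peered claiming to be a vManage. Both findings correspond to the "unfamiliar IPs" and "device-type consistency" checks in Cisco's guidance and are starting points for the admin-tech bundle review with TAC, not a verdict on their own.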

For more technical details on this threat, see the following write-up by Cisco Talos: Active exploitation of Cisco Catalyst SD-WAN by UAT-8616


Recommendation

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version of affected Cisco products. See the Cisco advisory on this vulnerability for more details.

Product
Affected Version
Fixed Version
Cisco Catalyst SD-WAN
Earlier than 20.9
Migrate to a fixed release.
20.9
20.9.8.2 (Estimated release February 27, 2026)
20.11
20.12.5
20.12.6
20.13
20.14
20.15
20.16
20.18

Note: Cisco states that versions 20.11, 20.13, 20.16, and versions earlier than 20.9 have reached End of Software Maintenance. Cisco strongly encourages customers to upgrade to a supported release.

Apply Security Hardening to Affected Services

Cisco provides a list of general security hardening recommendations in their advisory that can help reduce the risk of exploitation. These recommendations include restricting affected services from untrusted remote hosts on the internet where possible. See the “General Recommendations for Hardening” section in the advisory.


References

If you have any additional questions, please reach out to your CST at security@arcticwolf.com.

Thank you,
Arctic Wolf

