CVE-2026-20127
Authentication Bypass in Cisco SD-WAN Controller Enables Admin Access
Publication date: 2026-02-25
Last updated on: 2026-02-26
Assigner: Cisco Systems, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | catalyst_sd-wan_manager | Up to 20.9.8.2 (exc) |
| cisco | catalyst_sd-wan_manager | From 20.11 (inc) to 20.12.5.3 (exc) |
| cisco | catalyst_sd-wan_manager | From 20.13 (inc) to 20.15.4.2 (exc) |
| cisco | catalyst_sd-wan_manager | From 20.16 (inc) to 20.18.2.1 (exc) |
| cisco | catalyst_sd-wan_manager | 20.12.6 |
| cisco | sd-wan_vsmart_controller | Up to 20.9.8.2 (exc) |
| cisco | sd-wan_vsmart_controller | From 20.11 (inc) to 20.12.5.3 (exc) |
| cisco | sd-wan_vsmart_controller | From 20.13 (inc) to 20.15.4.2 (exc) |
| cisco | sd-wan_vsmart_controller | From 20.16 (inc) to 20.18.2.1 (exc) |
| cisco | sd-wan_vsmart_controller | 20.12.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authentication bypass flaw in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller and Manager. It allows an unauthenticated remote attacker to send specially crafted requests to the system and bypass normal authentication.
By exploiting this flaw, the attacker can log in as a high-privileged internal non-root user, gaining administrative privileges on the affected system.
With this access, the attacker can manipulate the network configuration of the SD-WAN fabric via NETCONF, potentially controlling critical network functions.
How can this vulnerability impact me?
The impact of this vulnerability is severe because it grants an unauthenticated attacker administrative access to the affected Cisco SD-WAN systems.
An attacker with these privileges can manipulate network configurations, potentially disrupting network operations, causing data loss, or enabling further attacks within the network.
Because the attacker can access NETCONF, they can change the SD-WAN fabric settings, which could lead to unauthorized network control and compromise of network integrity, confidentiality, and availability.
The vulnerability has a maximum CVSS score of 10.0, indicating critical severity with high impact on confidentiality, integrity, and availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by auditing the /var/log/auth.log file for unauthorized entries showing accepted public key authentications for the "vmanage-admin" user from unknown IP addresses.
Manual validation of peering events in logs is recommended, focusing on timestamps, IP addresses, peer system IPs, peer types (vmanage, vsmart, vedge, vbond), and correlating these with authentication and change management records to detect unauthorized peer connections.
Customers should verify IP addresses against known system IPs configured in the Cisco Catalyst SD-WAN Manager web UI.
While specific commands are not explicitly provided, examining the /var/log/auth.log file using commands like 'grep "vmanage-admin" /var/log/auth.log' or similar log inspection commands on the affected system can help identify suspicious authentication attempts. [1]
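The audit described above, as an added example (not from the advisory or from Cisco): it parses auth.log lines, keeps only accepted logins for vmanage-admin, and flags those whose source IP is outside the known controller/peer ranges taken from the Manager UI. The sample log lines are constructed in standard OpenSSH syslog format, and the KNOWN_PEERS ranges are assumptions; confirm the real line format on the appliance before relying on the regex.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample excerpt in standard OpenSSH syslog format (not real data).
# Assumption: the appliance logs sshd events in this format; check a known-good
# line from your own /var/log/auth.log first.
SAMPLE_AUTH_LOG = """\
Feb 25 10:01:02 vmanage sshd[1201]: Accepted publickey for vmanage-admin from 10.0.0.11 port 50122 ssh2: RSA SHA256:AAAA
Feb 25 10:02:15 vmanage sshd[1210]: Accepted publickey for vmanage-admin from 198.51.100.23 port 41000 ssh2: RSA SHA256:BBBB
Feb 25 10:03:40 vmanage sshd[1222]: Accepted password for netadmin from 10.0.0.5 port 51000 ssh2
Feb 25 10:04:01 vmanage sshd[1230]: Failed publickey for vmanage-admin from 203.0.113.9 port 40001 ssh2: RSA SHA256:CCCC
"""

# Assumption: controller and peer system IPs as configured in the Manager web UI.
KNOWN_PEERS = ["10.0.0.0/24"]

ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) "
    r"port (?P<port>\d+)"
)


def find_suspicious_logins(log_text, known_peers, user="vmanage-admin"):
    """Return accepted logins for `user` whose source IP is outside `known_peers`.

    Only 'Accepted ...' lines count: a failed attempt is not a successful
    authentication, and logins for other users are out of scope here.
    """
    nets = [ip_network(n) for n in known_peers]
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m or m.group("user") != user:
            continue
        src = ip_address(m.group("ip"))
        if any(src in net for net in nets):
            continue  # expected peer, nothing to flag
        hits.append({"ts": m.group("ts"), "ip": str(src),
                     "method": m.group("method"), "line": line})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_AUTH_LOG, KNOWN_PEERS):
        print(f"SUSPICIOUS {hit['ts']} {hit['method']} login for vmanage-admin from {hit['ip']}")
```

Every hit still needs manual correlation with the peering and change-management records the answer mentions, since a legitimate new controller would also appear here until its IP is added to the allowlist.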
What immediate steps should I take to mitigate this vulnerability?
There are no available workarounds that fully mitigate this vulnerability; the only complete remediation is to upgrade to fixed software releases such as 20.9.8.2, 20.12.6.1, 20.15.4.2, or 20.18.2.1.
In the meantime, customers are advised to restrict access to ports 22 and 830 using ACLs, firewall rules, or security group rules to allow only known controller and trusted IP addresses, especially for on-premises deployments.
- Prevent access from unsecured networks.
- Restrict system access to trusted hosts.
- Deploy firewalls with layered filtering.
- Disable unnecessary services such as HTTP and FTP.
- Change default administrator passwords.
- Create role-based user accounts.
- Use SSL/TLS certificates for secure communications.
Regular monitoring and external logging of web traffic are also advised for post-event investigations.