Latest Cisco Catalyst SD-WAN vulnerability: CVE-2026-20127 #
Cisco disclosed that certain versions of Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) contain a vulnerability in the peering authentication mechanism. A remote, unauthenticated adversary could exploit this by sending crafted requests to an affected system to bypass authentication and obtain administrative privileges. By leveraging an internal, high-privileged, non-root user account, the adversary could access NETCONF, enabling them to manipulate the network configuration for the entire SD-WAN fabric. The vulnerability has been designated CVE-2026-20127 and has been rated critical with a CVSS score of 10.0.
There is evidence that this vulnerability is being actively exploited in the wild.
The following deployment environments are affected:
- On-Premise deployments
- Cisco Hosted SD-WAN Cloud (Standard, Cisco Managed, and FedRAMP)
The following versions are affected:
- Catalyst SD-WAN releases prior to 20.9
- Catalyst SD-WAN release 20.9 versions prior to 20.9.8.2
- Catalyst SD-WAN release 20.11 versions prior to 20.12.6.1
- Catalyst SD-WAN release 20.12.5 versions prior to 20.12.5.3
- Catalyst SD-WAN release 20.12.6 versions prior to 20.12.6.1
- Catalyst SD-WAN release 20.13 versions prior to 20.15.4.2
- Catalyst SD-WAN release 20.14 versions prior to 20.15.4.2
- Catalyst SD-WAN release 20.15 versions prior to 20.15.4.2
- Catalyst SD-WAN release 20.16 versions prior to 20.18.2.1
- Catalyst SD-WAN release 20.18 versions prior to 20.18.2.1
What is Cisco Catalyst SD-WAN Controller and Manager? #
The Cisco Catalyst SD-WAN Controller serves as the centralized control-plane element, utilizing the Overlay Management Protocol (OMP) to manage routing intelligence, distribute security keys, and enforce network-wide policies. In contrast, the Cisco Catalyst SD-WAN Manager acts as the centralized management system, providing the graphical interface necessary for the configuration, monitoring, and orchestration of all devices within the fabric.
What is the impact? #
Successful exploitation of the vulnerability would allow an adversary to obtain administrative privileges and manipulate the network configuration for the entire SD-WAN fabric.
Are updates or workarounds available? #
Users are encouraged to update to the latest version as quickly as possible:
- Catalyst SD-WAN releases prior to 20.9: migrate to a fixed release
- Catalyst SD-WAN release 20.9: upgrade to version 20.9.8.2 or later
- Catalyst SD-WAN release 20.11: upgrade to version 20.12.6.1 or later
- Catalyst SD-WAN release 20.12.5: upgrade to version 20.12.5.3 or later
- Catalyst SD-WAN release 20.12.6: upgrade to version 20.12.6.1 or later
- Catalyst SD-WAN release 20.13: upgrade to version 20.15.4.2 or later
- Catalyst SD-WAN release 20.14: upgrade to version 20.15.4.2 or later
- Catalyst SD-WAN release 20.15: upgrade to version 20.15.4.2 or later
- Catalyst SD-WAN release 20.16: upgrade to version 20.18.2.1 or later
- Catalyst SD-WAN release 20.18: upgrade to version 20.18.2.1 or later
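The affected-version and fixed-release lists above boil down to one rule per release train: a version is affected when it is older than the first fixed release for its train, and releases before 20.9 have no fixed version in-train at all. The following Python script is an added example (not Cisco's or runZero's code) that encodes exactly those lists as a lookup table and applies it to a constructed inventory of version strings, so a practitioner can triage an export of Manager and Controller versions offline. Trains the advisory does not mention (for example 20.10, 20.17, or 20.12 point releases other than 20.12.5 and 20.12.6) are deliberately reported as "not listed" rather than guessed at.

```python
"""Triage Cisco Catalyst SD-WAN versions against the CVE-2026-20127 fix table.

The table below is transcribed from the advisory text on this page; the
inventory at the bottom is constructed sample data, not real assets.
"""
from __future__ import annotations

# (train prefix, first fixed version). A train whose fix lives in a later
# train (e.g. 20.11 -> 20.12.6.1) means every version in that train is affected.
FIX_TABLE: list[tuple[tuple[int, ...], tuple[int, ...]]] = [
    ((20, 9), (20, 9, 8, 2)),
    ((20, 11), (20, 12, 6, 1)),
    ((20, 12, 5), (20, 12, 5, 3)),
    ((20, 12, 6), (20, 12, 6, 1)),
    ((20, 13), (20, 15, 4, 2)),
    ((20, 14), (20, 15, 4, 2)),
    ((20, 15), (20, 15, 4, 2)),
    ((20, 16), (20, 18, 2, 1)),
    ((20, 18), (20, 18, 2, 1)),
]

MIGRATE_BELOW = (20, 9)  # "releases prior to 20.9: migrate to a fixed release"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '20.12.5.2' into (20, 12, 5, 2); rejects non-numeric components."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(version: tuple[int, ...]) -> str:
    return ".".join(str(p) for p in version)


def assess(text: str) -> tuple[str, str | None]:
    """Return (status, fixed_release) for one version string.

    status is one of 'affected', 'fixed' or 'not listed'. fixed_release is
    the first fixed version for the train, or None when the advisory only
    says "migrate to a fixed release" or does not cover the train.
    """
    v = parse_version(text)
    if v < MIGRATE_BELOW:
        return ("affected", None)

    # Pick the most specific matching train (20.12.5 beats a shorter prefix).
    matches = [e for e in FIX_TABLE if v[: len(e[0])] == e[0]]
    if not matches:
        return ("not listed", None)
    _train, fixed = max(matches, key=lambda e: len(e[0]))

    # Tuple comparison treats a shorter prefix as older, so (20,12,6) < (20,12,6,1).
    return ("affected" if v < fixed else "fixed", fmt(fixed))


def triage(inventory: list[tuple[str, str]]) -> list[tuple[str, str, str, str | None]]:
    """Apply assess() to (hostname, version) rows; returns rows needing action first."""
    rows = [(host, ver, *assess(ver)) for host, ver in inventory]
    order = {"affected": 0, "not listed": 1, "fixed": 2}
    return sorted(rows, key=lambda r: order[r[2]])


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("vmanage-hq", "20.12.5.2"),
    ("vsmart-dc1", "20.9.5.1"),
    ("vsmart-dc2", "20.15.4.2"),
    ("vmanage-lab", "20.12.4"),
    ("vsmart-old", "20.6.3"),
]

if __name__ == "__main__":
    for host, ver, status, fixed in triage(SAMPLE_INVENTORY):
        target = f"upgrade to {fixed}" if fixed else "see advisory"
        print(f"{host:14} {ver:10} {status:11} {target}")
```

Feed `triage()` the version column from a runZero asset export or a Manager device list; anything reported as "affected" or "not listed" deserves a manual check against Cisco's advisory before it is marked clean.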
How to find potentially vulnerable systems with runZero #
From the Asset Inventory, use the following query to locate potentially impacted assets:
hw:="Cisco vManage" OR os:="Cisco Viptela OS"
Note: The query locates Cisco Catalyst SD-WAN Manager installations.