CVE-2026-20127

Cisco Catalyst SD-WAN — CVSS 10.0 Peering Authentication Bypass Enabling Fabric-Wide NETCONF Access, Exploited by UAT-8616 Since 2023
CVSS 3.1: 10.0 / 10 — CRITICAL | CISA Known Exploited Vulnerability

What is Cisco Catalyst SD-WAN?

Cisco Catalyst SD-WAN (formerly Cisco Viptela) is an enterprise Software-Defined WAN platform that centralises routing policy, configuration, and orchestration across an organisation's entire WAN fabric. Its architecture separates function across four planes: vManage (management console), vSmart/SD-WAN Controller (control plane, routing policy distribution), vBond (orchestration, device onboarding), and edge devices at each branch and data centre.

Central to the platform's operation is a peering authentication mechanism — the mutual authentication handshake by which SD-WAN controllers, managers, and edge devices establish trusted relationships with each other. The security of the entire SD-WAN fabric depends on this mechanism correctly identifying legitimate fabric components. CVE-2026-20127 demonstrates that the peering authentication in affected versions does not work correctly.

Overview

Actively Exploited Since 2023 — Emergency Directive. CVE-2026-20127 was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 25, 2026 with a two-day remediation deadline. CISA simultaneously issued Emergency Directive ED 26-03, and the Five Eyes intelligence alliance issued a coordinated advisory. Cisco Talos attributed exploitation to UAT-8616 — assessed with high confidence as a highly sophisticated cyber threat actor — active since at least 2023.

CVE-2026-20127 is a CVSS 10.0 authentication bypass in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage). By sending crafted requests to an exposed controller or manager, an unauthenticated remote attacker bypasses the authentication handshake and is admitted to the SD-WAN fabric as a trusted internal peer. The attacker's access is granted as the internal vmanage-admin account — a high-privileged, non-root user — which provides access to NETCONF: the network configuration management protocol through which routing policies, VPN configurations, and fabric-wide settings can be read and modified.

Affected Versions

Status       Cisco Catalyst SD-WAN Release        First Fixed Release
Vulnerable   Earlier than 20.9                    Migrate to a fixed release
Vulnerable   20.9                                 20.9.8.2
Vulnerable   20.11                                20.12.6.1
Vulnerable   20.12.x prior to 20.12.5.3           20.12.5.3 or 20.12.6.1
Vulnerable   20.13–20.15.x                        20.15.4.2
Vulnerable   20.16–20.18.x                        20.18.2.1

Deployment scope: This vulnerability affects both on-premises SD-WAN deployments and Cisco Hosted SD-WAN Cloud (Standard, Cisco Managed, and FedRAMP editions), irrespective of device configuration.

There are no workarounds — patching is the only mitigation.

Technical Details

The vulnerability is rooted in the SD-WAN peering authentication mechanism — the protocol by which SD-WAN fabric components (controllers, managers, edge devices) establish trusted peer relationships with each other. In a correctly functioning deployment, a new component cannot join the fabric without presenting valid authentication credentials. In the affected versions, this mechanism can be bypassed: crafted requests that deviate from the expected authentication flow are still accepted, and the sender is authenticated as a legitimate fabric peer.

The attacker's authenticated session is established as the internal vmanage-admin user — a high-privileged account used for internal fabric operations. This account is distinct from the root user but has sufficient privilege to access NETCONF (RFC 6241) on the controller or manager. Through NETCONF, the attacker can:

  • Read the full SD-WAN fabric configuration: routing policies, VPN parameters, device inventory, authentication settings for all edge devices
  • Write configuration changes that propagate to every edge device in the fabric — modifying routing tables, removing security segments, altering encryption parameters, or inserting rogue routing entries

The attack requires network access to port 22 (SSH) or port 830 (NETCONF) on a controller or manager instance. These ports do not need to be internet-facing; access from within a network that has any connectivity to the SD-WAN management plane is sufficient.

Discovery and Attribution

CVE-2026-20127 was discovered and reported to Cisco by the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC), credited in the Cisco security advisory. The ASD-ACSC also co-led the production of the threat hunt guide published alongside the advisory, jointly authored with CISA, NSA, the Canadian Centre for Cyber Security, NCSC-NZ, and NCSC-UK.

Cisco Talos published a concurrent analysis attributing exploitation to UAT-8616 — a threat actor cluster assessed with high confidence as "a highly sophisticated cyber threat actor" that had been exploiting CVE-2026-20127 since at least 2023. No formal nation-state attribution has been made public, but Tenable and other analysts noted that nation-state groups including Salt Typhoon and Volt Typhoon (both attributed to the Chinese People's Liberation Army) have established prior patterns of targeting Cisco network infrastructure. Three years of persistent, low-footprint access to WAN management planes is consistent with state-sponsored intelligence collection operations.

Exploitation Context

The exploitation timeline documented by Cisco Talos reveals the scope of the campaign: approximately two to three years of persistent access to enterprise SD-WAN management infrastructure before the vulnerability was disclosed. During that window, UAT-8616 conducted:

  1. Rogue peer insertion — joining the SD-WAN fabric as a trusted controller, giving persistent access that survives device reboots and routine maintenance
  2. Root escalation via firmware downgrade chain — deliberately downgrading the controller software using Cisco's own built-in update mechanism to a version vulnerable to CVE-2022-20775 (a CLI path traversal disclosed in 2022), exploiting it to escalate to root, then restoring the original firmware version to erase evidence of the downgrade
  3. Persistence establishment — adding SSH authorised keys, creating local accounts, modifying startup scripts
  4. Forensic destruction — purging authentication logs (auth.log) and command history files before and after sensitive operations
  5. Traffic monitoring and lateral movement — with root access to controller nodes, the actor was positioned to intercept traffic metadata and move laterally to branch office infrastructure

The simultaneous addition of CVE-2022-20775 to the CISA KEV catalog on February 25, 2026 — four years after its original disclosure — confirmed that UAT-8616's firmware downgrade technique had been used in active attacks.

Remediation

CISA ED 26-03 — Multi-Phase Deadline. Patching alone is insufficient if your environment may have been exposed. CISA requires compromise assessment, threat hunting, and hardening steps in addition to software updates.
  1. Upgrade Cisco Catalyst SD-WAN Manager and Controller to the fixed release for your train: 20.9.8.2, 20.12.5.3 (or 20.12.6.1), 20.15.4.2, or 20.18.2.1. Note that these same fixed versions also remediate CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133.

  2. Conduct a compromise assessment before declaring clear. Follow the ACSC-led threat hunt guide and CISA's Hunt & Hardening Guidance. Specific indicators to investigate:

    • Inspect the SD-WAN controller peer list for any rogue or unrecognised peers
    • Review auth.log for SSH public key acceptance events from unexpected sources (gaps in auth.log are themselves indicators — UAT-8616 purged logs)
    • Check software version change history for unexplained version downgrades, even if the current version looks correct
    • Look for Splunk/SIEM alerts on version transition events: "Software upgrade not confirmed", "revert to previous software version", or "Waiting for upgrade confirmation from user" in SD-WAN logs

  3. Restrict management plane access — ensure port 22 (SSH) and port 830 (NETCONF) on SD-WAN controllers and managers are accessible only from trusted administrator jump hosts or management VPN segments. These ports should never be internet-facing.

  4. Rotate all SD-WAN administrative credentials and review for unauthorised SSH keys and local accounts created by the attacker.

  5. If root compromise is confirmed: CISA ED 26-03 directs agencies to rebuild vManage, vSmart, and vBond instances from clean patched images and migrate edge devices to the new infrastructure. A compromised SD-WAN controller cannot be trusted even after patching.
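The log-based indicators in step 2 (public-key logins from unexpected sources, gaps in auth.log, and the version-transition phrases) lend themselves to a small triage script. The following is an added example, not code from Cisco or from the Five Eyes hunt guide. It assumes RFC 3339 timestamps (as produced by rsyslog high-precision timestamps) and OpenSSH-style "Accepted publickey" messages; the hostnames, addresses, log lines and the trusted jump-host set are constructed for illustration. The peer-list review from step 2 is a separate check against the controller itself and is not covered here.

```python
"""Triage helpers for the CVE-2026-20127 hunt indicators.

Added example, not from Cisco or the Five Eyes hunt guide. Timestamp format,
hostnames, addresses and the sample log lines below are constructed.
"""
import re
from datetime import datetime, timedelta

# Phrases the advisory lists as version-transition indicators in SD-WAN logs.
VERSION_TRANSITION_MARKERS = (
    "Software upgrade not confirmed",
    "revert to previous software version",
    "Waiting for upgrade confirmation from user",
)

# Assumed line shape: "<RFC 3339 timestamp> <host> <message>".
_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})?\s+"
    r"(?P<host>\S+)\s+(?P<msg>.*)$"
)
# OpenSSH success message for key-based authentication.
_ACCEPTED_KEY_RE = re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_line(line):
    """Return (timestamp, host, message) or None for lines that do not match the assumed shape."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"), m.group("host"), m.group("msg")


def unexpected_key_logins(lines, trusted_sources):
    """(timestamp, user, source) for every public-key login not originating from a trusted source."""
    hits = []
    for parsed in (parse_line(l) for l in lines):
        if parsed is None:
            continue
        ts, _host, msg = parsed
        m = _ACCEPTED_KEY_RE.search(msg)
        if m and m.group("src") not in trusted_sources:
            hits.append((ts, m.group("user"), m.group("src")))
    return hits


def log_gaps(lines, max_gap=timedelta(hours=6)):
    """(start, end) of every silence between consecutive entries longer than max_gap.

    A purged auth.log shows up as a hole in an otherwise steady stream; tune
    max_gap to the normal cadence of entries on your controllers.
    """
    stamps = [p[0] for p in (parse_line(l) for l in lines) if p is not None]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


def version_transition_events(lines):
    """(timestamp, marker) for each occurrence of a version-transition phrase."""
    hits = []
    for parsed in (parse_line(l) for l in lines):
        if parsed is None:
            continue
        ts, _host, msg = parsed
        hits.extend((ts, marker) for marker in VERSION_TRANSITION_MARKERS if marker.lower() in msg.lower())
    return hits


# Constructed sample data (not real logs). 10.10.0.5 plays the role of the management jump host.
TRUSTED_JUMP_HOSTS = {"10.10.0.5"}
SAMPLE_AUTH_LOG = [
    "2026-02-20T08:00:01+00:00 vmanage1 sshd[2101]: Accepted publickey for admin from 10.10.0.5 port 50122 ssh2: ED25519 SHA256:constructed",
    "2026-02-20T08:05:12+00:00 vmanage1 sshd[2102]: Accepted publickey for vmanage-admin from 192.0.2.77 port 41002 ssh2: RSA SHA256:constructed",
    "2026-02-20T08:06:00+00:00 vmanage1 sshd[2102]: pam_unix(sshd:session): session opened for user vmanage-admin",
    "2026-02-21T03:30:00+00:00 vmanage1 sshd[2300]: Accepted publickey for admin from 10.10.0.5 port 50200 ssh2: ED25519 SHA256:constructed",
    "2026-02-21T03:31:45+00:00 vmanage1 sshd[2301]: Failed password for invalid user test from 198.51.100.9 port 33000 ssh2",
]
SAMPLE_SDWAN_LOG = [
    "2026-02-19T22:10:03+00:00 vmanage1 sdwan-upgrade: software install requested",
    "2026-02-19T22:25:40+00:00 vmanage1 sdwan-upgrade: Waiting for upgrade confirmation from user",
    "2026-02-19T22:55:41+00:00 vmanage1 sdwan-upgrade: Software upgrade not confirmed, revert to previous software version",
    "2026-02-19T23:02:00+00:00 vmanage1 sdwan-upgrade: software activation complete",
]


def run_triage(auth_lines=SAMPLE_AUTH_LOG, sdwan_lines=SAMPLE_SDWAN_LOG, trusted=TRUSTED_JUMP_HOSTS):
    """Run all three checks and return their findings keyed by indicator name."""
    return {
        "unexpected_key_logins": unexpected_key_logins(auth_lines, trusted),
        "log_gaps": log_gaps(auth_lines),
        "version_transitions": version_transition_events(sdwan_lines),
    }


if __name__ == "__main__":
    for name, findings in run_triage().items():
        print(name)
        for item in findings:
            print("   ", item)
```

On the constructed sample the script reports one public-key login for vmanage-admin from an untrusted address, one nineteen-hour silence in auth.log, and three version-transition phrases. Each finding is a lead for the hunt guide's follow-up steps, not a verdict on its own: a quiet period can be benign, but on a controller where the current version "looks correct" a revert message paired with a log gap is exactly the downgrade-and-purge pattern described above.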

Key Details

Property              Value
CVE ID                CVE-2026-20127
Vendor / Product      Cisco — Catalyst SD-WAN Controller and Manager
NVD Published         2026-02-25
NVD Last Modified     2026-02-26
CVSS 3.1 Score        10
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-287 — Improper Authentication
CISA KEV Added        2026-02-25
CISA KEV Deadline     2026-02-27
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Changed
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2026-02-27. Please adhere to CISA's guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA's Emergency Directive 26-03 and CISA's Hunt & Hardening Guidance for Cisco SD-WAN Devices. Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Timeline

Date         Event
2023-01-01   Earliest confirmed exploitation by UAT-8616 (Cisco Talos assessment: active since 'at least 2023')
2026-02-25   Cisco publishes advisory cisco-sa-sdwan-rpa-EHchtZk; CISA issues Emergency Directive ED 26-03; Five Eyes agencies (ASD-ACSC, CISA, NSA, Canadian Cyber Centre, NCSC-NZ, NCSC-UK) issue coordinated advisory; CVE-2026-20127 and CVE-2022-20775 simultaneously added to CISA KEV
2026-02-26   Cisco Talos publishes attribution to UAT-8616 and post-exploitation details; ACSC publishes ACSC-led threat hunt guide
2026-02-27   CISA ED 26-03 initial deadline: federal agencies must provide catalog of all in-scope SD-WAN systems
2026-03-05   Federal agencies must submit detailed inventory of affected products and actions taken
2026-03-11   CISA publishes updated ED 26-03 v2, superseding February version with updated remediation steps and reporting requirements
2026-03-26   Federal agencies must submit all steps taken to harden their SD-WAN environments