Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023
Bleeping Computer
by Lawrence Abrams, February 25, 2026
AI-Generated Deep Dive Summary
Cisco has disclosed a critical authentication bypass vulnerability in its Catalyst SD-WAN platform, tracked as CVE-2026-20127, which has been exploited in zero-day attacks since 2023. The flaw allows remote attackers to compromise controllers and insert malicious peers into targeted networks, potentially leading to unauthorized access and network manipulation. This vulnerability impacts both on-premises and cloud-based installations of Cisco Catalyst SD-WAN Controller (formerly vSmart) and Manager (formerly vManage). With a severity rating of 10.0, it is considered highly critical.
The issue stems from a faulty peering authentication mechanism that can be exploited by sending crafted requests to affected systems. A successful attack enables attackers to log in as an internal, high-privileged user account, which grants access to NETCONF—a protocol used for network configuration management. This allows malicious actors to manipulate SD-WAN configurations and inject rogue devices into the network, potentially bypassing encryption and accessing sensitive data.
Cisco attributes the discovery of this vulnerability to the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate. The company also revealed that a highly sophisticated threat actor exploited CVE-2026-20127 in
Originally published on Bleeping Computer on 2/25/2026