External risk intelligence
Cisco Catalyst SD-WAN could allow external attackers to manipulate network configurations.
Cisco Catalyst SD-WAN Controller and Manager could allow external attackers to bypass security protocols and gain administrative privileges, potentially exposing network controls to unauthorized manipulation. Active exploitation of this flaw has been observed, posing a significant risk to network infrastructure.
CVE-2026-20127
Exposure facts
H – Horizon Alert
A security vulnerability has been identified in the Cisco Catalyst SD-WAN Controller and Manager that allows a remote, unauthenticated attacker to bypass established security protocols. By sending specially crafted requests, an attacker could gain high-level administrative privileges on the system. This level of access could potentially allow an unauthorized party to manipulate the configuration of your SD-WAN network fabric, posing a significant risk to the integrity and control of your network infrastructure.
A – Asset Exposure
This issue impacts Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, which serve as critical management points for your SD-WAN infrastructure. If exploited, an unauthorized remote actor could bypass security checks to gain high-privileged admin access to these systems. With this level of control, an intruder could interact with NETCONF to modify sensitive network controls and alter the configuration of the SD-WAN fabric.
L – Live Threat
This vulnerability is formally listed in the CISA Known Exploited Vulnerabilities catalog, which confirms that active exploitation has been observed in the wild. Attackers can leverage this flaw to bypass authentication remotely and gain high-privileged access, potentially allowing for the manipulation of network configurations. Due to this confirmed evidence of targeting and the significant level of access afforded to an attacker, this issue presents a critical risk that warrants prompt attention.
O – Operational Fix
Organizations using Cisco Catalyst SD-WAN Controller and Manager should immediately review CISA’s Emergency Directive and the associated Hunt & Hardening Guidance to secure these systems. Prioritize validating all affected deployments to assess potential exposure, and implement the risk mitigation steps outlined by the vendor and CISA. If appropriate mitigations are unavailable for your environment, consult internal policy on discontinuing use, in accordance with established guidelines for cloud services.