Skip to content
.ca
sign in
4 mincritical

Security Advisory 2026-002

Cisco has disclosed multiple critical and high-severity vulnerabilities affecting Catalyst SD-WAN Controller and Manager, including CVE-2026-20127, a CVSS 10 authentication bypass exploited in the wild since 2023. Successful exploitation allows unauthenticated remote attackers to gain administrative privileges, manipulate network configurations, and establish persistent access, sometimes by downgrading software to exploit older vulnerabilities.

Sens:ImmediateConf:highAnalyzed:2026-03-19reports

Authors: CERT-EU

ActorsUnidentified threat actors exploiting CVE-2026-20127 in the wild since 2023
CVE-2026-20127Authentication BypassSD-WANCisco

Source:CERT-EU

IOCs · 1
  • filename
    /var/log/auth.logAuthentication log file to monitor for unauthorized publickey acceptance for the vmanage-admin account.

Key Takeaways

  • Cisco released advisories for multiple critical and high-severity vulnerabilities in Catalyst SD-WAN Controller and Manager.
  • CVE-2026-20127 (CVSS 10) is an authentication bypass vulnerability that has been exploited in the wild since 2023.
  • Successful exploitation allows unauthenticated remote attackers to gain administrative privileges and manipulate network configurations.
  • Threat actors have been observed downgrading SD-WAN Manager software to exploit older vulnerabilities (CVE-2022-20775) for persistence.
  • Immediate patching and restriction of external management interfaces are strongly recommended.

Affected Systems

  • Cisco Catalyst SD-WAN Controller (formerly SD-WAN vManager)
  • Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage)
  • Cisco Catalyst SD-WAN versions <20.9, 20.9-20.9.8.2, 20.11, 20.12.5-20.12.5.3, 20.12.6-20.12.6.1, 20.13, 20.14, 20.15-20.15.4.2, 20.16, 20.18-20.18.2.1

Vulnerabilities (CVEs)

  • CVE-2026-20127
  • CVE-2026-20129
  • CVE-2026-20126
  • CVE-2026-20133
  • CVE-2026-20122
  • CVE-2026-20128
  • CVE-2022-20775

Attack Chain

Threat actors exploit CVE-2026-20127 by sending crafted requests to the Cisco Catalyst SD-WAN Controller, bypassing peering authentication. This grants them an internal, high-privileged, non-root user account with NETCONF access to manipulate the SD-WAN fabric. To establish persistence and escalate privileges, attackers have been observed downgrading the SD-WAN Manager software to a version vulnerable to CVE-2022-20775, allowing them to create local accounts.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The advisory provides manual log hunting guidance for auth.log and peering events, but does not include structured detection rules.

Detection Engineering Assessment

EDR Visibility: None — Cisco SD-WAN controllers and managers are network appliances that typically do not support standard EDR agent installations. Network Visibility: Medium — Exploitation occurs over API and management interfaces (HTTPS/SSH/NETCONF), which may be encrypted, but anomalous peering connections and management access from unexpected IPs can be detected via network telemetry. Detection Difficulty: Moderate — Requires centralizing appliance syslogs and establishing strict baselines for authorized management IPs and peering events to spot anomalies.

Required Log Sources

  • Syslog
  • Authentication logs (/var/log/auth.log)
  • Cisco SD-WAN peering event logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for successful SSH public key authentications for the 'vmanage-admin' user originating from IP addresses outside of known administrative subnets.Authentication logs (auth.log)Initial AccessLow to Medium (depends on strictness of IP baselining)
Monitor for unexpected software downgrade events on SD-WAN Manager appliances, which may indicate an attempt to reintroduce CVE-2022-20775.Appliance audit/system logsDefense EvasionLow (downgrades are rare and usually scheduled)
Identify new peering events (control-connection-state-change) involving unknown public IPs or unexpected peer types.Cisco SD-WAN event logsCommand and ControlMedium (requires accurate topology documentation)

Control Gaps

  • Lack of EDR visibility on proprietary network appliances
  • Exposure of management interfaces to the internet

Key Behavioral Indicators

  • Accepted publickey for vmanage-admin
  • control-connection-state-change new-state:up
  • Software version downgrade events

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Apply the latest security updates provided by Cisco for Catalyst SD-WAN Manager and Controller.
  • Capture forensic evidence and review SD-WAN configurations for unauthorized changes before patching if compromise is suspected.

Infrastructure Hardening

  • Identify and restrict external access to SD-WAN management interfaces (HTTPS, SSH, API) and control plane interfaces.
  • Remove direct internet exposure and limit access to dedicated management networks.

User Protection

  • Audit local accounts on SD-WAN appliances and remove any unauthorized accounts created by threat actors.

Security Awareness

  • Ensure network administrators are aware of the risks of exposing management interfaces to the internet and adhere to strict access control policies.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1078 - Valid Accounts
  • T1068 - Exploitation for Privilege Escalation
  • T1562 - Impair Defenses
  • T1098 - Account Manipulation

Additional IOCs

  • File Paths:
    • /var/log/auth.log - Target log file for SSH authentication auditing
  • Other:
    • vmanage-admin - Targeted user account for unauthorized publickey authentication

Related