Critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Manager allowing unauthenticated remote attackers to gain administrative privileges. CISA has issued Emergency Directive ED 26-03 due to active exploitation in the wild.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2026-02-25
Added to CISA KEV: 2026-02-25 0 DAY BETWEEN CVE AND KEV
CVE-2026-20137: In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the "admin" or "power" Splunk roles could bypass. the SPL safeguards for risky commands when they create a Data Model that contains an injected SPL query within an object. They can bypass the safeguards by exploiting a path traversal vulnerability.
The Canadian Centre for Cyber Security (Cyber Centre) is aware of active exploitation of Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) devices 1 2. In response to the Cisco security advisory released on February 25, 2026 3, the Cyber Centre issued AV26-166 4 on February 25, 2026. Tracked as CVE-2026-20127 Footnote 5, this vulnerability
Cisco Talos is tracking the active exploitation of CVE-2026-20127, a vulnerability in Cisco Catalyst SD-WAN Controller, formerly vSmart, that allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges.
... vulnerabilities identified by Cisco: CVE-2026-20127 – an authentication bypass vulnerability that allows an unauthenticated, remote attacker ...
Malicious cyber threat actors are targeting SD-WANs of organisations, globally. These actors exploited a Cisco Catalyst SD-WAN controller authentication bypass vulnerability, CVE-2026-20127. After exploitation of this vulnerability the malicious actors add a rogue peer, and eventually gain root access to establish long-term persistence in SD-WANs.