CVE-2026-20127 is a critical vulnerability affecting Cisco Catalyst SD-WAN systems [2][8]. It is an authentication bypass that allows an unauthenticated, remote attacker to obtain administrative privileges without valid credentials [3][4].
Evidence of Active Exploitation:
There is evidence of active exploitation in the wild [3][7]. Threat actors have been observed using this vulnerability for initial access [7], and malicious rogue peers have been reported [8].
Attack Vectors and Exploitation Methods:
The attack vector is network-based, meaning the vulnerability can be exploited remotely without physical access [1], and it specifically affects the Cisco Catalyst SD-WAN Controller [3][9]. After exploiting the authentication bypass, attackers can add a rogue peer, gain root access, and establish long-term persistence [5]. Exploitation involves sending crafted requests to the controller [10].
Targeted Attacks:
While specific details on targeted attacks are not extensively documented, the nature of the vulnerability and the way it has been exploited suggest it could be used in sophisticated attacks. The Canadian Centre for Cyber Security has issued alerts regarding this vulnerability [2].
CISA Known Exploited Vulnerabilities Status:
CISA has issued Emergency Directive ED 26-03, which requires federal agencies to mitigate vulnerabilities in Cisco SD-WAN systems, including CVE-2026-20127 [4][6]. The directive underscores both the severity of this vulnerability and the fact that it is being actively exploited.
Technical Details about Internet Exploitability:
The vulnerability allows an unauthenticated, remote attacker to bypass authentication and gain administrative privileges [3][4]. Consequently, organisations with internet-facing Cisco SD-WAN applications or services are potentially exposed if those systems are not properly secured. Exploitation does not require significant complexity or special conditions [1] and can be carried out over the network [1].
-
CVE-2026-20137 Security Vulnerability & Exploit Details
CVE-2026-20137: In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the "admin" or "power" Splunk roles could bypass the SPL safeguards…
-
AL26-004 - Critical vulnerability affecting Cisco Catalyst SD-WAN - CVE ...
The Canadian Centre for Cyber Security (Cyber Centre) is aware of active exploitation of Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) devices. In response to the Cisco security advisory released on February 25, 2026, the Cyber Centre issued AV26-166 on February 25, 2026. Tracke…
-
Active exploitation of Cisco Catalyst SD-WAN by UAT-8616
Cisco Talos is tracking the active exploitation of CVE-2026-20127, a vulnerability in Cisco Catalyst SD-WAN Controller, formerly vSmart, that allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges.
-
ED 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems
... vulnerabilities identified by Cisco: CVE-2026-20127 – an authentication bypass vulnerability that allows an unauthenticated, remote attacker ...
-
Exploitation of Cisco SD-WAN appliances - Cyber.gov.au
Malicious cyber threat actors are targeting SD-WANs of organisations, globally. These actors exploited a Cisco Catalyst SD-WAN controller authentication bypass vulnerability, CVE-2026-20127. After exploitation of this vulnerability the malicious actors add a rogue peer, and eventually gain root acce…