Executive Summary
On February 25, 2026, Cisco disclosed CVE-2026-20127 — a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller (formerly vManage) and SD-WAN Manager. Rated CVSS 10.0 (maximum severity), the flaw allows an unauthenticated remote attacker to completely bypass authentication and gain full administrative control of SD-WAN infrastructure.
This is not a theoretical risk. The Australian Cyber Security Centre (ACSC), which discovered the vulnerability, confirmed that threat actor UAT-8616 has been actively exploiting it since at least 2023 — meaning it existed as a zero-day for over three years before public disclosure. Attackers used the flaw to inject malicious rogue peers into SD-WAN fabrics, gain persistent administrative access, and establish long-term footholds in enterprise networks.
What Happened: Timeline of Events
The timeline of CVE-2026-20127 reveals the extraordinary duration of exploitation and the urgency of the response once the vulnerability was publicly acknowledged.
| Date | Event |
|---|---|
| ~2023 (estimated) | Threat actor UAT-8616 begins exploiting CVE-2026-20127 in the wild, adding rogue peers to SD-WAN networks for persistent access |
| Late 2025 | Australian Cyber Security Centre (ACSC) detects suspicious activity tied to SD-WAN controller compromise during an investigation |
| February 25, 2026 | Cisco publishes security advisory cisco-sa-sdwan-auth-bypass-2026 disclosing CVE-2026-20127 with CVSS 10.0 rating |
| February 25, 2026 | CISA adds CVE-2026-20127 to the Known Exploited Vulnerabilities (KEV) catalog |
| February 26, 2026 | CISA issues Emergency Directive 26-03 requiring federal agencies to patch by February 27 |
| February 26, 2026 | Canadian Centre for Cyber Security, Rapid7, and Tenable issue independent advisories confirming active exploitation |
| February 27, 2026 | CISA patch deadline for all federal civilian agencies |
How the Attack Works
CVE-2026-20127 targets the authentication mechanism of the Cisco Catalyst SD-WAN Controller's management interface. The vulnerability exists because the controller fails to properly validate authentication tokens in certain API endpoints, allowing a remote attacker to craft requests that bypass authentication entirely.
Once an attacker bypasses authentication, they gain full administrative privileges — equivalent to a legitimate administrator. From this position, they can reconfigure the entire SD-WAN fabric, add or modify devices, intercept traffic, and deploy persistent backdoors.
Figure: CVE-2026-20127 enables full unauthenticated takeover of SD-WAN infrastructure (the attack chain from initial bypass to persistent network compromise).
UAT-8616: The Threat Actor
The Australian Cyber Security Centre attributed the exploitation to a threat actor tracked as UAT-8616. While attribution details remain limited, the operational profile suggests a sophisticated, likely state-sponsored group:
- Patience: The group maintained access for over three years without detection in some environments, indicating advanced operational security
- Targeting: Focused on SD-WAN infrastructure specifically — the networking backbone — rather than individual endpoints
- Technique: Adding rogue peers to the SD-WAN fabric rather than deploying traditional malware, making detection through endpoint security tools virtually impossible
- Persistence: Rogue peer injection survives password rotations, certificate renewals, and most standard incident response procedures that focus on credential hygiene
Who Is Affected?
Any organization running Cisco Catalyst SD-WAN Controller (formerly vManage) or Cisco SD-WAN Manager with the management interface exposed — whether to the internet or an internal management network — is potentially vulnerable.
| Product | Affected Versions | Fixed Version | Notes |
|---|---|---|---|
| Cisco Catalyst SD-WAN Controller | All versions prior to 20.12.4 | 20.12.4+ | Primary target of active exploitation |
| Cisco SD-WAN Manager | All versions prior to 20.12.4 | 20.12.4+ | Same underlying auth mechanism |
| Cisco SD-WAN vManage (legacy) | All versions prior to EOL migration | Migrate to Catalyst SD-WAN | End-of-life; upgrade path required |
No Workarounds Available
Cisco has confirmed there are no workarounds for CVE-2026-20127. The only mitigation is applying the patched software version. Restricting management interface access via ACLs can reduce exposure, but does not eliminate the vulnerability — particularly for organizations where the management network is already compromised or where lateral movement is possible.
Detection and Indicators of Compromise
Given that exploitation has been ongoing since 2023, organizations must assume potential compromise and conduct thorough forensic review — not just patch and move on.
- Audit SD-WAN peer list: Review all device entries in the SD-WAN controller. Look for unrecognized or recently added peers that don't correspond to legitimate infrastructure deployments.
- Review admin session logs: Examine authentication logs for sessions that lack corresponding login events. CVE-2026-20127 bypasses auth, so admin actions without matching login records are a red flag.
- Check configuration change history: Compare current SD-WAN policies and routing configurations against known-good baselines. Look for unauthorized ACL changes, policy modifications, or new device templates.
- Inspect API access logs: Look for unusual API call patterns, particularly to endpoints responsible for device onboarding, certificate management, and peer configuration.
- Network traffic analysis: Monitor for unexpected tunnel establishment, traffic rerouting, or data exfiltration through SD-WAN overlay networks.
- Certificate anomalies: Check for certificates issued to devices not in your inventory — rogue peers require certificates that may not match your PKI hierarchy.
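As an added example (not code from Cisco or from this post), the session correlation described above run over a constructed audit log: sessions that issued admin API calls without ever producing a login event are reported, along with any calls to onboarding, certificate or peer endpoints. The JSON-lines schema, session ids and endpoint paths are assumptions for illustration; a real controller's log format will differ.

```python
import json
from collections import defaultdict

# Constructed JSON-lines audit log (not Cisco's real format). Session s-1001 is a normal
# admin session; s-2002 performs onboarding and certificate work but never logs in.
SAMPLE_LOG = """
{"ts": "2025-11-02T08:01:10Z", "session": "s-1001", "user": "netops", "src": "10.10.5.20", "event": "login", "endpoint": "/api/login"}
{"ts": "2025-11-02T08:03:44Z", "session": "s-1001", "user": "netops", "src": "10.10.5.20", "event": "api", "endpoint": "/api/device/list"}
{"ts": "2025-11-02T08:05:12Z", "session": "s-1001", "user": "netops", "src": "10.10.5.20", "event": "logout", "endpoint": "/api/logout"}
{"ts": "2025-11-03T02:14:09Z", "session": "s-2002", "user": "admin", "src": "203.0.113.77", "event": "api", "endpoint": "/api/device/onboard"}
{"ts": "2025-11-03T02:15:31Z", "session": "s-2002", "user": "admin", "src": "203.0.113.77", "event": "api", "endpoint": "/api/certificate/install"}
{"ts": "2025-11-03T02:17:02Z", "session": "s-2002", "user": "admin", "src": "203.0.113.77", "event": "api", "endpoint": "/api/template/push"}
"""

# Endpoint families the post singles out: device onboarding, certificate management and
# peer/template configuration. Paths are placeholders, not real product routes.
SENSITIVE_PREFIXES = ("/api/device/onboard", "/api/certificate/", "/api/peer/", "/api/template/")

def parse_log(text):
    """Parse JSON lines into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def sessions_without_login(events):
    """Return {session: [api events]} for sessions that issued admin API calls but never
    produced a login event. An authentication bypass lands the attacker directly in an
    authenticated context, so the login record every legitimate session starts with is absent."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)
    orphans = {}
    for sid, evs in by_session.items():
        actions = [e for e in evs if e["event"] == "api"]
        if actions and not any(e["event"] == "login" for e in evs):
            orphans[sid] = actions
    return orphans

def report(text):
    """Summarise each orphan session: claimed identity and source, number of calls,
    and which calls touched onboarding, certificate or peer/template endpoints."""
    findings = []
    for sid, actions in sessions_without_login(parse_log(text)).items():
        sensitive = [e["endpoint"] for e in actions if e["endpoint"].startswith(SENSITIVE_PREFIXES)]
        findings.append({"session": sid, "user": actions[0]["user"], "src": actions[0]["src"],
                         "first_seen": actions[0]["ts"], "calls": len(actions), "sensitive": sensitive})
    return findings

if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```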
Patching Alone Is Not Sufficient
If your SD-WAN controller was exposed at any point since 2023, patching closes the front door but does not evict an attacker who is already inside. Rogue peers added before patching will persist. A full compromise assessment — including peer inventory audit, configuration baseline comparison, and certificate validation — is required.
Why Three Years of Undetected Exploitation?
CVE-2026-20127 persisted as a zero-day for over three years. That fact alone warrants examination. Several factors enabled this extended exploitation window:
- Network infrastructure blind spots: Most organizations have mature endpoint detection and response (EDR) on servers and workstations, but SD-WAN controllers and network management planes are often outside the scope of these tools. They exist in a monitoring gap between network operations and security operations.
- Standing administrative access: SD-WAN controllers typically have always-on administrative accounts with static credentials or long-lived API tokens. There is no session to hijack because the session never ends — the admin access simply exists, permanently.
- Rogue peers blend in: In large SD-WAN deployments with hundreds or thousands of edge devices, adding a handful of rogue peers is extremely difficult to detect without rigorous inventory reconciliation — a practice few organizations perform continuously.
- Limited logging and auditing: SD-WAN controllers often have minimal audit logging compared to cloud infrastructure. Without session recording, MFA enforcement, or behavioral anomaly detection on the management plane, exploitation leaves few traces.
Immediate Response Playbook
Priority Actions (Next 24-48 Hours)
1. Apply Cisco patch (version 20.12.4 or later) to all SD-WAN Controller and Manager instances immediately.
2. Restrict management interface access via ACLs to known management stations while patching is in progress.
3. Conduct a full peer inventory audit — compare every device in your SD-WAN fabric against your hardware and VM inventory.
4. Review all admin sessions and configuration changes from the past 90 days at minimum. Investigate any sessions without corresponding login events.
5. Rotate all administrative credentials, API tokens, and certificates associated with the SD-WAN controller.
6. Engage your IR team or an external forensics firm if you find any indicators of compromise.
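An added example, not the post's or Cisco's code, implementing playbook step 3 together with the peer-list and certificate checks from the detection section: the controller's peer export is reconciled against the asset inventory and the expected PKI issuer, and any peer with a serial outside the inventory, a certificate from an unexpected issuer, or a cloned serial is reported. The Peer schema, serials, issuer names and timestamps are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Peer:
    """One device entry as exported from the controller (constructed schema)."""
    system_ip: str
    serial: str
    hostname: str
    cert_issuer: str
    added: str  # ISO-8601 UTC timestamp of when the controller first saw the peer

# Constructed controller export: three deployed edges plus one peer nobody provisioned.
CONTROLLER_PEERS = [
    Peer("10.1.0.1", "SN-EDGE-0001", "branch-syd-01", "CN=Corp SD-WAN Issuing CA", "2024-03-11T09:00:00Z"),
    Peer("10.1.0.2", "SN-EDGE-0002", "branch-mel-01", "CN=Corp SD-WAN Issuing CA", "2024-03-11T09:05:00Z"),
    Peer("10.1.0.3", "SN-EDGE-0003", "branch-bne-01", "CN=Corp SD-WAN Issuing CA", "2025-01-20T14:30:00Z"),
    Peer("10.1.0.250", "SN-7F3A-UNKNOWN", "vedge-250", "CN=vmanage-enterprise-ca", "2026-01-15T02:20:00Z"),
]
# Constructed asset inventory (CMDB serials) and the issuers your PKI actually uses.
INVENTORY_SERIALS = {"SN-EDGE-0001", "SN-EDGE-0002", "SN-EDGE-0003"}
TRUSTED_ISSUERS = {"CN=Corp SD-WAN Issuing CA"}
ASSESSMENT_TIME = datetime(2026, 2, 26)  # assumed date of the compromise assessment

def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def reconcile(peers, inventory, trusted_issuers, now, recent_days=90):
    """Return [(system_ip, [reasons])] for peers that need investigation.
    Hard indicators: serial absent from inventory, certificate issued outside the PKI
    hierarchy, or a serial that appears twice (a cloned identity). The 'recently added'
    note is context so responders look at the newest flagged peers first."""
    findings = []
    first_seen = {}
    for p in peers:
        reasons = []
        if p.serial not in inventory:
            reasons.append("serial not in asset inventory")
        if p.cert_issuer not in trusted_issuers:
            reasons.append("certificate issuer outside PKI hierarchy: " + p.cert_issuer)
        if p.serial in first_seen:
            reasons.append("duplicate serial, also used by " + first_seen[p.serial])
        first_seen.setdefault(p.serial, p.system_ip)
        if reasons:
            if now - _parse_ts(p.added) <= timedelta(days=recent_days):
                reasons.append(f"added within the last {recent_days} days")
            findings.append((p.system_ip, reasons))
    return findings

if __name__ == "__main__":
    for ip, reasons in reconcile(CONTROLLER_PEERS, INVENTORY_SERIALS, TRUSTED_ISSUERS, ASSESSMENT_TIME):
        print(ip, "->", "; ".join(reasons))
```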
The Deeper Problem: Standing Access to Network Infrastructure
CVE-2026-20127 is devastating on its own, but it exposes a systemic issue in how organizations manage access to network infrastructure. The blast radius of this vulnerability was amplified by the way SD-WAN controllers are typically administered:
| Traditional SD-WAN Access | Risk | Modern Access Management |
|---|---|---|
| Shared admin accounts (admin/admin) | No individual accountability | Individual identity-based access with SSO |
| Always-on administrative sessions | Permanent attack surface | Just-in-Time access that expires automatically |
| No MFA on management interface | Auth bypass = full compromise | MFA enforced on every access request |
| No session recording | Exploitation goes undetected for years | Full session recording and anomaly detection |
| Static API tokens | Tokens never expire, stolen tokens = persistent access | Short-lived, scoped credentials per session |
| Management interface on broad network | Wider attack surface | Zero-trust network access to management plane |
Had organizations employed JIT access policies for their SD-WAN controllers, the impact of CVE-2026-20127 would have been dramatically different. With no standing administrative sessions, an authentication bypass has nothing to bypass — there's no persistent session to hijack, no always-on token to abuse. Access would need to be requested, approved, and recorded for each administrative action.
Lessons for Access Management
CVE-2026-20127 reinforces several core principles that should guide how organizations approach infrastructure access — not just for SD-WAN, but for all critical network infrastructure:
- Eliminate standing admin access: Network infrastructure controllers should never have always-on admin sessions. JIT access ensures credentials exist only when actively needed and expire immediately after.
- Enforce MFA everywhere — especially network management: An authentication bypass vulnerability is far less damaging when every access request requires a second factor that the attacker doesn't possess.
- Record all administrative sessions: If UAT-8616 had been adding rogue peers through a recorded session, the compromise would have been detected in days, not years.
- Treat network infrastructure as Tier-0: SD-WAN controllers manage the network backbone. Compromise here means compromise everywhere. Apply the highest level of access control — stricter than what you apply to individual servers.
- Continuous inventory reconciliation: Automated comparison of configured devices against known inventory would have flagged rogue peers immediately.
- Assume breach for infrastructure that's been exposed: If your SD-WAN controller management interface has been reachable at any point since 2023, treat it as compromised until proven otherwise.
Your Network Infrastructure Deserves Zero Standing Access
CVE-2026-20127 proves that standing admin access to network controllers is a liability — three years of undetected exploitation because the admin session was always on. OnePAM enforces Just-in-Time access, MFA, and full session recording for every connection to your critical infrastructure.
Industry Response
The severity of CVE-2026-20127 triggered an unusually rapid and coordinated response across multiple cybersecurity agencies and vendors:
- CISA: Added to the Known Exploited Vulnerabilities catalog on the day of disclosure and issued Emergency Directive 26-03 the following day — requiring federal agencies to patch within 48 hours, one of the shortest deadlines ever imposed.
- Canadian Centre for Cyber Security: Published an advisory urging all Canadian organizations using Cisco SD-WAN to patch immediately and conduct compromise assessments.
- Rapid7: Published a detailed technical analysis confirming independent verification of the vulnerability and its exploitability.
- Tenable: Released detection plugins and published an advisory emphasizing the need for post-patch forensic review due to the extended exploitation timeline.
The uniform urgency across these organizations reflects the critical nature of the vulnerability: CVSS 10.0, active exploitation, no workarounds, and a threat actor with years of operational experience exploiting it.
Conclusion: Network Access Is the New Perimeter
CVE-2026-20127 is a textbook case of why network infrastructure access management cannot be an afterthought. A single authentication bypass in an SD-WAN controller gave attackers persistent, undetected control over enterprise network fabrics for over three years. The vulnerability is severe — but the real failure is the access model that allowed exploitation to persist invisibly.
Standing administrative access, shared credentials, absent MFA, and no session recording created the perfect conditions for UAT-8616 to operate. Modern access management — built on JIT provisioning, strong identity verification, and comprehensive session auditing — doesn't just reduce the blast radius of vulnerabilities like this. It makes the exploitation itself visible, bounded, and short-lived.
Patch CVE-2026-20127 immediately. Then ask the harder question: if the next zero-day hits your network infrastructure tomorrow, would you even know?