⚠ Actively exploited
Added to CISA KEV on 2026-02-25. Federal agencies required to patch by 2026-02-27. Required action: Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices” (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

CVE-2026-20127: Improper Authentication in Cisco Catalyst SD-WAN Manager

Severity: 10.0 CRITICAL (NVD)
EPSS: 39.7% (top 2.68%)
CISA KEV: Added 2026-02-25, due 2026-02-27
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Feb 25; KEV added Feb 25; Latest update Feb 26; KEV due Feb 27

Description

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an af

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 6.0

Affected Packages (3 packages)

NVD: cisco/catalyst_sd-wan_manager 20.11 20.12.5.3 +4
CVEListV5: cisco/cisco_catalyst_sd-wan_manager 335 versions +334
NVD: cisco/sd-wan_vsmart_controller 20.11 20.12.5.3 +4

🔴 Vulnerability Details (3)

CVEList: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability (2026-02-25)
GHSA: GHSA-p4cq-46q3-jr7w: A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly (2026-02-25)
VulnCheck: Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability (2026)

💥 Exploits & PoCs (1)

Metasploit: Cisco Catalyst SD-WAN Controller Authentication Bypass

📋 Vendor Advisories (2)

Cisco: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability (2026-02-26)
CISA: Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability (2026-02-25)

🕵️ Threat Intelligence (6)

Talos: Active exploitation of Cisco Catalyst SD-WAN by UAT-8616 (2026-02-25)
Talos: Active exploitation of Cisco Catalyst SD-WAN by UAT-8616 (2026-02-25)
Bleepingcomputer: Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023 (2026-02-25)
Tenable: CVE-2026-20127 Zero-Day Auth Bypass Exploited (2026-02-25)
Threat Intel: UAT-8616