At a glance: Cisco disclosed CVE-2026-20127, a maximum-severity zero-day in Catalyst SD-WAN Controller and Manager that allows unauthenticated remote access to high-privilege internal accounts. Exploitation enables attackers to reach the NETCONF interface and manipulate routing and policy across the SD-WAN control plane. Limited in-the-wild activity was confirmed prior to patch release.
Threat summary
On February 25, 2026, Cisco disclosed a critical zero-day affecting Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage).
Cisco confirmed limited exploitation prior to disclosure and credited the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) with reporting the vulnerability. Cisco Talos separately documented exploitation activity linked to the threat activity cluster UAT-8616.
The flaw, tracked as CVE-2026-20127, carries a Common Vulnerability Scoring System (CVSS) score of 10.0 and enables unauthenticated remote access to high-privilege internal accounts. The issue stems from a failure in the authentication process used when Cisco Catalyst SD-WAN Controller and Manager establish trust relationships with other components.
Because that process is not working correctly, a threat actor can send malicious requests that the system accepts as trusted. This gives the adversary a path to bypass authentication and log in using an internal administrative account.
With that access, the threat actor can reach the Network Configuration Protocol (NETCONF) interface, which is used to push routing and policy changes across the SD-WAN environment. This level of access allows the threat actor to modify SD-WAN fabric configuration, alter routing, disrupt connectivity, or pivot deeper into the environment.
This vulnerability affects the following deployment types:
- On-Prem Deployment
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud - Cisco Managed
- Cisco Hosted SD-WAN Cloud - FedRAMP Environment
Analysis & recommendations
Cisco’s advisory notes that the vulnerability is remotely exploitable without authentication, but there are still some limitations on how a threat actor can use it.
The adversary needs network access to the SD-WAN Controller or Manager over the relevant ports, which generally means the system is exposed to the internet or reachable from an internal foothold. Exploitation also requires sending crafted requests that take advantage of the broken peering authentication process. The access gained is a high-privilege internal account rather than full root, but it's still enough to reach NETCONF and change SD-WAN configuration.
Even with these constraints, the impact from exploitation could be severe because it enables direct manipulation of the SD-WAN control plane.
Cisco Catalyst SD-WAN is a core networking platform used to manage and secure traffic across distributed sites. The Controller and Manager components drive routing decisions, enforce policy, and push configuration across the environment. Because these systems sit at the center of the control plane, any unauthorized access carries significant operational risk. This makes the issue high-risk, and affected systems should be patched promptly.
The Canadian Centre for Cyber Security outlines several actions that reduce risk exposure, which include:
- Applying all available patches including those addressing CVE-2026-20127
- Collecting relevant artifacts such as virtual snapshots and SD-WAN logs
- Reviewing environments for signs of compromise using the procedures in the Cisco Catalyst SD-WAN threat hunting guide
- Applying Cisco’s SD-WAN hardening guidance to limit attack surface and strengthen configuration baselines