A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
Security readout for executives and security teams
Plain-English summary
CVE-2026-20127 is a critical Cisco Catalyst SD-WAN authentication bypass. A remote unauthenticated attacker could gain high-privileged internal access and change SD-WAN fabric configuration. CISA lists it in KEV, so active exploitation is supported by a cited government source.
Executive priority
Treat as emergency priority for any Cisco Catalyst SD-WAN environment. It is critical severity, remotely exploitable without credentials, and listed in CISA KEV. The business risk is unauthorized control of SD-WAN configuration, which can disrupt or redirect enterprise connectivity.
Technical view
The flaw is improper peering authentication in Cisco Catalyst SD-WAN Controller, Manager, and Validator. Crafted requests can bypass authentication and log in as an internal high-privileged non-root user. That access can reach NETCONF and manipulate SD-WAN network configuration. CVSS is 10.0: network-reachable, low complexity, no privileges, no user interaction.
Likely exposure
Organizations running affected Cisco Catalyst SD-WAN Controller, Manager, or Validator deployments are exposed, especially where SD-WAN control-plane services are reachable from untrusted networks. The provided affected-version data is extensive but incomplete for all named components, so confirm against Cisco’s advisory and local software inventory.
Exploitation context
CISA KEV listing indicates known exploitation. The source bundle does not provide exploit details, actor attribution, or exploitation scale. Because exploitation can grant administrative-level control over SD-WAN configuration, compromise could affect routing, segmentation, availability, and traffic handling across the fabric.
Researcher notes
The bundle supports CWE-287, CVSS 10.0, unauthenticated remote access, and KEV status. It does not include fixed-version details or Cisco’s full product matrix beyond the supplied affected Manager versions. Avoid assuming exploit mechanics beyond crafted requests and authentication bypass described by Cisco/CVE sources.
Mitigation direction
Check Cisco’s advisory for fixed releases and component-specific remediation guidance.
Prioritize upgrades or vendor-directed mitigations for all exposed SD-WAN controllers, managers, and validators.
Restrict management and control-plane access to trusted networks only.
Review SD-WAN administrative accounts and configuration integrity after remediation.
Follow CISA KEV remediation timelines if applicable to your organization.
Validation and detection
Inventory Cisco Catalyst SD-WAN Controller, Manager, and Validator versions.
Compare installed versions against Cisco’s advisory and affected-version data.
Confirm whether devices are reachable from untrusted networks.
Review authentication, NETCONF, and configuration-change logs for suspicious activity.
Verify remediation by confirming upgraded or mitigated versions in production.
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-287: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
Exploitation: activeAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-287 · source CWE mapping
Improper Authentication
Improper Authentication represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.