Critical Vulnerability in CISCO Catalyst SD-WAN Authentication Bypass 0-Day; Patch Now

Vulnerability in Cisco Catalyst SD-WAN Controller; Cisco Talos is tracking the active exploitation of CVE-2026-20127.

Summary:

Cisco has released a security advisory addressing a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. The vulnerability has reportedly been exploited in zero-day attacks since 2023.

Talos clusters this exploitation and the subsequent post-compromise activity as “UAT-8616”, a group it assesses with high confidence to be a highly sophisticated cyber threat actor.

OEM: Cisco
Severity: Critical
CVSS Score: 10.0
CVEs: CVE-2026-20127
POC Available: No
Actively Exploited: Yes
Exploited in Wild: Yes
Advisory Version: 1.0

Overview 

The flaw exists in the peering authentication mechanism and allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on affected systems.

Successful exploitation may allow attackers to create rogue SD-WAN peers and gain trusted access to the management or control plane of enterprise networks. 

Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version
SD-WAN Controller Authentication Bypass | CVE-2026-20127 | Cisco Catalyst SD-WAN Controller & Manager | Critical | Cisco Fixed Releases

Technical Summary 

CVE-2026-20127 is a critical authentication bypass vulnerability caused by improper implementation of the peering authentication mechanism in Cisco Catalyst SD-WAN systems.  

An unauthenticated attacker can exploit this vulnerability by sending specially crafted requests to affected systems, allowing them to bypass authentication controls and gain administrative-level access.  

Threat actors have reportedly used this zero-day vulnerability since 2023 to compromise SD-WAN infrastructure and establish unauthorized access.  

Successful exploitation may result in: 

  • Unauthorized administrative access 
  • Network infrastructure compromise 
  • Creation of rogue SD-WAN devices 
  • Traffic monitoring or manipulation 
  • Persistent network access 

CVE ID | System Affected | Vulnerability Details | Impact
CVE-2026-20127 | Cisco Catalyst SD-WAN Controller & Manager | Authentication bypass due to faulty peering authentication | Full administrative compromise

Devices affected  

The vulnerability impacts: 

  • Google Chrome on Windows 
  • Google Chrome on macOS 
  • Google Chrome on Linux 

Chromium-based browsers may also be affected depending on version alignment. 

Remediation:  

Upgrade immediately to Cisco SD-WAN software versions containing security fixes as provided in Cisco advisory cisco-sa-sdwan-rpa-EHchtZk.  

Organizations should prioritize patching internet-facing SD-WAN controllers. 

If immediate patching is not possible, implement the following interim controls: 

  1. Restrict access to SD-WAN management interfaces to trusted IP addresses only. 
  2. Monitor authentication logs for unauthorized access attempts. 
  3. Disable unnecessary external connectivity to SD-WAN controllers. 
  4. Monitor for unknown SD-WAN peers or abnormal configuration changes. 
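The following is an added example (not from the advisory or from Cisco) of how the first, second and fourth interim controls can be checked automatically: it compares a peer export against a known-device inventory and flags successful administrative logins from outside a trusted management range. The peer-record and log-line formats, IP addresses and inventory are all constructed for the example; real exports from Cisco SD-WAN Manager would need their own parser.

```python
"""Flag unknown SD-WAN peers and admin logins from untrusted sources."""
import ipaddress

# Constructed peer export (hypothetical format): role,system-ip,site.
PEER_RECORDS = """\
vsmart,10.0.0.11,site=100
vbond,10.0.0.12,site=100
vedge,10.0.1.20,site=200
vedge,192.0.2.77,site=999
"""

# Constructed inventory of peers the organisation knows it deployed.
KNOWN_PEERS = {"10.0.0.11", "10.0.0.12", "10.0.1.20"}

# Constructed authentication log lines (hypothetical key=value format).
AUTH_LOG = """\
2026-02-25T10:01:02Z user=admin src=10.0.0.5 result=success
2026-02-25T10:03:40Z user=admin src=198.51.100.9 result=success
2026-02-25T10:04:11Z user=netops src=10.0.0.6 result=failure
"""

# Assumed trusted management network (interim control 1).
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/24")]


def unknown_peers(records: str, known: set) -> list:
    """Return system IPs present in the export but absent from inventory."""
    found = []
    for line in records.splitlines():
        if not line.strip():
            continue
        _role, system_ip, _site = line.split(",", 2)
        if system_ip not in known:
            found.append(system_ip)
    return found


def untrusted_admin_logins(log: str, trusted: list) -> list:
    """Return source IPs of successful admin logins outside trusted ranges."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("user") == "admin" and fields.get("result") == "success":
            src = ipaddress.ip_address(fields["src"])
            if not any(src in net for net in trusted):
                hits.append(fields["src"])
    return hits


if __name__ == "__main__":
    print("unknown peers:", unknown_peers(PEER_RECORDS, KNOWN_PEERS))
    print("untrusted admin logins:", untrusted_admin_logins(AUTH_LOG, TRUSTED_MGMT))
```

Any hit from either function is a lead to investigate against the rogue-peer and unauthorized-access behaviour described above, not proof of compromise on its own.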

Conclusion:

CVE-2026-20127 represents a critical infrastructure vulnerability affecting Cisco SD-WAN deployments worldwide. The flaw allows unauthenticated attackers to gain administrative access and has been actively exploited for several years before public disclosure. 

Organizations using Cisco SD-WAN solutions should apply patches immediately and monitor for signs of compromise, especially in internet-exposed environments. 

References:  

https://blog.talosintelligence.com/uat-8616-sd-wan
