Active Exploitation of Critical Vulnerability in Cisco Catalyst SD-WAN
26 February 2026
Cisco has released security updates to address a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN. Users and administrators of affected products are advised to upgrade to a fixed release immediately.
Background
Cisco has released security updates to address a critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). The vulnerability has a Common Vulnerability Scoring System (CVSS v3.1) score of 10 out of 10.
Impact
Successful exploitation of the authentication bypass vulnerability could allow an unauthenticated remote attacker to obtain administrative privileges on an affected system. This access enables manipulation of SD-WAN fabric configurations, insertion of rogue peers, and unauthorised control of network traffic. Attackers could then establish encrypted malicious connections and move laterally across organisational infrastructure.
Known Exploitation
This vulnerability is reportedly being exploited in the wild.
Affected Products
This vulnerability affects the following deployment types:
On-Prem Deployment
Cisco Hosted SD-WAN Cloud
Cisco Hosted SD-WAN Cloud - Cisco Managed
Cisco Hosted SD-WAN Cloud - FedRAMP Environment
This vulnerability affects the following Cisco Catalyst SD-WAN versions:
All releases earlier than 20.9
20.9.x prior to 20.9.8.2
20.11
20.12.x prior to 20.12.5.3 / 20.12.6.1
20.13 and 20.14
20.15.x prior to 20.15.4.2
20.16
20.18.x prior to 20.18.2.1
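To turn the version list above into something an administrator can run against an inventory export, the following added example (not Cisco's tooling, and not part of the original advisory) parses a release string and checks it against the affected ranges as transcribed here. Where the advisory names two fixed releases in the 20.12 train (20.12.5.3 / 20.12.6.1), the example assumes each fixes its own maintenance branch, so 20.12.6.0 is still treated as affected; trains the advisory does not mention (for example 20.10 and 20.17) are reported as "not listed" rather than guessed at.

```python
"""Check a Cisco Catalyst SD-WAN release string against the affected-version
list in this advisory. The table below is transcribed from the advisory; the
parsing and comparison logic is the example's own, not Cisco's."""

import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# (major, minor) train -> fixed releases in that train, transcribed from the
# advisory. An empty list means the advisory lists the whole train as affected
# without naming a fixed release.
FIXED_RELEASES: Dict[Tuple[int, int], List[Version]] = {
    (20, 9): [(20, 9, 8, 2)],
    (20, 11): [],
    (20, 12): [(20, 12, 5, 3), (20, 12, 6, 1)],
    (20, 13): [],
    (20, 14): [],
    (20, 15): [(20, 15, 4, 2)],
    (20, 16): [],
    (20, 18): [(20, 18, 2, 1)],
}


def parse_version(text: str) -> Version:
    """Turn '20.12.5.3', '20.9.8', or '20.11' into a 4-tuple of ints so that
    releases compare correctly with plain tuple ordering."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+){1,3}", text):
        raise ValueError(f"not a release number: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # type: ignore[return-value]


def is_affected(text: str) -> Optional[bool]:
    """True if the release is in an affected range, False if it is at or above
    the fixed release for its branch, None if its train is not in the advisory."""
    v = parse_version(text)
    train = v[:2]
    if train < (20, 9):
        return True  # "All releases earlier than 20.9"
    if train not in FIXED_RELEASES:
        return None  # e.g. 20.10, 20.17: not mentioned in the advisory
    fixed = FIXED_RELEASES[train]
    if not fixed:
        return True  # whole train listed as affected (20.11, 20.13, 20.14, 20.16)
    # Assumption: a fixed release applies to its own maintenance branch
    # (first three components). If this branch has a named fix, compare
    # against it; otherwise the release is affected only if it is older than
    # the newest fix in the train ("20.x.y prior to ...").
    branch_fix = next((f for f in fixed if f[:3] == v[:3]), None)
    if branch_fix is not None:
        return v < branch_fix
    return v < max(fixed)


if __name__ == "__main__":
    # Constructed inventory sample, not real devices.
    for release in ("20.8.1", "20.9.8.1", "20.9.8.2", "20.12.6.0", "20.12.6.1", "20.10.1"):
        status = {True: "AFFECTED", False: "fixed", None: "not listed"}[is_affected(release)]
        print(f"{release:<10} {status}")
```

Feed it the release column of a controller/manager inventory and act on anything reported as AFFECTED; releases reported as "not listed" should be checked directly against Cisco's advisory rather than assumed safe.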
Recommendation
Users and administrators of affected products are advised to upgrade to a fixed release immediately and review systems for indicators of compromise (IoCs). After patching and checking for IoCs, environments should be hardened to reduce exposure.
For detailed guidance, please refer to Cisco's official advisory.
Indicators of Compromise
Possible IoCs to support immediate detection, hunting, and containment:
Log entries in /var/log/auth.log showing "Accepted publickey for vmanage-admin" from unknown or unauthorised IP addresses
Unexpected control-connection peering events involving vmanage peers from unrecognised IP addresses or at unusual times
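The first IoC above is a plain text match that can be hunted with a short script. The following added example (not part of the advisory, and not Cisco's tooling) parses standard OpenSSH "Accepted" lines from an auth.log excerpt, keeps only logins as vmanage-admin, and flags those whose source address is outside a set of expected controller/peer addresses. The allowlist and the log lines are constructed for the example; an operator would substitute the addresses their own controllers actually connect from.

```python
"""Hunt an auth.log excerpt for accepted vmanage-admin logins from addresses
that are not expected SD-WAN peers. Added example; log lines and the peer
allowlist are constructed, not taken from a real deployment."""

import ipaddress
import re
from typing import Iterable, List, Tuple

# Standard OpenSSH "Accepted <method> for <user> from <ip> port <n>" line.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed allowlist (assumption): networks the controllers are expected
# to peer from in this fictional deployment.
EXPECTED_PEERS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]

# Constructed sample excerpt of /var/log/auth.log. The second line is the
# pattern the advisory describes: a publickey login as vmanage-admin from an
# address that is not a known peer.
SAMPLE_AUTH_LOG = """\
Feb 26 02:58:11 vmanage sshd[1401]: Accepted publickey for vmanage-admin from 10.20.0.5 port 41518 ssh2: RSA SHA256:constructedkey1
Feb 26 03:14:07 vmanage sshd[2187]: Accepted publickey for vmanage-admin from 203.0.113.45 port 51422 ssh2: RSA SHA256:constructedkey2
Feb 26 03:14:09 vmanage sshd[2187]: pam_unix(sshd:session): session opened for user vmanage-admin by (uid=0)
Feb 26 03:20:41 vmanage sshd[2311]: Accepted password for netops from 198.51.100.7 port 50211 ssh2
Feb 26 03:22:03 vmanage sshd[2399]: Accepted publickey for vmanage-admin from 192.0.2.10 port 60002 ssh2: RSA SHA256:constructedkey3
"""


def is_expected(ip: str) -> bool:
    """True if the address falls inside one of the expected peer networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_PEERS)


def find_suspicious_logins(lines: Iterable[str], user: str = "vmanage-admin") -> List[Tuple[str, str, str]]:
    """Return (timestamp, auth method, source ip) for every accepted login as
    `user` whose source address is not an expected peer."""
    findings = []
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if not m or m["user"] != user:
            continue  # not an accepted login, or a different account
        if not is_expected(m["ip"]):
            findings.append((m["ts"], m["method"], m["ip"]))
    return findings


if __name__ == "__main__":
    for ts, method, ip in find_suspicious_logins(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{ts}  {method:<10} vmanage-admin from {ip}  <- not an expected peer")
```

Run it over the real file with `find_suspicious_logins(open("/var/log/auth.log"))`; each finding is a lead to correlate with the second IoC (control-connection peering from the same address or at the same time) rather than a confirmed compromise on its own.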