Alert - AL26-004 - Critical vulnerability affecting Cisco Catalyst SD-WAN - CVE-2026-20127

Number: AL26-004
Date: February 25, 2026

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested

Details

The Canadian Centre for Cyber Security (Cyber Centre) is aware of active exploitation of Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) devices^{Footnote 1Footnote 2}. In response to the Cisco security advisory released on February 25, 2026^{Footnote 3}, the Cyber Centre issued AV26-166⁴ on February 25, 2026.

Tracked as CVE-2026-20127^{Footnote 5}, this vulnerability is a critical Improper Authentication vulnerability (CWE-287)^{Footnote 6} affecting the peering authentication process of Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). It could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.

Cisco Catalyst SD-WAN Controller systems that have internet-exposed management or control planes and have ports exposed are at risk of compromise.

This vulnerability affects the following deployment types:

• On-Prem Deployment
• Cisco Hosted SD-WAN Cloud - Cisco Managed
• Cisco Hosted SD-WAN Cloud - FedRAMP Environment
• Cisco Hosted SD-WAN Cloud

The Cyber Centre is aware of incidents involving CVE-2026-20127. The reports indicate that malicious rogue peers were added to the configuration of affected organization’s SD-WAN. This allowed multiple follow-up actions including administrative access, persistence and long-term access to SD-WAN networks.

Suggested actions

The Cyber Centre recommends that organizations upgrade affected Cisco Catalyst SD-WAN instances to a fixed version:

The Cyber Centre also recommends organizations to:

• Collect artifacts, including virtual snapshots and logs from SD-WAN technology
• Fully patch SD-WAN technology including those that are affected by CVE-2026-20127
• Hunt for evidence of compromise as detailed in the Hunt Guide^{Footnote 7}; and
• Implement Cisco’s SD-WAN hardening guidance^{Footnote 8}

Cisco’s Catalyst SD-WAN hardening guidance should be reviewed in full and includes advice on the following:

• Network perimeter controls: Ensure control components are behind a firewall, isolate VPN 512 (management) interfaces, and use IP blocks for manually provisioned edge IPs.
• SD-WAN Manager access: Replace the self-signed certificate for the web user interface
• Control and data plane security: Use pairwise keying
• Session timeout: Limit to the shortest period possible
• Logging: Forward to a remote syslog server

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre's Top 10 IT Security Actions with an emphasis on the following topics^{Footnote 9}.

• Consolidating, monitoring, and defending internet gateways
• Patch operating systems and applications
• Harden operating systems and applications
• Isolate web-facing applications

Should activity matching the content of this alert be discovered, recipients are encouraged to report via My Cyber Portal, or email contact@cyber.gc.ca.

References