A Perfect 10 — And It's Been Exploited for Three Years
CVE-2026-20127 is the kind of vulnerability that keeps network defenders up at night. Rated CVSS 10.0 — the maximum possible severity — it allows an unauthenticated remote attacker to bypass authentication entirely and obtain full administrative privileges on affected Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) systems.
What makes this worse: evidence confirms the vulnerability has been actively exploited in the wild since at least 2023, meaning adversaries have had years of access before the bug was even publicly identified.
Attack Chain
The exploitation follows a two-stage approach:
| Stage | Action | Result |
|---|---|---|
| 1. Auth Bypass | Attacker sends crafted request exploiting CVE-2026-20127 | Full admin access to SD-WAN controller/manager |
| 2. Privilege Escalation | Attacker downgrades software to a version vulnerable to CVE-2022-20775 | Root-level system access |
This chaining technique — a zero-day to gain administrative access, then using that access to install an older software build and exploit a long-patched bug for root — demonstrates sophisticated operational tradecraft. The attackers gain complete control of the SD-WAN fabric, potentially allowing them to intercept, redirect, or manipulate all network traffic flowing through the managed infrastructure. One consequence for defenders: a system's current software version is not evidence of a clean history. A fully patched build today says nothing about whether the same system was downgraded and rooted at some point since 2023, so hunting has to look at version history and administrative audit records, not just present state.
Five Eyes Emergency Response
On February 25, 2026, CISA published Emergency Directive ED 26-03 alongside a joint advisory co-authored with the cyber security agencies of the other Five Eyes partners:
- NSA (United States)
- NCSC-UK (United Kingdom)
- Cyber Centre (Canada)
- ASD's ACSC (Australia)
- NCSC-NZ (New Zealand)
The joint advisory includes a comprehensive threat hunting guide to help organizations detect signs of compromise, along with hardening recommendations for Cisco SD-WAN deployments in both on-premises and cloud configurations.
Federal Agency Requirements (ED 26-03)
| Deadline | Requirement |
|---|---|
| February 26, 2026 | Provide a catalog of all in-scope SD-WAN systems |
| March 5, 2026 | Submit detailed inventory with version and configuration data |
| March 12, 2026 | Complete patching or apply mitigations to all affected systems |
| Ongoing | Run threat hunting playbook and report any indicators of compromise |
Affected Products
The vulnerability impacts:
- Cisco Catalyst SD-WAN Controller (formerly Cisco vSmart Controller)
- Cisco Catalyst SD-WAN Manager (formerly Cisco vManage)
- Both on-premises and SD-WAN Cloud deployments
Cisco has released patches and urges all customers to update immediately. Organizations that cannot patch yet should isolate management interfaces from the internet and restrict access to trusted networks only. Either way, because exploitation predates the fix by years, patching alone does not clear a system: the threat hunt is still required on every instance, patched or not.
Why This Matters
SD-WAN controllers sit at the heart of modern enterprise networking. Compromising one gives an attacker visibility into — and control over — traffic routing across an organization's entire wide-area network, including branch offices, data centers, and cloud connections.
The fact that this exploitation has been ongoing since 2023 suggests that the scope of compromise across government and enterprise networks could be extensive. The Five Eyes coordination signals that this is not a theoretical risk — it's an active, ongoing campaign affecting organizations globally.
What You Should Do
- Inventory all Cisco SD-WAN Controller and Manager instances immediately
- Patch to the latest Cisco-recommended version
- Hunt for indicators of compromise using the Five Eyes threat hunting guide
- Restrict management interface access to trusted networks only
- Monitor for unusual administrative activity, configuration changes, or unexpected software version downgrades (stage 2 of the attack chain above)
- Report any suspected compromise to CISA at cisa.gov/report
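As an added example (this is not code from the advisory, from Cisco, or from the original page), the script below automates two of the checks above against inventory snapshots: it flags any Controller or Manager whose software version went backward between two exports, and it flags any management IP that falls outside the trusted management ranges. The CSV layout (hostname, role, version, mgmt_ip), the version strings and the addresses are all constructed for illustration; none of the version numbers should be read as a fixed or vulnerable build, and the `find_downgrades` / `find_exposed` function names are this example's own.

```python
"""Downgrade and management-exposure checks over two SD-WAN inventory snapshots.

Added example, not from the Five Eyes advisory or Cisco. The inventory CSV
format and every value in the samples below are constructed for illustration.
"""
from __future__ import annotations

import csv
import io
import ipaddress
import re

# Constructed sample exports. Column layout is an assumption of this example,
# not a Cisco export format. Version numbers are placeholders only.
BEFORE = """hostname,role,version,mgmt_ip
vmanage-01,manager,20.12.4,10.20.0.10
vsmart-01,controller,20.12.4,10.20.0.11
vsmart-02,controller,20.12.4,203.0.113.25
"""

AFTER = """hostname,role,version,mgmt_ip
vmanage-01,manager,20.12.4,10.20.0.10
vsmart-01,controller,20.9.1,10.20.0.11
vsmart-02,controller,20.12.4,203.0.113.25
vsmart-03,controller,20.12.4,10.20.0.12
"""

TRUSTED_MGMT_CIDRS = ["10.20.0.0/16"]  # assumed trusted management network

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(s: str) -> tuple[int, ...]:
    """'20.12.4' -> (20, 12, 4).

    Numeric tuples are required: as strings, '20.9.1' sorts *after* '20.12.4',
    so a plain string comparison would miss exactly the downgrade we want.
    Anything unparseable raises, so a garbled row is noticed rather than
    silently compared as equal.
    """
    s = s.strip()
    if not _VERSION_RE.match(s):
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in s.split("."))


def load_inventory(csv_text: str) -> dict[str, dict[str, str]]:
    """Map hostname -> row for the constructed CSV layout."""
    return {row["hostname"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def find_downgrades(before_csv: str, after_csv: str) -> list[dict[str, str]]:
    """Hosts present in both snapshots whose version moved backward."""
    before = load_inventory(before_csv)
    after = load_inventory(after_csv)
    findings = []
    for host, new in after.items():
        old = before.get(host)
        if old is None:
            continue  # newly seen host: nothing to compare against yet
        if parse_version(new["version"]) < parse_version(old["version"]):
            findings.append({"hostname": host, "role": new["role"],
                             "from": old["version"], "to": new["version"]})
    return findings


def find_exposed(inv_csv: str, trusted_cidrs: list[str]) -> list[str]:
    """Hosts whose management IP is outside every trusted CIDR."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    exposed = []
    for host, row in load_inventory(inv_csv).items():
        ip = ipaddress.ip_address(row["mgmt_ip"])
        if not any(ip in n for n in nets):
            exposed.append(host)
    return exposed


if __name__ == "__main__":
    for f in find_downgrades(BEFORE, AFTER):
        print(f"DOWNGRADE {f['hostname']} ({f['role']}): {f['from']} -> {f['to']}")
    for host in find_exposed(AFTER, TRUSTED_MGMT_CIDRS):
        print(f"EXPOSED   {host}: management IP outside trusted ranges")
```

Run it against two real exports taken a few days apart and it reports every instance that went backward, which is the event the attack chain depends on and which no current-version check will surface. A downgrade finding on an instance that is "fully patched" today is precisely the case to escalate into the hunting playbook rather than close out.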