Advisory 2026-0508 - Cisco Catalyst SD-WAN Manager and SD-WAN Controller: Multiple Vulnerabilities

Attention: You can now also find information from the Vulnerability Advisory Service in the CTI portal!
The CTI portal is available at the following address: https://cti-portal.telekom.net/advisories/2026-0508
Notice: This advisory is by exception shown completely public. You will regularly receive details on vulnerability information as a customer via your login or through our daily advisory e-mail.
Attack probability: 5 (high)
Potential damage: 5 (high)
remote anonymous attacker
Exploit available
Date: 2026-02-26
Release: 2026-03-06 UPDATE

Operating System

  • CISCO Appliance

Software

  • Cisco Catalyst SD-WAN Manager < 20.12.5.3
  • Cisco Catalyst SD-WAN Manager < 20.12.6.1
  • Cisco Catalyst SD-WAN Manager < 20.15.4.2
  • Cisco Catalyst SD-WAN Manager < 20.18.2.1
  • Cisco Catalyst SD-WAN Manager < 20.9.8.2
  • Cisco Catalyst SD-WAN Manager SD-WAN Controller < 20.12.5.3
  • Cisco Catalyst SD-WAN Manager SD-WAN Controller < 20.12.6.1
  • Cisco Catalyst SD-WAN Manager SD-WAN Controller < 20.15.4.2
  • Cisco Catalyst SD-WAN Manager SD-WAN Controller < 20.18.2.1
  • Cisco Catalyst SD-WAN Manager SD-WAN Controller < 20.9.8.2

Attack

A remote anonymous or a local attacker can exploit multiple vulnerabilities in Cisco Catalyst SD-WAN Manager in order to gain administrative rights, to bypass authentication, to execute commands with netadmin privileges, to read sensitive system information and to overwrite arbitrary files on the system.

Description

Cisco Catalyst SD-WAN is a networking solution that combines software-defined wide-area networking (SD-WAN) capabilities with Cisco Catalyst Series switches to optimize and secure network performance across distributed locations.

CVE-2026-20122, CVE-2026-20126, CVE-2026-20128, CVE-2026-20129, CVE-2026-20133

There are multiple vulnerabilities in Cisco Catalyst SD-WAN Manager. These vulnerabilities affect several components, including the API authentication mechanism, REST API authorization logic, Data Collection Agent (DCA) feature, and filesystem access controls, due to issues such as improper authentication, insufficient authorization checks, improper file handling, and inadequate filesystem access restrictions. A remote anonymous or a local attacker can exploit these vulnerabilities to bypass authentication and execute commands with netadmin privileges, to escalate privileges to root, to read sensitive system information and to overwrite arbitrary files on the system.

CVSSv2 Base Score: 10.0 / Temporal Score: 8.7
AV:N/AC:L/AU:N/C:C/I:C/A:C/E:H/RL:OF/RC:ND
CVSSv3.1 Base Score: 9.8 / Temporal Score: 9.4
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:X

CVE-2026-20127

There is a vulnerability in Cisco Catalyst SD-WAN Manager and Catalyst SD-WAN Controller. Due to improper peering authentication in the SD-WAN peering mechanism, authentication controls can be bypassed. A remote anonymous attacker can exploit this vulnerability by sending crafted requests to obtain administrative privileges, which allows access to NETCONF and manipulation of network configuration within the SD-WAN fabric.

CVSSv2 Base Score: 10.0 / Temporal Score: 8.7
AV:N/AC:L/AU:N/C:C/I:C/A:C/E:H/RL:OF/RC:ND
CVSSv3.1 Base Score: 10.0 / Temporal Score: 9.5
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:X

The vulnerabilities CVE-2026-20127, CVE-2026-20128, and CVE-2026-20122 are already being exploited. PoC code taking advantage of the vulnerability CVE-2026-20127 is available on the Internet.

Recommendation

Cisco provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
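
To triage an inventory against the "<" thresholds listed under Software, the following added example (not part of the original advisory or of Cisco's tooling) classifies installed versions. It assumes each listed threshold is the first fixed release of its maintenance branch (first three version components). The hostnames and installed versions are constructed; the vendor advisory remains authoritative.

```python
# Added example: triage versions against the thresholds listed under Software.
# Assumption: each threshold is the first fixed release of its maintenance
# branch (first three components). Confirm targets in the vendor advisory.
FIXED = ["20.9.8.2", "20.12.5.3", "20.12.6.1", "20.15.4.2", "20.18.2.1"]


def parse(version):
    """'20.12.5' -> (20, 12, 5, 0); pads to four numeric components."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def triage(version):
    """Return (status, upgrade_target) for one installed version string."""
    v = parse(version)
    train = sorted(f for f in map(parse, FIXED) if f[:2] == v[:2])
    if not train:
        # No threshold is listed for this major.minor train on the page.
        return ("check-vendor-advisory", None)
    for fix in train:
        same_branch = fix[:3] == v[:3]
        # Fixed if at/above the fix of its own branch, or above the newest fix.
        if v >= fix and (same_branch or fix == train[-1]):
            return ("at-or-above-fixed", None)
    # Below the fix for its branch: suggest the lowest listed fix above it.
    target = next(f for f in train if f > v)
    return ("affected", ".".join(map(str, target)))


# Constructed sample inventory (hostnames and versions are illustrative).
INVENTORY = {
    "vmanage-01": "20.12.5.2",
    "vsmart-01": "20.12.6.1",
    "vmanage-02": "20.15.4",
    "vsmart-02": "20.13.1",
    "vmanage-03": "20.9.8.2",
}


def report(inventory):
    """Map each host to its (status, upgrade_target) tuple."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, (status, target) in report(INVENTORY).items():
        print(f"{host:12} {status:22} {target or '-'}")
```

A release in a train without a listed threshold (20.13 in the sample) is reported as `check-vendor-advisory` rather than guessed.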

Information

Cisco Security Advisory cisco-sa-sdwan-authbp-qwCX8D4v dated 2026-02-25
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v

Cisco Security Advisory cisco-sa-sdwan-rpa-EHchtZk dated 2026-02-25
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

CISA KEV: CVE-2026-20127 Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability dated 2026-02-25
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Cisco Talos Blog: Active exploitation of Cisco Catalyst SD-WAN by UAT-8616 dated 2026-02-25
https://blog.talosintelligence.com/uat-8616-sd-wan/

Australian Signals Directorate - Cisco SD-WAN Threat Hunt Guide
https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf

UPDATE 2026-03-05

PoC CVE-2026-20127
https://github.com/zerozenxlabs/CVE-2026-20127---Cisco-SD-WAN-Preauth-RCE

References

CISCO-ADV-ID:CISCO-SA-SDWAN-AUTHBP-QWCX8D4V
CISCO-ADV-ID:CISCO-SA-SDWAN-RPA-EHCHTZK
CISCO-BUG:CSCWS33583
CISCO-BUG:CSCWS33584
CISCO-BUG:CSCWS33585
CISCO-BUG:CSCWS33586
CISCO-BUG:CSCWS33587
CISCO-BUG:CSCWS52722
CISCO-BUG:CSCWS93470
CVE:CVE-2026-20122
CVE:CVE-2026-20126
CVE:CVE-2026-20127
CVE:CVE-2026-20128
CVE:CVE-2026-20129
CVE:CVE-2026-20133

Disclaimer

*The probability of an attack is determined by the attacker's motivation, the necessary effort and the possibilities for an attack. The damage probability is determined by the effort needed to resolve the attack and probable indirect consequences of an attack for business processes. Telekom Security assumes worst case scenarios.

Copyright © 1999-2026 Deutsche Telekom Security GmbH. All rights reserved. Reproduction and distribution of this publication in any form - even in parts - without prior written permission is forbidden.

The information contained herein has been obtained from sources believed to be reliable and trusted or have been verified. Telekom Security can take liability for completeness, accuracy and correctness only in so far, as gross negligence or intention create liability. Any liability beyond it, in particular possible damages resulting from using or non-usability of the information contained herein, is excluded.