Advisory 2026-0508 - Cisco Catalyst SD-WAN Manager and SD-WAN Controller: Multiple Vulnerabilities
The CTI portal is available at the following address: https://cti-portal.telekom.net/advisories/2026-0508
5 |
|
5 |
|
Date
- 2026-02-26
Release
- 2026-03-06 UPDATE
Operating System
- CISCO Appliance
Software
- Cisco Catalyst SD-WAN Manager < 20.12.5.3
- Cisco Catalyst SD-WAN Manager < 20.12.6.1
- Cisco Catalyst SD-WAN Manager < 20.15.4.2
- Cisco Catalyst SD-WAN Manager < 20.18.2.1
- Cisco Catalyst SD-WAN Manager < 20.9.8.2
- Cisco Catalyst SD-WAN Manager SD-WAN Controller < 20.12.5.3
- Cisco Catalyst SD-WAN Manager SD-WAN Controller < 20.12.6.1
- Cisco Catalyst SD-WAN Manager SD-WAN Controller < 20.15.4.2
- Cisco Catalyst SD-WAN Manager SD-WAN Controller < 20.18.2.1
- Cisco Catalyst SD-WAN Manager SD-WAN Controller < 20.9.8.2
Attack
A remote anonymous attacker or a local attacker can exploit multiple vulnerabilities in Cisco Catalyst SD-WAN Manager to gain administrative rights, bypass authentication, execute commands with netadmin privileges, read sensitive system information and overwrite arbitrary files on the system.
Description
Cisco Catalyst SD-WAN is a networking solution that combines software-defined wide-area networking (SD-WAN) capabilities with Cisco Catalyst Series switches to optimize and secure network performance across distributed locations.
CVE-2026-20122, CVE-2026-20126, CVE-2026-20128, CVE-2026-20129, CVE-2026-20133
There are multiple vulnerabilities in Cisco Catalyst SD-WAN Manager. They affect several components, including the API authentication mechanism, the REST API authorization logic, the Data Collection Agent (DCA) feature and the filesystem access controls. The underlying issues are improper authentication, insufficient authorization checks, improper file handling and inadequate filesystem access restrictions. A remote anonymous attacker or a local attacker can exploit these vulnerabilities to bypass authentication and execute commands with netadmin privileges, to escalate privileges to root, to read sensitive system information and to overwrite arbitrary files on the system.
CVE-2026-20127
There is a vulnerability in Cisco Catalyst SD-WAN Manager and Catalyst SD-WAN Controller. Due to improper peering authentication in the SD-WAN peering mechanism, authentication controls can be bypassed. A remote anonymous attacker can exploit this vulnerability by sending crafted requests to obtain administrative privileges, which allows access to NETCONF and manipulation of network configuration within the SD-WAN fabric.
The vulnerabilities CVE-2026-20127, CVE-2026-20128, and CVE-2026-20122 are already being exploited. PoC code taking advantage of the vulnerability CVE-2026-20127 is available on the Internet.
Recommendation
Cisco provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
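To triage an inventory against the version bounds listed under Software, the following check can be used. It is an added example, not code from Telekom Security or Cisco. It assumes that each listed bound is the first fixed release of its maintenance branch (so 20.12.5.x is fixed from 20.12.5.3 and 20.12.6.x from 20.12.6.1) and that the same bounds apply to Manager and Controller, as listed; release trains not named on this page are reported as unknown and must be looked up in the vendor's advisory. Hostnames and installed versions are constructed.

```python
# Added example: triage installed versions against the bounds listed under "Software".
# Assumption: each bound is the first fixed release of its maintenance branch.
FIXED_BOUNDS = ["20.9.8.2", "20.12.5.3", "20.12.6.1", "20.15.4.2", "20.18.2.1"]


def parse(version):
    """Turn '20.12.5.3' into (20, 12, 5, 3), padding short versions with zeros."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version, bounds=FIXED_BOUNDS):
    """Return 'affected', 'fixed' or 'unknown' for one installed version."""
    v = parse(version)
    train = [b for b in map(parse, bounds) if b[:2] == v[:2]]
    if not train:
        return "unknown"  # release train not listed here: check the vendor advisory
    # Bounds on the same or an older maintenance branch than the installed one.
    candidates = [b for b in train if b[:3] <= v[:3]]
    if not candidates:
        return "affected"  # older than every fixed branch of this train
    return "fixed" if v >= max(candidates) else "affected"


def triage(inventory):
    """Map {hostname: version} to {hostname: status}; unparsable versions are 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed inventory (hostnames and versions are made up for this example).
SAMPLE = {
    "vmanage-01": "20.12.5.2",
    "vmanage-02": "20.12.6.1",
    "vsmart-01": "20.15.3",
    "vsmart-02": "20.18.2.1",
    "vsmart-03": "20.16.1",
    "lab-01": "20.9.x",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:12} {SAMPLE[host]:10} {status}")
```

Hosts reported as unknown still need a manual check against the vendor's advisory before they are considered safe.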
Information
Cisco Security Advisory cisco-sa-sdwan-authbp-qwCX8D4v dated 2026-02-25
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
Cisco Security Advisory cisco-sa-sdwan-rpa-EHchtZk dated 2026-02-25
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
CISA KEV: CVE-2026-20127 Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability dated 2026-02-25
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Cisco Talos Blog: Active exploitation of Cisco Catalyst SD-WAN by UAT-8616 dated 2026-02-25
https://blog.talosintelligence.com/uat-8616-sd-wan/
Australian Signals Directorate - Cisco SD-WAN Threat Hunt Guide
https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf
PoC CVE-2026-20127
https://github.com/zerozenxlabs/CVE-2026-20127---Cisco-SD-WAN-Preauth-RCE
References
CISCO-ADV-ID:CISCO-SA-SDWAN-AUTHBP-QWCX8D4V
CISCO-ADV-ID:CISCO-SA-SDWAN-RPA-EHCHTZK
CISCO-BUG:CSCWS33583
CISCO-BUG:CSCWS33584
CISCO-BUG:CSCWS33585
CISCO-BUG:CSCWS33586
CISCO-BUG:CSCWS33587
CISCO-BUG:CSCWS52722
CISCO-BUG:CSCWS93470
CVE:CVE-2026-20122
CVE:CVE-2026-20126
CVE:CVE-2026-20127
CVE:CVE-2026-20128
CVE:CVE-2026-20129
CVE:CVE-2026-20133
Disclaimer
*The probability of an attack is determined by the attacker's motivation, the effort required and the opportunities for an attack. The damage probability is determined by the effort needed to resolve the attack and the probable indirect consequences of an attack for business processes. Telekom Security assumes worst-case scenarios.
Copyright © 1999-2026 Deutsche Telekom Security GmbH. All rights reserved. Reproduction and distribution of this publication in any form - even in parts - without prior written permission is forbidden.
The information contained herein has been obtained from sources believed to be reliable and trusted or have been verified. Telekom Security can take liability for completeness, accuracy and correctness only in so far, as gross negligence or intention create liability. Any liability beyond it, in particular possible damages resulting from using or non-usability of the information contained herein, is excluded.