How long has CVE-2026-20127 been exploited?

The vulnerability has been actively exploited since at least 2023, as disclosed by Cisco in February 2026. ([thehackernews.com](https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html?utm_source=openai))

What actions should organizations take in response to CVE-2026-20127?

Organizations should immediately apply the patches released by Cisco, audit their network configurations for unauthorized changes, and implement robust security measures to prevent future exploitation. ([thehackernews.com](https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html?utm_source=openai))

Cisco SD-WAN Zero-Day Exploited Since 2023

A critical vulnerability in Cisco's SD-WAN solutions has been exploited for years, highlighting the need for immediate security measures. ([thehackernews.com](https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html?utm_source=openai))

Published: February 27, 2026

Share this on:

Executive Summary

In February 2026, Cisco disclosed a critical zero-day vulnerability (CVE-2026-20127) in its Catalyst SD-WAN Controller and Manager, which had been actively exploited since at least 2023. The flaw allowed unauthenticated remote attackers to bypass authentication mechanisms, granting them high-privileged access to manipulate network configurations via the NETCONF protocol. This exploitation enabled the addition of rogue peers and potential disruption of network operations. (thehackernews.com)

The incident underscores the persistent targeting of network infrastructure by sophisticated threat actors, emphasizing the need for organizations to prioritize timely patching and robust security measures to protect critical systems. (thehackernews.com)

Why This Matters Now

The exploitation of CVE-2026-20127 highlights the ongoing risks posed by unpatched vulnerabilities in critical network infrastructure, necessitating immediate action to mitigate potential threats. (thehackernews.com)

Attack Path Analysis

The threat actor exploited CVE-2026-20127 to gain unauthorized access to Cisco Catalyst SD-WAN Controllers, escalating privileges to root by downgrading software versions. They added rogue peers to the SD-WAN control plane, enabling lateral movement and manipulation of network configurations. Command and control were established through NETCONF and SSH, facilitating persistent access. Data exfiltration was achieved by modifying VPN and tunnel settings to intercept or redirect traffic. The impact included unauthorized policy changes and potential disruption of network services.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

High

Command & Control

High

Exfiltration

Medium

Impact

Medium

Initial Compromise

Description

Exploited CVE-2026-20127 to bypass authentication and gain high-privileged access to Cisco Catalyst SD-WAN Controllers.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2026-20127
CVSS 10
An authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller allows unauthenticated, remote attackers to obtain administrative privileges by sending crafted requests.
Affected Products:
Cisco Catalyst SD-WAN Controller – 20.9, 20.11, 20.12, 20.13, 20.14, 20.15, 20.16, 20.18
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-20127 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk https://www.darkreading.com/vulnerabilities-threats/cisco-sd-wan-zero-day-exploitation-3-years

MITRE ATT&CK® Techniques

Techniques identified for SEO/filtering; full STIX/TAXII enrichment to follow.

Initial Access

T1078

Valid Accounts

Initial Access

T1133

External Remote Services

Privilege Escalation

T1548

Abuse Elevation Control Mechanism

Defense Evasion

T1070

Indicator Removal on Host

Lateral Movement

T1021

Remote Services

Command and Control

T1071

Application Layer Protocol

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Change Control Processes

Control ID: 6.4.1

The unauthorized manipulation of SD-WAN configurations indicates a failure in implementing robust change control processes, leading to potential security vulnerabilities.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The exploitation of the SD-WAN vulnerability suggests inadequacies in the organization's cybersecurity policy, particularly in identifying and mitigating risks associated with network infrastructure.

DORA – ICT Risk Management Framework

Control ID: Article 5

The incident highlights deficiencies in the ICT risk management framework, as the prolonged exploitation of the vulnerability indicates a lack of effective risk assessment and mitigation strategies.

CISA ZTMM 2.0 – Identity and Access Management

Control ID: 3.1

The unauthorized access gained through the vulnerability points to weaknesses in identity and access management controls, undermining the principles of zero trust security models.

NIS2 Directive – Incident Handling

Control ID: Article 21

The extended period of undetected exploitation indicates shortcomings in incident detection and response capabilities, contravening the directive's requirements for effective incident handling.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Telecommunications

Critical SD-WAN infrastructure vulnerabilities enable three-year network exploitation, compromising encrypted traffic flows and zero-trust segmentation across telecommunications backbone systems.

Banking/Mortgage

Financial institutions face severe data exfiltration risks through compromised SD-WAN networks, violating PCI compliance requirements and enabling lateral movement attacks.

Health Care / Life Sciences

Healthcare networks exploited via SD-WAN zero-days risk HIPAA violations, patient data exposure, and compromised medical device connectivity through unsecured traffic.

Government Administration

Government SD-WAN infrastructure compromised for three years enables sophisticated threat actors to conduct network reconnaissance and establish persistent command-and-control channels.

Sources

Cisco SD-WAN Zero-Day Under Exploitation for 3 Yearshttps://www.darkreading.com/vulnerabilities-threats/cisco-sd-wan-zero-day-exploitation-3-years
Verified

Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerabilityhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

Verified

NVD - CVE-2026-20127https://nvd.nist.gov/vuln/detail/CVE-2026-20127

Verified

Frequently Asked Questions

CVE-2026-20127 is a critical vulnerability in Cisco's Catalyst SD-WAN Controller and Manager that allows unauthenticated remote attackers to bypass authentication and gain high-privileged access to manipulate network configurations. ([thehackernews.com](https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html?utm_source=openai))

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit vulnerabilities and move laterally within the network, thereby reducing the potential impact and blast radius of the breach.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to exploit vulnerabilities in the SD-WAN Controllers would likely be constrained, reducing unauthorized access to critical network infrastructure.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges to root may be limited, reducing the scope of unauthorized control over network devices.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's ability to move laterally within the network would likely be constrained, reducing unauthorized access to other network devices.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to maintain persistent access through NETCONF and SSH may be limited, reducing unauthorized control over network configurations.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's ability to exfiltrate data by modifying VPN and tunnel settings would likely be constrained, reducing unauthorized data interception or redirection.

Impact (Mitigations)

The attacker's ability to implement unauthorized policy changes may be limited, reducing the potential disruption of network services.

Impact at a Glance

Affected Business Functions

Network Management
Data Transmission
Remote Access

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $500,000

Data Exposure

Potential exposure of sensitive network configurations and administrative credentials.

Recommended Actions

• Implement Zero Trust Segmentation to restrict unauthorized lateral movement within the network.
• Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
• Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
• Deploy Inline IPS (Suricata) to identify and block known exploit patterns and malicious payloads.
• Regularly update and patch systems to mitigate vulnerabilities like CVE-2026-20127 and CVE-2022-20775.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Cisco SD-WAN Zero-Day Exploited Since 2023

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2026-20127

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Valid Accounts

External Remote Services

Abuse Elevation Control Mechanism

Indicator Removal on Host

Remote Services

Application Layer Protocol

Potential Compliance Exposure

PCI DSS 4.0 – Change Control Processes

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Identity and Access Management

NIS2 Directive – Incident Handling

Sector Implications

Telecommunications

Banking/Mortgage

Health Care / Life Sciences

Government Administration

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads