Emerging Threat

Cisco Catalyst SD-WAN Controller Authentication Bypass (CVE-2026-20127): Emerging Threat published on Risk Ledger

Critical CVE-2026-20127 (CVSS 10.0) hits Cisco Catalyst SD-WAN Controller—unauthenticated attackers can seize control of your entire network fabric. NCSC confirms active exploits. Discover patching urgency, supply chain risks, and immediate steps in Risk Ledger's exclusive alert.

Summary

A critical authentication bypass vulnerability (CVE-2026-20127) has been identified in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. This vulnerability has been given the maximum CVSS base score of 10.0 (Critical) and allows an unauthenticated remote attacker to log in as a high-privileged internal user and manipulate network configuration across the entire SD-WAN fabric. Active exploitation has been observed. Cisco has released patches to address this vulnerability.

Threat Description

On 26 February 2026, Cisco disclosed CVE-2026-20127, an authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. The vulnerability affects all device configurations, regardless of deployment type, including on-premises deployments, Cisco Hosted SD-WAN Cloud, Cisco Hosted SD-WAN Cloud - Cisco Managed, and Cisco Hosted SD-WAN Cloud - FedRAMP Environment.

A successful exploit allows an unauthenticated remote attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow them to manipulate network configuration for the SD-WAN fabric.

The UK National Cyber Security Centre (NCSC) has confirmed that this vulnerability is being actively exploited. Cisco Catalyst SD-WAN deployments with management interfaces exposed to the internet are at the greatest risk of compromise.

The affected components, SD-WAN Controller and SD-WAN Manager, are the central control plane of the entire SD-WAN fabric. Compromise of these components could, depending on context, result in disruption to business operations if networking configuration is altered, or could create opportunities for traffic re-routing towards malicious endpoints and man-in-the-middle attacks.

There are no workarounds that address this vulnerability. Patching is the only available remediation.

Applicability

This threat could affect any organisation that uses Cisco Catalyst SD-WAN Controller or Cisco Catalyst SD-WAN Manager. Cisco Catalyst SD-WAN is the dominant player in the enterprise SD-WAN market, deployed in approximately 70% of Fortune 100 companies, with Cisco claiming over 48,000 SD-WAN deployments globally. This threat is most likely to affect larger enterprises and government entities that rely on Cisco for networking infrastructure.

All deployment types are affected:

  • On-Premises Deployment
  • Cisco Hosted SD-WAN Cloud
  • Cisco Hosted SD-WAN Cloud - Cisco Managed
  • Cisco Hosted SD-WAN Cloud - FedRAMP Environment

Relevance to the Supply Chain

SD-WAN infrastructure underpins the connectivity and network security of organisations and their operational sites. Because the affected components form the central control plane that orchestrates routing, policy, and security across potentially thousands of branch locations, compromise of a supplier’s SD-WAN controller could have far-reaching consequences. It is important for organisations to understand whether any of their suppliers rely on Cisco Catalyst SD-WAN, as exploitation could lead to disruption of services, interception of network traffic, or provide a foothold for further malicious activity across interconnected networks.

What Should You Do About It

If your organisation uses Cisco Catalyst SD-WAN Controller or Cisco Catalyst SD-WAN Manager, we recommend you take the following steps without delay:

  1. Apply the latest security patches from Cisco. There are no workarounds for this vulnerability; patching is the only remediation. Refer to the Cisco Security Advisory for the specific fixed software versions.
  2. Ensure management interfaces are not exposed to the internet. Cisco Catalyst SD-WANs with management interfaces exposed to the internet are at the greatest risk of compromise. Management interfaces should not be accessible from the public internet.
  3. Perform a compromise assessment. Review logs and network activity for signs of unauthorised access to SD-WAN Controller or Manager components. Deploy threat hunting capabilities using the indicators and guidance provided in the Cisco SD-WAN Threat Hunt Guide.
  4. Conduct continuous network monitoring. Monitor for unusual NETCONF activity or unexpected configuration changes across the SD-WAN fabric.
  5. Understand to what extent your suppliers or partners are affected. Engage with your supply chain to determine whether they use the affected Cisco products and what remediation steps they have taken.
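
One way to start the monitoring in step 4, as an added example (not taken from Cisco's guidance or from Risk Ledger): review flow records for NETCONF sessions reaching a controller from sources outside the approved management networks. The record columns, addresses, network ranges and the use of TCP 830 (the IANA-registered NETCONF-over-SSH port) are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress

# Assumptions (not from the advisory): the flow-record columns, the controller
# addresses, the approved management networks, the internal address space, and
# TCP 830 (IANA-registered NETCONF-over-SSH port, RFC 6242) as the port to watch.
NETCONF_PORT = 830
CONTROLLERS = {ipaddress.ip_address("10.20.0.10"), ipaddress.ip_address("10.20.0.11")}
APPROVED_MGMT = [ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("10.99.5.0/28")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records; a documentation-range address stands in for an internet host.
SAMPLE_FLOWS = """ts,src_ip,dst_ip,dst_port,bytes
2026-02-27T01:02:03Z,10.20.0.10,10.20.0.11,830,5120
2026-02-27T01:05:40Z,10.99.5.4,10.20.0.10,830,20480
2026-02-27T02:11:09Z,198.51.100.23,10.20.0.10,830,90112
2026-02-27T02:30:00Z,10.44.7.19,10.20.0.11,830,1024
2026-02-27T03:00:00Z,10.44.7.19,10.20.0.11,443,2048
"""

def _in_any(ip, nets):
    return any(ip in net for net in nets)

def review_flows(flow_csv):
    """Return (severity, ts, src, dst) for NETCONF sessions to a controller from unapproved sources."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src_ip"])
            dst = ipaddress.ip_address(row["dst_ip"])
            port = int(row["dst_port"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records rather than abort the review
        if dst not in CONTROLLERS or port != NETCONF_PORT:
            continue  # only NETCONF sessions towards the control plane are in scope
        if _in_any(src, APPROVED_MGMT):
            continue  # expected management or controller-to-controller traffic
        # A source outside the internal ranges means the interface is reachable externally (step 2).
        severity = "internal-unapproved" if _in_any(src, INTERNAL_NETS) else "external"
        findings.append((severity, row["ts"], str(src), str(dst)))
    return findings

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(*finding)
```

An "external" finding also indicates that the management interface is reachable from outside the organisation, which is the exposure step 2 asks you to remove.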

If you are a Risk Ledger customer: You can use the Emerging Threats feature in the Risk Ledger product to monitor all of your suppliers’ responses to this threat, including any mitigating actions in progress. You can find out more about how the Emerging Threats feature on Risk Ledger works here.

Where to Find More Information

This is an evolving situation. You can keep up to date with the latest information on this threat by referring to the following sources:

To understand how your supply chain is affected by CVE-2026-20127, speak to one of the Risk Ledger team.
