Cyber Pulse: Technical Threat Deep Dives on Active CVEs - Cisco Catalyst SD-WAN Authentication Bypass

Intro

A critical authentication bypass vulnerability (CVE-2026-20127) has been identified in Cisco Catalyst SD-WAN Controller and Manager components. This flaw allows unauthenticated, remote attackers to bypass peering authentication and obtain full administrative privileges. Cisco PSIRT has confirmed limited in-the-wild exploitation of this vulnerability, making immediate patching a top priority for all SD-WAN fabric administrators.

📌 CVE Context

– Products & versions affected: Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) across all deployment types, including On-Prem and Cisco Hosted Cloud.
– Disclosure timeline: First published February 25, 2026; Updated February 27, 2026.
– Attack vector, auth level, impact: Remote, unauthenticated; results in administrative access to NETCONF and full network configuration manipulation.

CVSS Metric Breakdown (v4.0) - CVE-2026-20127 (Cisco SD-WAN Auth Bypass)
Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None (not listed in the original breakdown; a v4.0 base of 10.0 is only reachable with AT:N)
Privileges Required (PR): None
User Interaction (UI): None
Vulnerable System Confidentiality (VC): High
Vulnerable System Integrity (VI): High
Vulnerable System Availability (VA): High
Subsequent System Confidentiality / Integrity / Availability (SC / SI / SA): in CVSS v4.0 these three metrics measure the impact on systems beyond the vulnerable one. There is no "Scope", "Safety" or "Automation" metric in the v4.0 base vector (Safety and Automatable exist only as supplemental metrics that do not change the score), so the "No / N/A / Yes" values that appeared under these labels did not describe them. With the metrics above, a base score of 10.0 requires SC:H / SI:H / SA:H, which is consistent with a controller compromise propagating to the whole fabric. Confirm the exact vector string against the Cisco advisory before reusing it.
Exploit Maturity (E): Attacked (a Threat metric, not part of the base score; it records the confirmed in-the-wild exploitation)
Base Score: 10.0 (Critical)

– Exploit tools: Crafted requests targeting peering authentication mechanisms. Limited exploitation has been confirmed by Cisco PSIRT.

🎯 EPSS Scoring

The Exploit Prediction Scoring System (EPSS) gives CVE-2026-20127 a score of 0.02194, roughly a 2.2% estimated probability of exploitation activity in the next 30 days, which places it in the 84th percentile (0.84138) of all scored CVEs. Read that alongside, not instead of, Cisco's confirmation of in-the-wild exploitation: EPSS is driven by observed exploitation telemetry and typically lags a freshly disclosed, actively exploited bug, so expect the score to rise. For prioritisation, the confirmed exploitation already puts this at the top of the queue regardless of the percentile.

🔬 Exploitation Detail

– Step-by-step breakdown: The peering authentication mechanism does not properly validate the identity of the remote party when a control connection is requested. An attacker who can reach the peering service sends crafted requests that pass the handshake without valid credentials and receives the session a legitimate peer would get. The advisory does not publish the request format, and no proof of concept is reproduced here.
– Where it lives: Peering authentication mechanism and the VDAEMON control-connection processes on the Controller and Manager.
– Exposure associated with the attack path: TCP 22 (SSH, which also carries NETCONF-over-SSH) and TCP 830 (NETCONF). A successful bypass ends in the attacker holding the "vmanage-admin" identity, which is why the detection content below keys on that account.

📎 Attacker Behavior Snapshot

– What the attacker sends: Crafted requests designed to exploit the malfunctioning peering logic.
– What the system does: Improperly authenticates the session, granting high-privileged, non-root access.
– What leaks back: Access to NETCONF, allowing the attacker to push configuration changes to the entire SD-WAN fabric.

🧩 Why This Matters

This vulnerability shows how implicitly trusted peering mechanisms between controllers become high-value targets: a flaw in the trust handshake is worth more to an attacker than any single host bug. A successful exploit grants nearly total control over the software-defined network architecture, bypassing traditional perimeter defenses.

Exploitation results in:

  • Command execution on SD-WAN controllers as the high-privileged (non-root) vmanage-admin account
  • Persistence via unauthorized peering connections and added public keys that look like ordinary fabric events unless checked against the controller inventory
  • Rapid lateral movement and fabric-wide configuration manipulation through NETCONF

🧩 MITRE ATT&CK Mapping

Initial Access: T1190 – Exploit Public-Facing Application
Execution: T1059.004 – Command and Scripting Interpreter: Unix Shell (the controllers are Linux hosts; T1059.003 is the Windows command shell)
Persistence: T1098.004 – Account Manipulation: SSH Authorized Keys (unauthorized vmanage-admin keys); T1078 – Valid Accounts (reuse of the peering account)
Lateral Movement: T1021.004 – Remote Services: SSH

🧪 Detection Rules

YARA Rule (log archives)

The string below is also written for every legitimate controller peering, so a hit is a triage indicator to check against the inventory, not proof of exploitation. The earlier "sshd" string was dropped: the Accepted line is itself written by sshd, so requiring both matched nothing extra.

rule Cisco_SDWAN_Auth_Bypass_Log_Indicator
{
    meta:
        description = "Flags auth.log lines recording a public-key login as vmanage-admin; triage indicator for CVE-2026-20127, confirm the source against the controller inventory"
        reference = "cisco-sa-sdwan-rpa-EHchtZk"
    strings:
        $auth_log = "Accepted publickey for vmanage-admin from"
    condition:
        $auth_log
}

Suricata or Zeek (Network)

SSH encrypts the user name after key exchange, so a content match on "vmanage-admin" in port 22/830 payloads never fires on real traffic. Alert on the connection itself instead: any SSH/NETCONF session to a controller from an address outside the peer inventory. $SDWAN_CONTROLLERS and $SDWAN_PEERS are address variables to define in suricata.yaml from the Devices inventory.

alert tcp !$SDWAN_PEERS any -> $SDWAN_CONTROLLERS [22,830] (msg:"Cisco SD-WAN: SSH/NETCONF session to controller from address outside peer inventory (CVE-2026-20127 triage)"; flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 3600; classtype:attempted-admin; sid:202620127; rev:2;)

In Zeek the same logic is a filter over conn.log or ssh.log: id.resp_p in {22, 830} and id.orig_h not in the controller set.

Sigma Rule (SIEM/EDR)

The original filter compared src_ip against the literal string 'authorized_controller_ips', which never matches; it is replaced by a Sigma placeholder that the backend expands to the inventory list. Field names (message, src_ip) assume the controllers' auth.log is forwarded with the source address extracted.

title: Cisco SD-WAN vmanage-admin Login from Address Outside Controller Inventory
status: experimental
description: Detects public-key logins as vmanage-admin on a Catalyst SD-WAN Manager or Controller from an address that is not a known controller; triage indicator for CVE-2026-20127
references:
    - cisco-sa-sdwan-rpa-EHchtZk
logsource:
    product: cisco
    service: sdwan
detection:
    selection:
        message|contains: 'Accepted publickey for vmanage-admin'
    filter_known_controllers:
        src_ip: '%sdwan_controller_ips%'
    condition: selection and not filter_known_controllers
falsepositives:
    - Controller peering from an address missing from the inventory list
level: critical

🔎 Detection Strategies

✅ Network Detection:

  • Monitor for unexpected peering events in VDAEMON logs.
  • Flag control connection state changes (new-state:up) from unrecognized public IP addresses.
  • Inspect traffic on ports 22 and 830 for unusual source systems.

✅ Endpoint Detection:

  • Audit /var/log/auth.log for "Accepted publickey for vmanage-admin" from unknown or unauthorized IP addresses.
  • Verify all "vmanage-admin" public keys against the authorized key list in the Manager web UI.
  • Use the 'request admin-tech' command to gather diagnostic files for TAC review.
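As an added worked example (not code from this write-up or from Cisco), here is the endpoint triage above run over a few constructed auth.log lines: parse each sshd "Accepted" record, keep only the vmanage-admin account, and report a login when its source is outside the controller inventory or when it did not use a public key. The inventory networks, host names, addresses and fingerprints are placeholders; fill the inventory from the Devices menu of the Manager.

```python
"""Triage vmanage-admin SSH logins in auth.log against a controller inventory.

Added example; not code from the original write-up or from Cisco. The log
lines, host names, addresses and fingerprints below are constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# sshd's "Accepted" record. The "ssh2: <keytype> <fingerprint>" tail is optional
# because password logins and older sshd builds omit it.
ACCEPTED_RE = re.compile(
    r"(?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>[0-9A-Fa-f:.]+) port (?P<port>\d+)"
    r"(?: ssh2(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?)?"
)

PEERING_USER = "vmanage-admin"

# Assumption: System/management addresses of every controller expected to peer
# with this Manager, taken from the Devices menu. Placeholder ranges here.
CONTROLLER_INVENTORY = [ip_network("10.10.0.0/29"), ip_network("192.0.2.10/32")]


@dataclass(frozen=True)
class Finding:
    host: str
    src: str
    method: str
    fingerprint: Optional[str]
    reason: str


def in_inventory(src: str, inventory) -> bool:
    addr = ip_address(src)
    return any(addr in net for net in inventory)


def triage(lines: Iterable[str], inventory=CONTROLLER_INVENTORY) -> List[Finding]:
    """One Finding per vmanage-admin login that a human should look at."""
    findings = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if not m or m["user"] != PEERING_USER:
            continue  # other accounts, failed attempts, unrelated noise
        if not in_inventory(m["src"], inventory):
            reason = "source address is not in the controller inventory"
        elif m["method"] != "publickey":
            # Peers authenticate with keys; anything else on this account is odd.
            reason = f"peering account authenticated with {m['method']}, expected publickey"
        else:
            continue  # expected controller peering, nothing to raise
        findings.append(Finding(m["host"], m["src"], m["method"], m["fp"], reason))
    return findings


# Constructed sample: one benign peering, one login from an unknown public IP,
# one unrelated admin login, one failed attempt, and a password login on the
# peering account from an inventory address.
SAMPLE_AUTH_LOG = """\
Feb 26 03:14:07 vmanage01 sshd[2210]: Accepted publickey for vmanage-admin from 10.10.0.3 port 41822 ssh2: RSA SHA256:q4Xg7T1h2ZJn3kP9s8R0dFvLmY6cW5bA1eN2uI3oK4w
Feb 26 03:15:52 vmanage01 sshd[2294]: Accepted publickey for vmanage-admin from 203.0.113.7 port 51234 ssh2: ED25519 SHA256:Zz1x2Cv3Bn4Mm5Aa6Ss7Dd8Ff9Gg0Hh1Jj2Kk3Ll4Pp
Feb 26 03:16:10 vmanage01 sshd[2301]: Accepted password for admin from 10.10.0.3 port 41900 ssh2
Feb 26 03:17:44 vmanage01 sshd[2388]: Failed publickey for vmanage-admin from 203.0.113.7 port 51240 ssh2
Feb 26 03:18:05 vmanage01 sshd[2402]: Accepted password for vmanage-admin from 10.10.0.4 port 42010 ssh2
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{f.host}: {f.src} ({f.method}, {f.fingerprint}) - {f.reason}")
```

Run it over the real file with `triage(open("/var/log/auth.log").read().splitlines())`; the fingerprint captured from each flagged line is what you compare against the key list in the Manager UI.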

⚡ Splunk Query

The original pipeline grouped by a "user" field it never extracted and carried a redundant "table" after "stats". This version extracts user, source address and key fingerprint, then drops sources found in an inventory lookup (sdwan_controller_inventory, an assumed CSV lookup with src_ip and device_name columns exported from the Devices menu).

index=network_logs sourcetype="cisco:sdwan" "Accepted publickey for vmanage-admin"
| rex field=_raw "Accepted publickey for (?<user>\S+) from (?<src_ip>[0-9a-fA-F:.]+) port \d+(?: ssh2: \S+ (?<fingerprint>SHA256:\S+))?"
| lookup sdwan_controller_inventory src_ip OUTPUT device_name
| where isnull(device_name)
| stats count min(_time) as first_seen max(_time) as last_seen values(fingerprint) as fingerprints by host, src_ip, user

πŸ› οΈ SOC Detection Strategy

– Triage levels: High-priority alerts for any 'Accepted publickey' logs for the 'vmanage-admin' account from non-inventory IPs.
– How to tune: Cross-reference source IPs with the "System IP" column in the Devices menu of the SD-WAN Manager UI.
– Real-world alerts: Alerts often appear as legitimate-looking peering events but occur at unexpected times or from unrecognized public IPs.

πŸ› οΈ Tools & Techniques

Tool | Usage
auditd / Sysmon for Linux | Record SSH session initiation and vmanage-admin process activity on the controllers (the Windows Sysmon event model does not apply; the Linux port or auditd fills that role)
Velociraptor | Hunt across controllers for unexpected entries in /var/log/auth.log and in vmanage-admin's authorized_keys
Zeek | Log connections to ports 22 and 830 (conn.log, ssh.log); the NETCONF payload is encrypted, so source address and timing are the usable signal
Sigma/YARA | Scan log archives for historical "vmanage-admin" logins from non-inventory addresses

πŸ›‘οΈ Mitigation & Response

– Patch info: Upgrade to fixed releases including 20.9.8.2, 20.12.5.3, 20.15.4.2, or 20.18.2.1.
– Temporary mitigations: Use ACLs or firewall rules to restrict traffic to ports 22 and 830 to known controller IPs only.
– Config changes: Secure intra-controller connectivity and restrict management access to trusted hosts.
– Monitor for lateral movement: Audit all configuration changes made via NETCONF post-peering events.

📋 Incident Response Snippets

– Log queries: zgrep -h "Accepted publickey for vmanage-admin" /var/log/auth.log* (zgrep also reads rotated, compressed logs, so the search covers the window before the alert)
– IR questions: Does the peer-system-ip in the VDAEMON log match our documented SD-WAN topology?
– Cleanup: Remove any unauthorized public keys and perform a full configuration audit of the SD-WAN fabric.
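For the key-audit and cleanup steps above, this added example (not code from the write-up or from Cisco) parses vmanage-admin's authorized_keys, computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, and diffs it against the fingerprints the fabric inventory expects: keys not in the inventory are the ones to remove, keys missing from the file are peers that will fail to connect, and a blob whose declared type does not match its wire content is flagged as tampered. The inventory, device names and key blobs are constructed placeholders; the 32-byte key values are not real keys.

```python
"""Audit vmanage-admin's authorized_keys against the fingerprints the fabric should have.

Added example; not code from the original write-up or from Cisco. Key blobs,
device names and the authorized_keys sample are constructed placeholders.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


@dataclass(frozen=True)
class KeyEntry:
    line_no: int
    keytype: Optional[str]
    fingerprint: Optional[str]
    comment: str
    problem: Optional[str] = None


def openssh_fingerprint(blob: bytes) -> str:
    """Same value `ssh-keygen -lf` prints: SHA-256 of the wire blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def wire_keytype(blob: bytes) -> Optional[str]:
    """The first field of an OpenSSH public-key blob is a length-prefixed type string."""
    if len(blob) < 4:
        return None
    n = int.from_bytes(blob[:4], "big")
    if n > len(blob) - 4:
        return None
    return blob[4:4 + n].decode("ascii", errors="replace")


def parse_authorized_keys(text: str) -> List[KeyEntry]:
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # A line may start with options (from="...",no-pty,...); the key type is
        # the first token we recognise and the blob is the token after it.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append(KeyEntry(no, None, None, line, "no key type/blob found"))
            continue
        keytype, b64 = tokens[idx], tokens[idx + 1]
        comment = " ".join(tokens[idx + 2:])
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            entries.append(KeyEntry(no, keytype, None, comment, "blob is not valid base64"))
            continue
        problem = None
        if wire_keytype(blob) != keytype:
            problem = "declared key type does not match the blob"
        entries.append(KeyEntry(no, keytype, openssh_fingerprint(blob), comment, problem))
    return entries


def audit(authorized_keys_text: str, inventory: Dict[str, str]) -> Dict[str, list]:
    """Diff the file against the inventory (fingerprint -> device name)."""
    entries = parse_authorized_keys(authorized_keys_text)
    present = {e.fingerprint for e in entries if e.fingerprint}
    return {
        "unauthorized": [e for e in entries if e.fingerprint and e.fingerprint not in inventory],
        "malformed": [e for e in entries if e.problem],
        "missing": sorted(name for fp, name in inventory.items() if fp not in present),
    }


def ed25519_blob(pub32: bytes) -> str:
    """Base64 ssh-ed25519 wire blob (string type || string key), used only to build
    the constructed sample; the key bytes are placeholders, not real keys."""
    def s(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(b"ssh-ed25519") + s(pub32)).decode("ascii")


# Constructed fabric inventory: the keys two controllers are expected to present.
KNOWN_BLOBS = {"vsmart01": ed25519_blob(b"\x01" * 32), "vsmart02": ed25519_blob(b"\x02" * 32)}
INVENTORY = {openssh_fingerprint(base64.b64decode(b)): name for name, b in KNOWN_BLOBS.items()}

ROGUE_BLOB = ed25519_blob(b"\x99" * 32)     # a key nobody in the inventory owns
MISMATCH_BLOB = ed25519_blob(b"\x42" * 32)  # declared as ssh-rsa below, so it is flagged

# Constructed authorized_keys as it might look after an intrusion.
SAMPLE_AUTHORIZED_KEYS = f"""\
# vmanage-admin authorized_keys (constructed sample)
ssh-ed25519 {KNOWN_BLOBS['vsmart01']} vsmart01
from="10.10.0.0/29",no-pty ssh-ed25519 {KNOWN_BLOBS['vsmart02']} vsmart02
ssh-ed25519 {ROGUE_BLOB} root@attacker
ssh-rsa {MISMATCH_BLOB} mismatched
"""

if __name__ == "__main__":
    for bucket, items in audit(SAMPLE_AUTHORIZED_KEYS, INVENTORY).items():
        print(bucket, [getattr(i, "comment", i) for i in items])
```

Build the real inventory from the fingerprints of the keys the Manager UI lists for each controller; after cleanup, re-run the audit and confirm that "unauthorized" and "malformed" are empty and "missing" lists nothing you still expect to peer.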

📚 Suggested Reading & External References

– Cisco Advisory: cisco-sa-sdwan-rpa-EHchtZk
– Cisco Catalyst SD-WAN Hardening Guide
– SD-WAN Controller Component Compatibility Matrix

πŸ—ΎοΈ Final Thoughts

– Attackers can bypass authentication to gain high-privileged access and manipulate the entire SD-WAN fabric.
– Most effective action: Upgrade immediately to a fixed release and restrict management ports to trusted IPs.
– Reminder that detection is field work: Manual validation of all peering events is required to ensure legitimacy.

Published: February 27, 2026
