Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

Priority: Act Now
CVSS: 10
Cisco advisory: cisco-sa-sdwan-rpa-EHchtZk
Date: Feb 25, 2026
Cisco
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the peering authentication mechanism of Cisco Catalyst SD-WAN Manager (formerly vManage), SD-WAN Controller (formerly vSmart), and SD-WAN Validator (formerly vBond) could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges. An attacker could exploit this by sending crafted requests to an affected system; a successful exploit yields a high-privileged internal user account and, from there, access to NETCONF, which is enough to manipulate the configuration of the SD-WAN fabric.

What this means
What could happen
An unauthenticated remote attacker can bypass authentication on Cisco Catalyst SD-WAN controllers and gain administrative privileges, allowing them to manipulate SD-WAN fabric network configuration and intercept or redirect all traffic flowing through the WAN fabric.
Who's at risk
Any organization running Cisco Catalyst SD-WAN (SD-WAN Manager/vManage, SD-WAN Controller/vSmart, or SD-WAN Validator/vBond) to manage enterprise SD-WAN fabric. This affects the core SD-WAN management and control plane, impacting all branch offices and WAN traffic that rely on these controllers.
How it could be exploited
An attacker sends specially crafted requests to the SD-WAN Manager, vSmart Controller, or vBond Validator over the network without providing credentials. The flawed peering authentication mechanism accepts the request and grants the attacker a high-privileged internal user session. The attacker then uses NETCONF (network configuration protocol) access to modify network configurations, potentially redirecting traffic or modifying routing policies.
Prerequisites
  • Network access to the Cisco Catalyst SD-WAN Manager, vSmart Controller, or vBond Validator management interface
  • No authentication credentials required
Tags: remotely exploitable; no authentication required; low complexity; actively exploited (KEV); high EPSS score (48.2%); affects control systems
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product | Affected Versions | Fix Status
Catalyst SD-WAN Manager | All versions (fixed releases are listed in the Cisco advisory) | Fix available
Note: the summary and the Do-now items below also name SD-WAN Controller (vSmart) and SD-WAN Validator (vBond). Confirm their affected and fixed releases against cisco-sa-sdwan-rpa-EHchtZk rather than treating them as unaffected because they are absent from this table.
Remediation & Mitigation
Do now
HOTFIX: Apply Cisco software updates to Catalyst SD-WAN Manager immediately. Obtain the fixed release from the Cisco security advisory (cisco-sa-sdwan-rpa-EHchtZk) and deploy it in an emergency maintenance window.
HOTFIX: Apply Cisco software updates to Catalyst SD-WAN Controller (vSmart) immediately, in an emergency maintenance window.
HOTFIX: Apply Cisco software updates to Catalyst SD-WAN Validator (vBond) immediately, in an emergency maintenance window.
WORKAROUND: Restrict network access to the SD-WAN Manager, vSmart Controller and vBond Validator management interfaces to trusted internal networks and engineering workstations only, and block direct internet access to these systems. This reduces exposure but does not remove the flaw; patching is still required.
HARDENING: Monitor authentication logs and NETCONF sessions on all SD-WAN controllers. Because the bypass yields a high-privileged internal account, a successful exploit may show up as a successful login rather than a failed one, so look for logins by internal or system accounts from unexpected sources, NETCONF sessions from anything other than approved engineering hosts and the controllers themselves, and configuration changes outside approved change windows.
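The workaround and monitoring items above, as an added example that is not part of this advisory or of any Cisco tooling: a small Python check that takes connection records for the controllers' management ports and flags any session whose source is neither an approved management network nor another controller. The controller addresses, the approved management networks and the record format are all assumptions for the example; the sample records are constructed here and are not a real Cisco log format. The same allow-list is what the WORKAROUND item would enforce at the firewall, so a hit from this script is also evidence the access restriction is not in place.

```python
import ipaddress
import re

# Assumed (hypothetical) approved management sources: NOC jump hosts and the
# network-engineering VLAN that may reach controller management interfaces.
ALLOWED_MGMT_NETS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("10.20.5.0/24"),
]

# Assumed (hypothetical) controller addresses. Controllers peer with each
# other, so controller-to-controller sessions are allow-listed separately.
CONTROLLER_ADDRS = {
    ipaddress.ip_address("10.0.0.1"),  # SD-WAN Manager (vManage)
    ipaddress.ip_address("10.0.0.2"),  # SD-WAN Controller (vSmart)
    ipaddress.ip_address("10.0.0.3"),  # SD-WAN Validator (vBond)
}

# Management-plane TCP services this check covers, by standard port:
# SSH, HTTPS and NETCONF over SSH (RFC 6242).
MANAGEMENT_PORTS = {22: "ssh", 443: "https", 830: "netconf"}

# Constructed record format for the example (not a Cisco log format):
#   <timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
_RECORD_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_record(line):
    """Parse one record into a dict; return None for lines that do not match."""
    m = _RECORD_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return {"ts": m["ts"], "src": src, "dst": dst,
            "dport": int(m["dport"]), "proto": m["proto"].lower()}


def classify(rec):
    """Return a reason string if the session should be flagged, else None."""
    if rec["dst"] not in CONTROLLER_ADDRS:
        return None                                   # not aimed at a controller
    if rec["proto"] != "tcp" or rec["dport"] not in MANAGEMENT_PORTS:
        return None                                   # not a management service
    if rec["src"] in CONTROLLER_ADDRS:
        return None                                   # controller-to-controller peering
    if any(rec["src"] in net for net in ALLOWED_MGMT_NETS):
        return None                                   # approved operator network
    service = MANAGEMENT_PORTS[rec["dport"]]
    return f"{service} session to controller {rec['dst']} from unapproved source {rec['src']}"


def find_unexpected_sessions(lines):
    """Return flagged records (addresses as strings) in input order."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue                                  # skip malformed lines
        reason = classify(rec)
        if reason:
            hits.append({**rec, "src": str(rec["src"]), "dst": str(rec["dst"]),
                         "reason": reason})
    return hits


# Constructed sample records for the example.
SAMPLE_RECORDS = [
    "2026-02-25T09:58:11Z src=10.10.0.15 dst=10.0.0.1 dport=830 proto=tcp",    # NOC jump host: allowed
    "2026-02-25T09:59:40Z src=10.0.0.2 dst=10.0.0.1 dport=830 proto=tcp",      # Controller peering with Manager: allowed
    "2026-02-25T10:01:02Z src=203.0.113.77 dst=10.0.0.1 dport=830 proto=tcp",  # NETCONF from an unapproved source: flag
    "2026-02-25T10:01:03Z src=192.168.44.9 dst=10.0.0.1 dport=443 proto=tcp",  # internal but unapproved source: flag
    "2026-02-25T10:02:17Z src=192.168.44.9 dst=10.99.9.9 dport=830 proto=tcp", # not a controller: out of scope
    "this line is not a flow record",                                          # malformed: skipped
]

if __name__ == "__main__":
    for hit in find_unexpected_sessions(SAMPLE_RECORDS):
        print(hit["ts"], hit["reason"])
```

Feed it real flow or firewall records by adapting `_RECORD_RE` and the two allow-lists; the classification order matters, since the controller peering check must run before the operator-network check or a compromised controller address would hide behind the operator allow-list.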
