Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023
Federal agencies must patch Cisco SD-WAN vulnerability CVE-2026-20127 by Feb 27, as zero-day exploits enable attackers to gain persistent root access, CISA warns.
- On February 25, 2026, CISA issued Emergency Directive 26-03 requiring Federal Civilian Executive Branch agencies to inventory Cisco SD‑WAN systems and collect forensic artifacts, citing ongoing exploitation as an imminent threat.
- Cisco said CVE-2026-20127 stems from a peering authentication mechanism failure and impacts Cisco Catalyst SD‑WAN Controller and Manager with a maximum severity of 10.0; Cisco credited ASD's ACSC for reporting it.
- Talos and partner advisories show attackers exploit the authentication bypass to add rogue peers and use CVE-2022-20775 for root access; indicators include unexpected root logins and unauthorized SSH keys.
- Federal agencies must apply patches by 5:00 PM ET on February 27, 2026 and report compliance to the secretary of homeland security, the national cyber director and the Office of Management and Budget by May 1.
- International partners urged nonfederal organizations to patch and harden affected devices, isolate SD-WAN management interfaces, forward logs externally, and apply Cisco hardening guidance as soon as practicable.
12 Articles
Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023
Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add malicious rogue peers to targeted networks.
Critical Cisco SD-WAN 0-Day Vulnerability Exploited Since 2023 to Gain Root Access
Cisco has disclosed a critical zero-day vulnerability in its Catalyst SD-WAN products that threat actors have exploited since 2023 to bypass authentication and achieve root access. Tracked as CVE-2026-20127, the flaw affects core networking components and prompts urgent patching amid active attacks. CVE-2026-20127 stems from a flaw in the peering authentication mechanism of Cisco Catalyst […]
Five Eyes issue emergency directive on exploited Cisco SD-WAN zero-day
Cybersecurity agencies across the Five Eyes alliance have issued an emergency directive warning that a critical Cisco SD-WAN vulnerability is being actively exploited to gain unauthorized access to federal networks. Officials confirmed that threat actors are targeting core SD-WAN control systems — infrastructure that manages traffic across government and enterprise networks — and urged organizations to patch affected devices immediately. Cisco’s …
CVE-2026-20127 Zero-Day Auth Bypass Exploited
Exploitation of a maximum severity authentication bypass zero-day vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager has been reported. Immediate patching is recommended to thwart ongoing attacks. Key takeaways: CVE-2026-20127 is an Authentication Bypass Vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager. Patches have been released and no workarounds are currently available. Exploitation in the wild has been obs…
Five Eyes allies warn hackers are actively exploiting Cisco SD-WAN flaws
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive warning of a “cyber threat actor’s ongoing exploitation of Cisco SD-WAN systems,” describing the activity as presenting a significant risk to federal civilian executive branch networks.
Coverage Details
Bias Distribution
- 100% of the sources are Center






