Cisco Catalyst SD-WAN CVE-2026-20127: Max-Severity 0-Day Exploited Since 2023

A maximum-severity authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage), tracked as CVE-2026-20127 with a CVSS score of 10.0, has been under active exploitation in the wild since 2023, The Hacker News reported on March 2, 2026. The flaw allows an unauthenticated remote attacker to bypass authentication and gain administrative access to affected Cisco SD-WAN infrastructure — a critical risk for enterprises that rely on these products for WAN management and branch connectivity. Cisco has issued patches and organizations running Catalyst SD-WAN Controller or SD-WAN Manager should prioritise remediation immediately given the confirmed multi-year exploitation history.

Key Takeaways

• CVE-2026-20127 (CVSS 10.0) affects Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage); allows unauthenticated remote auth bypass and full administrative access
• Active exploitation confirmed since at least 2023 — a multi-year window of undetected exploitation before Cisco's advisory; Cisco has added two additional CVEs (CVE-2026-20122 and CVE-2026-20128) to its known-exploited list this week
• Affected deployments include any enterprise or MSP running vSmart/vManage on-premises; organizations should apply Cisco patches, review audit logs for unauthorized access, and rotate SD-WAN credentials immediately

Original source: The Hacker News