Updated:
Status:
CVEs:
Fortra is actively researching a vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) that could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
Who is affected?
CVE-2026-20127 impacts the versions of Cisco Catalyst SD-WAN listed below.
Note: There are no workarounds that address this vulnerability. The vendor’s recommended mitigation consists of adding access control lists (ACLs), security group rules, and/or firewall rules to restrict traffic to port 22 and port 830 to allow only known controller IPs and other known IPs.
Impacted products:
- Cisco Catalyst SD-WAN Controller
- Cisco Catalyst SD-WAN Manager, regardless of device configuration.
This vulnerability affects the following deployment types:
- On-Prem Deployment
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud - Cisco Managed
- Cisco Hosted SD-WAN Cloud - FedRAMP Environment
Affected versions:
- Earlier than 20.91
- 20.9
- 20.111
- 20.12.5
- 20.12.6
- 20.131
- 20.141
- 20.15
- 20.161
- 20.18
What can I do?
Customers should migrate to a fixed release as soon as possible.
Fixed versions:
- 20.9.8.2 (Estimated release February 27, 2026)
- 20.12.6.1
- 20.12.5.3
- 20.12.6.1
- 20.15.4.2
- 20.15.4.2
- 20.15.4.2
- 20.18.2.1
- 20.18.2.1
The vendor advisory is available at Cisco Security.
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
- Fortra MDR: On February 25, 2026, Alert Logic deployed log-based detection for CVE-2026-20127/Cisco Catalyst SD-WAN vulnerable IoC user ‘vmanage-admin’.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
2/25/2026: Log-based detection was deployed for CVE-2026-20127.
