Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerability
Threat actors have been exploiting the vulnerability to achieve root access since 2023
Security agencies are warning that a maximum-severity flaw in Cisco Catalyst SD-WAN Controller has been exploited in the wild for years.
An advisory from CISA noted that threat actors have compromised SD-WANs to add a malicious rogue peer, allowing them to conduct a range of follow-on actions to achieve root access and maintain persistent access.
"Based on collaboration with international partners and CISA’s forensic analysis, the ease with which these vulnerabilities can be exploited demands immediate action from all federal agencies," said Madhu Gottumukkala, the acting director of the US Cybersecurity and Infrastructure Security Agency (CISA).
"We urge all entities to implement the measures outlined in this Emergency Directive without delay. CISA leadership and all (excepted) staff remain committed to fulfilling our mission while protecting the American people."
Successful exploitation of CVE-2026-20127, which has a CVSS score of 10, could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account.
Using this account, an attacker could access NETCONF, allowing them to manipulate network configuration for the SD-WAN fabric.
Cisco Catalyst SD-WAN deployments that have management interfaces exposed to the internet are most at risk of compromise.
"CISA’s guidance is a clear signal that adversaries are aiming for the control plane, not just individual endpoints. The vulnerability being discussed allows an attacker to reach sensitive management functions without going through normal access checks," said Nick Tausek, lead security automation architect at Swimlane.
"What makes this especially serious is how quickly a compromised management path can translate into broad influence over how sites connect, which routes are preferred, and what policies are enforced across networks."
Cisco Catalyst SD-WAN best practices
According to Cisco, the first thing to check for is any control connection peering event identified in Cisco Catalyst SD-WAN logs, as this may indicate an attempt at initial access via CVE-2026-20127.
All such peering events require manual validation to confirm their legitimacy, with particular focus on vManage peering types.
The company warned unauthorized peer connections may appear superficially normal but occur at unexpected times, originate from unrecognized IP addresses, or involve device types inconsistent with the environment's architecture.
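The validation Cisco describes above (peering at unexpected times, from unrecognized addresses, or with device types that do not match the environment) can be turned into a first-pass triage of peering events against a known-good inventory. The script below is an added example, not Cisco's or CISA's tooling: the log line format, the inventory, the trusted networks and the change window are all constructed for illustration and are not Cisco's real log syntax.

```python
"""
Triage of SD-WAN control-connection peering events against a known-good peer inventory.
Added example, not Cisco's or CISA's code. The log line format below is constructed
for illustration and is NOT Cisco's real syslog or vManage syntax.
"""
import ipaddress
import re
from datetime import datetime, time

# Constructed sample log lines (hypothetical format: timestamp, event, peer type, address, system-ip).
SAMPLE_LOG = """\
2026-02-10T09:12:44Z control-connection peer-up type=vsmart ip=10.0.1.5 system-ip=10.255.0.5
2026-02-10T03:41:07Z control-connection peer-up type=vmanage ip=203.0.113.77 system-ip=10.255.0.99
2026-02-10T10:05:19Z control-connection peer-up type=vbond ip=10.0.1.2 system-ip=10.255.0.2
2026-02-10T11:30:00Z control-connection peer-up type=vmanage ip=10.0.1.10 system-ip=10.255.0.10
2026-02-10T12:00:00Z control-connection peer-up type=vedge ip=10.0.1.10 system-ip=10.255.0.10
"""

# Known-good inventory (assumption): system-ip -> (expected device type, expected control address).
KNOWN_PEERS = {
    "10.255.0.5": ("vsmart", "10.0.1.5"),
    "10.255.0.2": ("vbond", "10.0.1.2"),
    "10.255.0.10": ("vmanage", "10.0.1.10"),
}
# Networks from which legitimate peering is expected, and the change window (both assumptions).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WINDOW_START, WINDOW_END = time(8, 0), time(18, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) control-connection peer-up "
    r"type=(?P<type>\S+) ip=(?P<ip>\S+) system-ip=(?P<sysip>\S+)$"
)

PRIORITY_RANK = {"critical": 0, "high": 1, "vmanage-review": 2, "routine": 3}


def parse_events(text):
    """Parse peering events from the (constructed) log format; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def triage(event):
    """Return the anomaly indicators for one event (empty list = consistent with inventory)."""
    reasons = []
    addr = ipaddress.ip_address(event["ip"])
    if not any(addr in net for net in TRUSTED_NETS):
        reasons.append("peer address outside trusted networks")
    if not WINDOW_START <= event["ts"].time() <= WINDOW_END:
        reasons.append("peering outside expected change window")
    known = KNOWN_PEERS.get(event["sysip"])
    if known is None:
        reasons.append("system-ip not in inventory")
    else:
        exp_type, exp_ip = known
        if event["type"] != exp_type:
            reasons.append(f"device type {event['type']} inconsistent with inventory ({exp_type})")
        if event["ip"] != exp_ip:
            reasons.append("peer address differs from inventory")
    return reasons


def prioritize(events):
    """Every event gets a manual-validation slot; anomalies and vManage peers go to the top."""
    rows = []
    for ev in events:
        reasons = triage(ev)
        is_vmanage = ev["type"] == "vmanage"
        if reasons and is_vmanage:
            prio = "critical"
        elif reasons:
            prio = "high"
        elif is_vmanage:
            prio = "vmanage-review"
        else:
            prio = "routine"
        rows.append((prio, ev, reasons))
    return sorted(rows, key=lambda r: (PRIORITY_RANK[r[0]], r[1]["ts"]))


if __name__ == "__main__":
    for prio, ev, reasons in prioritize(parse_events(SAMPLE_LOG)):
        print(f"{prio:15} {ev['ts']:%Y-%m-%d %H:%M} {ev['type']:8} {ev['ip']:15} "
              f"sys-ip={ev['sysip']} {'; '.join(reasons) or 'no anomaly'}")
```

The script never auto-clears an event: every peering event stays on the validation list, as the article requires, and the scoring only decides who looks first. In the constructed sample the 03:41 vManage peer from an address outside the trusted range, with a system-ip nobody provisioned, lands at the top, while the 12:00 event shows a known system-ip presenting as a different device type, the "inconsistent device type" case Cisco calls out.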
Organizations should move quickly to inventory SD-WAN components, confirm which are internet-facing, and map all management access methods - web UI, SSH, NETCONF, APIs - including which networks and admin accounts can reach them, said Moshe Hassan, VP of research and innovation at Upwind.
Organizations are also urged to restrict management access to known-good sources: allowlisting trusted IPs and admin networks only, removing public exposure, and segmenting management interfaces behind VPNs or jump hosts.
Unsolicited access to management ports and unusual management-plane traffic should be blocked.
"Patch exposed systems first, or block until you can. Prioritize patching any internet-reachable appliances immediately. If patching can’t happen fast enough, temporarily block management protocols from the internet, disable unused services, and deploy compensating controls (ACLs/IPS rules) until updates are in place," he said.
"Watch for unexpected new peers/devices in the SD-WAN fabric, suspicious changes to configuration or policy, anomalous admin activity, and unusual lateral connections within the management plane."
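Hassan's sequence (inventory the components, confirm which are internet-facing, map every management access method and who can reach it, then patch or block the exposed ones first) is essentially an audit over a management-interface inventory. The script below is an added example and not Cisco's or Upwind's tooling: the inventory format, the device names, the public and admin address ranges are all constructed assumptions, chosen only to show how the worklist falls out of the rules in the text.

```python
"""
Management-plane exposure audit for SD-WAN components.
Added example, not Cisco's tooling. Inventory format, device names and address
ranges are constructed for illustration.
"""
import ipaddress

# Constructed inventory (assumed format): one record per management listener.
# 198.51.100.0/24 stands in for the organisation's public address space.
INVENTORY = [
    {"device": "vmanage-1", "service": "web-ui",  "port": 443, "bind": "198.51.100.10", "allowed_from": ["0.0.0.0/0"]},
    {"device": "vmanage-1", "service": "netconf", "port": 830, "bind": "198.51.100.10", "allowed_from": ["0.0.0.0/0"]},
    {"device": "vmanage-1", "service": "ssh",     "port": 22,  "bind": "10.0.1.10",     "allowed_from": ["10.50.0.0/24"]},
    {"device": "vsmart-1",  "service": "netconf", "port": 830, "bind": "10.0.1.5",      "allowed_from": ["10.0.0.0/8"]},
    {"device": "vbond-1",   "service": "ssh",     "port": 22,  "bind": "198.51.100.2",  "allowed_from": ["10.50.0.0/24"]},
]

# The organisation's internal ranges (assumption: RFC 1918) and its admin/jump-host network (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_NETS = [ipaddress.ip_network("10.50.0.0/24")]


def is_internet_facing(addr):
    """A listener bound outside the internal ranges is treated as internet-reachable."""
    a = ipaddress.ip_address(addr)
    return not any(a in n for n in INTERNAL_NETS)


def admin_only(allowed_from):
    """True when every permitted source network sits inside an admin network."""
    nets = [ipaddress.ip_network(n) for n in allowed_from]
    return all(any(n.subnet_of(a) for a in ADMIN_NETS) for n in nets)


def assess(entry):
    """Return (priority, finding, action). Priority 1 is most urgent; 0 means acceptable as-is."""
    nets = [ipaddress.ip_network(n) for n in entry["allowed_from"]]
    open_to_world = any(n.prefixlen == 0 for n in nets)
    facing = is_internet_facing(entry["bind"])
    if facing and open_to_world:
        return (1, "internet-reachable management service with no source restriction",
                "patch immediately; until then block the port from the internet and allowlist admin networks")
    if facing:
        return (2, "internet-facing management service, source-filtered",
                "move behind VPN/jump host; patch in the first wave")
    if not admin_only(entry["allowed_from"]):
        return (3, "internal management service reachable beyond admin networks",
                "tighten ACL to admin networks only; patch in the normal window")
    return (0, "restricted to admin networks", "patch in the normal window")


def audit(inventory):
    """Findings ordered by urgency, then device and service: a patch-or-block worklist."""
    rows = [(*assess(e), e["device"], e["service"], e["port"]) for e in inventory]
    rows = [r for r in rows if r[0] > 0]
    return sorted(rows, key=lambda r: (r[0], r[3], r[4]))


if __name__ == "__main__":
    for prio, finding, action, device, service, port in audit(INVENTORY):
        print(f"P{prio} {device}:{service}/{port}  {finding}  ->  {action}")
```

On the constructed inventory the two vManage listeners that are public and open to any source come out first, the public but filtered vBond SSH second, and the internal NETCONF listener that is reachable from all of 10.0.0.0/8 last; the SSH listener already limited to the admin network drops off the worklist. The internet-facing test deliberately uses the organisation's own internal ranges rather than Python's `is_global`, because documentation ranges such as 198.51.100.0/24 are classed as non-global there and a real audit should anyway start from the addresses the organisation knows it owns.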
Cisco has published a hardening guide here.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.