Overview
Cisco has issued urgent guidance regarding active, in‑the‑wild exploitation of vulnerabilities affecting Cisco Catalyst SD‑WAN Controller (formerly vSmart) and Cisco Catalyst SD‑WAN Manager (formerly vManage). The primary issue is a critical authentication bypass that could allow an unauthenticated attacker to gain high‑privileged administrative access and manipulate SD‑WAN configuration.
The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that both vulnerabilities are being actively exploited and has issued an emergency directive with actions to inventory affected systems, apply updates and mitigations, and assess for compromise.
Cisco Talos reporting indicates threat actors have used the newer authentication bypass for initial access and then leveraged the older vulnerability to escalate privileges and establish persistence.
- CVE-2026-20127: Cisco Catalyst SD‑WAN Controller and Manager Authentication Bypass Vulnerability (CVSSv3 10.0)
Affected versions: Cisco Catalyst SD‑WAN earlier than 20.9; 20.9 before 20.9.8.2; 20.11; 20.12.5 before 20.12.5.3; 20.12.6 before 20.12.6.1; 20.13; 20.14; 20.15 before 20.15.4.2; 20.16; 20.18 before 20.18.2.1.
- CVE-2022-20775: Cisco SD‑WAN Software Privilege Escalation Vulnerability (CVSSv3 7.8)
Affected versions: Cisco SD‑WAN Software 18.4 and earlier; 19.2; 20.3; 20.6 before 20.6.3; 20.7 before 20.7.2; 20.8 before 20.8.1.
Recommended Action
Organisations are encouraged to review the appropriate security advisory pages and apply the updates:
CVE Record - CVE Record: CVE-2022-20775
CVE Record - CVE Record: CVE-2026-20127
CISA - ED 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems | CISA
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.