Cisco Patches Catalyst SD-WAN Zero-Day Exploited by Highly Sophisticated Hackers
Briefly

"The issue affects the peering authentication mechanism of Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Catalyst SD-WAN Manager (formerly SD-WAN vManage), allowing unauthenticated, remote attackers to send crafted requests. Successful exploitation results in the attacker logging in as an internal, high-privileged, non-root user account."
"Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric. Cisco says it is aware of the limited exploitation of the vulnerability and has released indicators of compromise (IoCs) to help organizations hunt for malicious activity."
"CISA and peer agencies in Five Eyes countries say that threat actors have chained the two flaws to bypass authentication, escalate privileges, and establish persistence on Catalyst SD-WAN systems. Emergency Directive 26-03 urges federal agencies to patch both vulnerabilities within two days."
Cisco addressed a critical zero-day vulnerability (CVE-2026-20127) with a CVSS score of 10/10 affecting Catalyst SD-WAN Controller and Manager. The flaw lies in the peering authentication mechanism and enables unauthenticated remote attackers to send crafted requests and log in as a high-privileged internal user account. From that account, attackers can access NETCONF and manipulate the network configuration of the SD-WAN fabric. Emergency patches were released for multiple versions, with additional patches expected Friday. CISA added this vulnerability and an older related flaw (CVE-2022-20775) to its Known Exploited Vulnerabilities catalog and issued Emergency Directive 26-03, which requires federal agencies to patch within two days. Threat actors have chained both vulnerabilities to bypass authentication, escalate privileges, and establish persistence.
Read at SecurityWeek