Other information and services of the government: www.belgium.be Centre for Cybersecurity Belgium
search

Warning: Critical RCE vulnerability in Cisco Catalyst SD-WAN Controller. Patch Immediately!

Image
Decorative image
Published : 26/02/2026
  • Last update: 26/02/2026
  • Affected software:
    → Cisco Catalyst SD-WAN Controller
  • Type: Improper Authentication (CWE-287)
  • CVE/CVSS
    → • CVE-2026-20127: 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Sources

Vendor Advisory - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

Risks

Successful exploitation could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.

Description

The peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system.

A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

More information on the vendor’s website:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

Cisco recommends to audit the auth.log file for indicators of compromise.

More information on the vendor’s website:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

Additionally, the Australian ACSC published a threat hunting guide for this vulnerability:
https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

Cisco Talos blog post - https://blog.talosintelligence.com/uat-8616-sd-wan/
Threat hunt guide of ACSC - https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf