THREAT INTELLIGENCE

Cisco Catalyst SD-WAN Zero-Day Auth Bypass Flaws

Affected Environment
Cisco Catalyst SD-WAN Manager and Controller deployments running affected 20.x versions, including multiple EOL releases. Environments using these versions for SD-WAN control, configuration and management face elevated compromise risk.

Threat Overview
Multiple Cisco Catalyst SD-WAN zero-days enable auth bypass, privilege escalation, file access and config manipulation. Unauthenticated remote attackers may gain administrative or netadmin-level control of SD-WAN management planes.

Exposure Timeline
Cisco advisories and this report were issued in late February 2026; some fixes are dated or estimated for 27 Feb 2026. Exposure persists until vulnerable versions are upgraded or systems are decommissioned or isolated per guidance.

Attack Surface
Public-facing Cisco Catalyst SD-WAN Manager and Controller APIs, peering interfaces and data collection components. Any internet-exposed or broadly reachable SD-WAN management endpoints significantly increase the likelihood of abuse.

Technical Root Cause
Issues include flawed peering authentication, improper API authentication, weak REST API checks and file access controls. Additional weaknesses stem from credential file exposure and improper file handling allowing arbitrary file overwrite.

Exploitation Pathway
Attackers send crafted requests to exposed APIs or peering services to bypass authentication and gain high privileges. Low-privileged or read-only users can further escalate via REST API and filesystem weaknesses to root or vmanage access.

Operational Impact
Attackers could alter SD-WAN fabric configuration via NETCONF, disrupt routing, or gain broad network management control. Sensitive data on underlying systems may be read or modified, impacting availability, integrity and confidentiality.

Strategic Impact
Compromise of SD-WAN control undermines trust in core network connectivity and segmentation across sites and clouds. Government and larger enterprises face high risk of widespread impact due to centralised SD-WAN management exposure.

Required Mitigation
Upgrade Cisco Catalyst SD-WAN Manager and Controller to fixed versions; retire or replace EOL releases where present. Apply least privilege, keep network infrastructure current, and segment critical SD-WAN control components from user-reachable networks.

Incident Response Guidance
Identify all SD-WAN Manager and Controller instances, map versions, and prioritise patching of internet-facing systems. Conduct vulnerability scans and targeted testing; review configs and logs for unauthorised access, changes or lateral movement.

References
See Cisco advisories for affected versions and patch releases for these SD-WAN vulnerabilities. Consult CISA, Tenable, and the CVE entries CVE-2026-20122, CVE-2026-20126, CVE-2026-20127, CVE-2026-20128, CVE-2026-20129 and CVE-2026-20133 for tracking and validation.
