CVE-2026-20127 | Cisco | AB
| Field | Details |
|---|---|
| CVE ID | CVE-2026-20127 |
| Title | Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability |
| Product | Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) |
| Vulnerability Type | Authentication Bypass / Improper Authentication |
| CWE | CWE-287 |
| Severity | Critical |
| CVSS v3.1 | 10.0 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Description | A vulnerability in the peering authentication logic of Cisco Catalyst SD-WAN Controller and Manager could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. |
| Root Cause | The peering authentication mechanism does not correctly enforce trust during part of the DTLS control-plane handshake, allowing a crafted peer message to be accepted before proper authentication is completed. |
| Protocol Context | The public PoC analyzes the DTLS control-plane handshake used between SD-WAN peers and shows that the flaw occurs during processing of handshake-related control messages. |
| Vulnerable Function | The PoC attributes the issue to the vbond_proc_challenge_ack_ack() handler in vdaemon, which processes CHALLENGE_ACK_ACK messages. |
| Technical Mechanism | According to the PoC, an attacker can send a forged CHALLENGE_ACK_ACK message containing an attacker-controlled verification result. The vulnerable code trusts that value and marks the peer as authenticated instead of independently validating it. |
| Authentication Gate Weakness | The PoC further notes that the message type used in the bypass is exempted from the normal authentication gate in vbond_proc_msg(), which allows the forged message to be processed before the peer is authenticated. |
| Attack Vector | A remote attacker sends specially crafted peering requests to the affected system to bypass authentication. |
| Attack Requirements | No authentication is required. Exploitation is remote over the network against exposed vulnerable systems. |
| Impact | Successful exploitation could allow an attacker to gain administrative privileges on the affected system, access NETCONF, manipulate SD-WAN fabric configuration, add rogue peers, and potentially establish persistence. |
| Privilege Level Obtained | Cisco states successful exploitation can result in access as an internal, highly privileged, non-root user account on the affected SD-WAN system. |
| Observed Exploitation | Cisco confirmed limited active exploitation in the wild. |
| PoC Testing Notes | The public PoC reports successful testing against Cisco Catalyst SD-WAN Controller version 20.15.3 and unsuccessful testing against patched version 20.12.6.1. |
| Affected Versions | Earlier than 20.9; 20.9; 20.11; 20.12.5; 20.12.6; 20.13; 20.14; 20.15; 20.16; 20.18 |
| First Fixed Release | Earlier than 20.9: migrate to a fixed release; 20.9: 20.9.8.2; 20.11: 20.12.6.1; 20.12.5: 20.12.5.3; 20.12.6: 20.12.6.1; 20.13: 20.15.4.2; 20.14: 20.15.4.2; 20.15: 20.15.4.2; 20.16: 20.18.2.1; 20.18: 20.18.2.1 |
| Workarounds | No workarounds available. |
| Cisco Bug ID | CSCws52722 |
| Mitigation | Upgrade to the appropriate fixed release listed by Cisco. For releases that are end of software maintenance, migrate to a supported fixed release. Also review exposed SD-WAN control and management-plane access and investigate for signs of unauthorized peer activity if exposure is suspected. |
| References | Cisco Advisory; PoC Repository; CVE Record; NVD |
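To turn the Affected Versions and First Fixed Release rows above into a repeatable fleet check, the following added example (not a Cisco tool, and not part of the original record) triages an installed Controller/Manager version against that table. It assumes dotted-numeric version strings, and its mapping of 20.12.5.x and 20.12.6.x to the separate 20.12.5 and 20.12.6 rows is an interpretation of the table; trains the table does not list are reported as such rather than guessed.

```python
"""Triage an installed Cisco Catalyst SD-WAN Controller/Manager version against the
CVE-2026-20127 affected / first-fixed release table (added example, not Cisco's code)."""

# Release train -> first fixed release, transcribed from the table on this page.
FIXED_BY_TRAIN = {
    "20.9": "20.9.8.2",
    "20.11": "20.12.6.1",
    "20.12.5": "20.12.5.3",
    "20.12.6": "20.12.6.1",
    "20.13": "20.15.4.2",
    "20.14": "20.15.4.2",
    "20.15": "20.15.4.2",
    "20.16": "20.18.2.1",
    "20.18": "20.18.2.1",
}


def parse_version(version):
    """'20.15.4.2' -> (20, 15, 4, 2); tuples compare correctly as release numbers."""
    return tuple(int(part) for part in version.strip().split("."))


def release_train(parts):
    """Map a parsed version to the train names used in the advisory table (assumed mapping)."""
    if parts[:2] < (20, 9):
        return "earlier than 20.9"
    major_minor = f"{parts[0]}.{parts[1]}"
    # 20.12 is split into 20.12.5 and 20.12.6 rows in the table; keep that granularity.
    if major_minor == "20.12" and len(parts) >= 3 and f"20.12.{parts[2]}" in FIXED_BY_TRAIN:
        return f"20.12.{parts[2]}"
    return major_minor


def triage(version):
    """Return (status, train, first_fixed) for an installed version string.

    status is 'vulnerable', 'fixed', or 'not_listed' (train absent from the table)."""
    parts = parse_version(version)
    train = release_train(parts)
    if train == "earlier than 20.9":
        return ("vulnerable", train, None)  # table says: migrate to a fixed release
    fixed = FIXED_BY_TRAIN.get(train)
    if fixed is None:
        return ("not_listed", train, None)
    status = "fixed" if parts >= parse_version(fixed) else "vulnerable"
    return (status, train, fixed)


if __name__ == "__main__":
    # Constructed sample inventory: the PoC's tested-vulnerable and tested-patched versions.
    for v in ("20.15.3", "20.12.6.1", "20.6.2", "20.10.1"):
        print(v, triage(v))
```

Versions reported as `not_listed` (for example a 20.10 or 20.17 build) are not cleared by this check and should be confirmed against the Cisco advisory directly.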