On March 5, 2026, Cisco updated its advisory for CVE-2026-20127 to confirm what several response teams already suspected: the flaw is being exploited in the wild, and has been for a while. This is an authentication bypass in Cisco Catalyst SD-WAN Controller (formerly vSmart) and the Manager component, carrying a CVSS score of 10.0. Nothing softens that number. It needs no prior authentication, no user interaction, and works over the network.
What actually breaks
The problem sits in the control-plane peering authentication mechanism. A remote attacker can send crafted requests and log in as an internal, high-privileged (non-root) account. From there, according to Cisco Talos analysis, the usual next move is to abuse NETCONF to enumerate, modify, and push templates and policies across the entire SD-WAN fabric. That means control over the configuration of the whole network, not just a single appliance.
The account reached isn’t root, but that didn’t stop the attacker. Talos attributes the activity to a group it tracks as UAT-8616, which it assesses with high confidence to be a sophisticated actor. To jump from that privileged account to root, the group used an uncommon trick: it downgraded the SD-WAN software to an older release where CVE-2022-20775 (a CLI privilege escalation flaw patched long ago) was still present, exploited that bug to get root, then restored the original patched version. This erased the trace of the downgrade and left the system on its “good” version, which made detection harder.
Who is affected, and since when
It affects Cisco Catalyst SD-WAN Controller and Manager. The unsettling part is the timeline: evidence indicates the malicious activity goes back at least to 2023, well before public disclosure. Talos spotted active exploitation in February 2026, and Cisco updated the advisory in early March to reflect confirmed attacks. Targets include edge network infrastructure in critical sectors.
Severity and mitigation
With CVSS 10.0 and confirmed exploitation, this lands squarely in the “patch now” bucket. Cisco released fixed releases; check the official advisory for the specific branch you run and update to the matching fixed version (fixes cover the 20.9, 20.12, 20.15, and 20.18 branches, among others).
Beyond the patch, given the downgrade-based attack method, it’s worth reviewing logs for unauthorized software version changes and anomalous NETCONF activity (typically TCP/830). If you run an exposed SD-WAN fabric, restrict management access to trusted networks and review templates and policies in case they were altered. Activity dating to 2023 means an unpatched system could have been compromised for a long time with no obvious signs.