CVE-2026-20127 -- CVSS 10.0 Vulnerability Briefing

CVE-2026-20127 | CVSS 10.0 (Critical) | Exploit: PoC available

What Is It

CVE-2026-20127 is a critical authentication bypass vulnerability in the peering authentication mechanism of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) and Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart), allowing unauthenticated remote attackers to gain administrative control over affected systems.

Technical Detail

The flaw exists in the peering authentication subsystem of both affected products, which fails to properly validate incoming requests during the peering handshake process. An unauthenticated remote attacker can send specially crafted requests to exploit this improper validation, bypassing authentication entirely and obtaining administrative privileges on the targeted system. The impact is a full administrative compromise of the SD-WAN control plane, which governs routing policy, network segmentation, and device configuration across the managed SD-WAN fabric.

Exploitation Status

A proof-of-concept exploit is publicly available as of this writing. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, meaning active in-the-wild exploitation has not been formally confirmed by CISA. However, the availability of a PoC combined with the CVSS 10.0 score and the high-value nature of SD-WAN control infrastructure significantly elevates the risk of exploitation in the near term.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. No known campaigns or targeted sector activity have been linked to this vulnerability in available intelligence. Given that SD-WAN management infrastructure is a high-value target for nation-state actors and ransomware operators seeking broad network access, this vulnerability warrants close monitoring for emerging attribution.

What To Do

Apply Cisco's security patches for Cisco Catalyst SD-WAN Manager and Cisco Catalyst SD-WAN Controller immediately, prioritizing internet-facing or externally reachable deployments. Organizations should restrict access to SD-WAN management and controller interfaces to trusted IP ranges using access control lists or firewall rules, and ensure these interfaces are not exposed to the public internet. Review administrative access logs on both platforms for anomalous authentication events or unexpected privilege escalations that may indicate prior exploitation. Monitor Cisco's Security Advisory portal for updated guidance and fixed software release information, and treat this as a patch-now priority given the maximum CVSS score and public PoC availability.
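
One way to check the access-restriction step above, as an added example that is not from Cisco or from this briefing: the script flags any permit rule in front of the SD-WAN Manager or Controller interfaces whose source is not fully inside a trusted range. The rule format, rule names and address ranges are constructed for illustration and are not a Cisco configuration syntax.

```python
import ipaddress

# Constructed sample data: trusted admin ranges and the permit/deny rules
# guarding the SD-WAN Manager/Controller interfaces. The tuple format is
# hypothetical, not a Cisco configuration syntax.
TRUSTED = ["10.20.0.0/16", "192.0.2.0/28", "2001:db8:10::/48"]
RULES = [
    ("mgmt-admin-vpn", "permit", "10.20.4.0/24"),
    ("mgmt-legacy", "permit", "0.0.0.0/0"),
    ("ctrl-partner", "permit", "198.51.100.0/24"),
    ("ctrl-jump-host", "permit", "192.0.2.5/32"),
    ("mgmt-v6-any", "permit", "::/0"),
    ("mgmt-default", "deny", "0.0.0.0/0"),
    ("ctrl-wide", "permit", "10.0.0.0/8"),
]


def audit_rules(rules, trusted):
    """Return (rule_name, source, reason) for every permit rule whose source
    is not fully contained in one of the trusted ranges."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for name, action, source in rules:
        if action != "permit":
            continue  # deny rules cannot expose the interface
        net = ipaddress.ip_network(source, strict=False)
        # subnet_of() raises TypeError across IP versions, so check version first
        covered = any(
            net.version == t.version and net.subnet_of(t) for t in trusted_nets
        )
        if covered:
            continue
        if net.prefixlen == 0:
            reason = "permits any source"
        elif any(net.version == t.version and t.subnet_of(net) for t in trusted_nets):
            reason = "broader than the trusted range it contains"
        else:
            reason = "outside trusted ranges"
        findings.append((name, source, reason))
    return findings


if __name__ == "__main__":
    for name, source, reason in audit_rules(RULES, TRUSTED):
        print(f"{name}: {source} {reason}")
```
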
