CVE-2026-20127 is a maximum-severity (CVSS 10.0) authentication bypass in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager. An unauthenticated remote attacker can send a crafted request to bypass authentication and obtain full administrative privileges. The vulnerability has been actively exploited since 2023 by UAT-8616, a sophisticated threat actor tracked by Cisco Talos.
CISA responded with Emergency Directive 26-03, ordering Federal Civilian Executive Branch agencies to inventory all in-scope SD-WAN systems by February 26, 2026 and apply patches by February 27. There are no workarounds; upgrading to a patched release is the only fix. CISA's hardening guidance recommends enabling DTLS encryption for SD-WAN Manager connections, using SNMPv3, and deploying firewalls that restrict access to known device IPs.
For European organisations running Cisco SD-WAN, the urgency is the same even though the directive itself is U.S.-specific. Under NIS2, unpatched critical infrastructure is a compliance issue, not just a security one.