{"id":217575,"date":"2026-02-26T01:13:00","date_gmt":"2026-02-26T06:13:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/26\/cisco-sd-wan-zero-day-cve-2026-20127-exploited-since-2023-for-admin-access\/"},"modified":"2026-02-26T06:35:08","modified_gmt":"2026-02-26T11:35:08","slug":"cisco-sd-wan-zero-day-cve-2026-20127-exploited-since-2023-for-admin-access","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/26\/cisco-sd-wan-zero-day-cve-2026-20127-exploited-since-2023-for-admin-access\/","title":{"rendered":"Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/cisco-sd-wan-zero-day-cve-2026-20127.html\">Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/cisco-sd-wan-zero-day-cve-2026-20127.html\">https:\/\/thehackernews.com\/2026\/02\/cisco-sd-wan-zero-day-cve-2026-20127.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-26 01:13:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\">\ue804<span class=\"author\">Ravie Lakshmanan<\/span>\ue802<span class=\"author\">Feb 26, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Network Security<\/span><\/p>\n<p>A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has come under active exploitation in the wild as part of malicious activity that dates back to 2023.<\/p>\n<p>The vulnerability, tracked as <strong>CVE-2026-20127<\/strong> (CVSS score: 10.0), allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on the affected system by sending a crafted request to an affected system.<\/p>\n<p>Successful exploitation of the flaw could allow the adversary to obtain elevated privileges on the system as an internal, high-privileged, non-root user account.<\/p>\n<p>&#8220;This vulnerability exists because the peering authentication mechanism in an affected system is not working properly,&#8221; Cisco said in an advisory, adding the threat actor could leverage the non-root user account to access NETCONF and manipulate network configuration for the SD-WAN fabric.\u00a0<\/p>\n<p>The shortcoming affects the following deployment types, irrespective of the device configuration &#8211;<\/p>\n<ul>\n<li>On-Prem Deployment<\/li>\n<li>Cisco Hosted SD-WAN Cloud<\/li>\n<li>Cisco Hosted SD-WAN Cloud &#8211; Cisco Managed<\/li>\n<li>Cisco Hosted SD-WAN Cloud &#8211; FedRAMP Environment<\/li>\n<\/ul>\n<p>Cisco credited the Australian Signals Directorate&#8217;s Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability. The networking equipment major is tracking the exploitation and subsequent post-compromise activity under the moniker UAT-8616, describing the cluster as a &#8220;highly sophisticated cyber threat actor.&#8221;<\/p>\n<p>The vulnerability has been addressed in the following versions of Cisco Catalyst SD-WAN &#8211;<\/p>\n<ul>\n<li>Prior to version 20.91 &#8211; Migrate to a fixed release.<\/li>\n<li>Version 20.9 &#8211; 20.9.8.2 (Estimated release February 27, 2026)<\/li>\n<li>Version 20.111 &#8211; 20.12.6.1<\/li>\n<li>Version 20.12.5 &#8211; 20.12.5.3<\/li>\n<li>Version 20.12.6 &#8211; 20.12.6.1<\/li>\n<li>Version 20.131 &#8211; 20.15.4.2<\/li>\n<li>Version 20.141 &#8211; 20.15.4.2<\/li>\n<li>Version 20.15 &#8211; 20.15.4.2<\/li>\n<li>Version 20.161 &#8211; 20.18.2.1<\/li>\n<li>Version 20.18 -&#8230;<\/li>\n<\/ul>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/cisco-sd-wan-zero-day-cve-2026-20127.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access https:\/\/thehackernews.com\/2026\/02\/cisco-sd-wan-zero-day-cve-2026-20127.html Publish Date: 2026-02-26 01:13:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":217576,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEguuaG3Zn05bu2DRYkpxdcKrvugskd4bWxOdVfAIk2Yeaz_haffll_p9cgQ9DvoIID6Qyihvpq0q9M8NZFBOFprN-7ILllTeAs7Y5WJ5kqUPsBblknz376nPPxRa04vGkCKNVfLSUgTfweasJd9Q533msiw6SdqGP0K61_ZZYMhR9QD_sueS-R9vftPtheu\/s1600\/cisco.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[29,34,27],"class_list":["post-217575","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-network-security","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/217575"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=217575"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/217575\/revisions"}],"predecessor-version":[{"id":217577,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/217575\/revisions\/217577"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/217576"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=217575"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=217575"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=217575"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}