# [CRIT] CISA KEV: CVE-2026-20127 — Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability **Source:** CISA KEV **Published:** 2026-02-25 **Article:** https://www.cisa.gov/known-exploited-vulnerabilities-catalog ## Threat Profile CISA KEV entry. The U.S. federal "Known Exploited Vulnerabilities" catalog only adds CVEs that have been **observed exploited in the wild**. Federal civilian agencies are required to remediate by the published due date; the same prioritisation logic applies to any sensible enterprise SOC. Vendor / Product: **Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass** ## Indicators of Compromise - CVE-2026-20127 — match against your vulnerability scanner ## MITRE ATT&CK - **T1190 — Exploit Public-Facing Application** (KEV implies active exploitation against exposed assets) ## Recommended hunts Standard asset-exposure hunt — the canonical Splunk SPL and Defender KQL live once in [`../_TEMPLATES.md#asset-exposure`](../_TEMPLATES.md#asset-exposure). Substitute this CVE wherever the template references ``: - **CVE:** `CVE-2026-20127` ## Why this matters Anything in CISA KEV is *currently* being exploited. Even if your scanners say "not vulnerable" because of patches, it's worth one quick check across your fleet — patch lag is the silent killer. Federal due-date dates also frequently match the timing your organisation will be asked about by auditors / regulators. ## Source body Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD…