Ctrl + K
/ news / CVE
CVEPublished 2026-02-25Modified 2026-06-175 articles on news5 live referencesNVD data

CVE-2026-20127Cisco · Catalyst_sd-wan_manager

Vulnerability data via NVD (ingested)

CVSS v3.1
10.0
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS percentile
99
Exploit Prediction Scoring System · top 1% of all CVEs
Weaknesses (CWE)
CWE-287Improper Authentication
Description

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric. 

Timeline
Published 2026-02-25
Modified 2026-06-17

External references

NVDMITREExploit-DBSploitusVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts
vuln:CVE-2026-20127
Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · product
product:"Cisco Catalyst Sd-wan Manager"
All exposed Cisco Catalyst Sd-wan Manager instances — cross-reference with the CVE's affected-version range.
Shodan · banner/body mention
http.html:"Catalyst Sd-wan Manager"
HTTP body or banner mentions "Catalyst Sd-wan Manager" — catches deploys Shodan didn't identify as a product.
More intel sources (5)
Shodan report
vuln:CVE-2026-20127
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2026-20127
Censys host search filtered to this CVE id.
grep.app
CVE-2026-20127
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2026-20127
GitHub code search for direct mentions.
Google dork
"CVE-2026-20127" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub (8)

CVE-2026-201278 repos
nomi-sec/PoC-in-GitHubunknown
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
★ 7,850·updated today
Threekiii/CVEunknown
一个 CVE 漏洞预警知识库,无 exp/poc,部分包含修复方案。A knowledge base of CVE security vulnerability, no PoCs/exploits.
★ 171·updated today
DarkFunct/TK-CVE-RepoPython
TK-CVE-Repo
★ 50·updated 2w ago
Xuchen-Li/cv-arxiv-dailyPython
Automatically update arXiv papers about SOT & VLT, Multi-modal Learning, LLM and Video Understanding using Github Actions.
★ 47·updated 1d ago
XuzhaoLi/ro-arxiv-dailyPython
Automatically Update Arxiv Papers about Path Planning, LLM and Autonomous Driving using Github Actions since 2024.2.
★ 37·updated 1d ago
zerozenxlabs/CVE-2026-20127---Cisco-SD-WAN-Preauth-RCEPython
★ 31·updated 3mo ago
sfewer-r7/CVE-2026-20127Ruby
An exploit for the Cisco Catalyst SD-WAN Controller authentication bypass vulnerability, CVE-2026-20127
★ 24·updated 3mo ago
cnlinxi/LLM-paper-dailyPython
Automatically Update LLM Papers Daily using Github Actions. Ref: https://github.com/Vincentqyw/cv-arxiv-daily
★ 10·updated 1d ago
Articles on news mentioning CVE-2026-20127