cvelistv5 - cve-2026-20127

CVE-2026-20127 (GCVE-0-2026-20127)

Vulnerability from cvelistv5

Published

2026-02-25 16:14

Modified

2026-02-26 14:44

Severity ?

10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-287 - Improper Authentication

Summary

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric. 

References

URL

Tags

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

Impacted products

	Vendor	Product	Version
	Cisco	Cisco Catalyst SD-WAN Manager	Version: 20.1.12 Version: 19.2.1 Version: 18.4.4 Version: 18.4.5 Version: 20.1.1.1 Version: 20.1.1 Version: 19.3.0 Version: 19.2.2 Version: 19.2.099 Version: 18.3.6 Version: 18.3.7 Version: 19.2.0 Version: 18.3.8 Version: 19.0.0 Version: 19.1.0 Version: 18.4.302 Version: 18.4.303 Version: 19.2.097 Version: 19.2.098 Version: 17.2.10 Version: 18.3.6.1 Version: 19.0.1a Version: 18.2.0 Version: 18.4.3 Version: 18.4.1 Version: 17.2.8 Version: 18.3.3.1 Version: 18.4.0 Version: 18.3.1 Version: 17.2.6 Version: 17.2.9 Version: 18.3.4 Version: 17.2.5 Version: 18.3.1.1 Version: 18.3.5 Version: 18.4.0.1 Version: 18.3.3 Version: 17.2.7 Version: 17.2.4 Version: 18.3.0 Version: 19.2.3 Version: 18.4.501_ES Version: 20.3.1 Version: 20.1.2 Version: 19.2.929 Version: 19.2.31 Version: 20.3.2 Version: 19.2.32 Version: 20.3.2_925 Version: 20.3.2.1 Version: 20.3.2.1_927 Version: 18.4.6 Version: 20.1.2_937 Version: 20.4.1 Version: 20.3.2_928 Version: 20.3.2_929 Version: 20.4.1.0.1 Version: 20.3.2.1_930 Version: 19.2.4 Version: 20.5.0.1.1 Version: 20.4.1.1 Version: 20.3.3 Version: 19.2.4.0.1 Version: 20.3.2_937 Version: 20.3.3.1 Version: 20.5.1 Version: 20.1.3 Version: 20.3.3.0.4 Version: 20.3.3.1.2 Version: 20.3.3.1.1 Version: 20.4.1.2 Version: 20.3.3.0.2 Version: 20.4.1.1.5 Version: 20.4.1.0.01 Version: 20.4.1.0.02 Version: 20.3.3.1.7 Version: 20.3.3.1.5 Version: 20.5.1.0.1 Version: 20.3.3.1.10 Version: 20.3.3.0.8 Version: 20.4.2 Version: 20.4.2.0.1 Version: 20.3.4 Version: 20.3.3.0.14 Version: 19.2.4.0.8 Version: 19.2.4.0.9 Version: 20.3.4.0.1 Version: 20.3.2.0.5 Version: 20.6.1 Version: 20.5.1.0.2 Version: 20.3.3.0.17 Version: 20.6.1.1 Version: 20.6.0.18.3 Version: 20.3.2.0.6 Version: 20.6.0.18.4 Version: 20.4.2.0.2 Version: 20.3.3.0.16 Version: 20.3.4.0.5 Version: 20.6.1.0.1 Version: 20.3.4.0.6 Version: 20.6.2 Version: 20.7.1EFT2 Version: 20.3.4.0.9 Version: 20.3.4.0.11 Version: 20.4.2.0.4 Version: 20.3.3.0.18 Version: 20.7.1 Version: 20.6.2.1 Version: 20.3.4.1 Version: 20.5.1.1 Version: 20.4.2.1 Version: 20.4.2.1.1 Version: 20.3.4.1.1 Version: 20.3.813 Version: 20.3.4.0.19 Version: 20.4.2.2.1 Version: 20.5.1.2 Version: 20.3.4.2 Version: 20.3.814 Version: 20.4.2.2 Version: 20.6.2.2 Version: 20.3.4.2.1 Version: 20.7.1.1 Version: 20.3.4.1.2 Version: 20.6.2.2.2 Version: 20.3.4.0.20 Version: 20.6.2.2.3 Version: 20.4.2.2.2 Version: 20.3.5 Version: 20.6.2.0.4 Version: 20.4.2.2.3 Version: 20.3.4.0.24 Version: 20.6.2.2.7 Version: 20.6.3 Version: 20.3.4.2.2 Version: 20.4.2.2.4 Version: 20.7.1.0.2 Version: 20.8.1 Version: 20.3.5.0.8 Version: 20.3.5.0.9 Version: 20.4.2.2.8 Version: 20.3.5.0.7 Version: 20.6.3.0.7 Version: 20.6.3.0.5 Version: 20.6.3.0.10 Version: 20.6.3.0.2 Version: 20.7.2 Version: 20.9.1EFT2 Version: 20.6.3.0.11 Version: 20.6.3.1 Version: 20.6.3.0.14 Version: 20.6.4 Version: 20.9.1 Version: 20.6.3.0.19 Version: 20.6.3.0.18 Version: 20.3.6 Version: 20.9.1.1 Version: 20.6.3.0.23 Version: 20.6.4.0.4 Version: 20.6.3.0.25 Version: 20.6.5 Version: 20.6.3.0.27 Version: 20.9.2 Version: 20.9.2.1 Version: 20.6.3.0.29 Version: 20.6.3.0.31 Version: 20.6.3.0.32 Version: 20.10.1 Version: 20.6.3.0.33 Version: 20.9.2.0.01 Version: 20.9.1_LI_Images Version: 20.10.1_LI_Images Version: 20.9.2_LI_Images Version: 20.3.7 Version: 20.9.3 Version: 20.6.5.1 Version: 20.11.1 Version: 20.11.1_LI_Images Version: 20.9.3_LI_ Images Version: 20.6.3.1.1 Version: 20.9.3.0.2 Version: 20.6.5.1.2 Version: 20.9.3.0.3 Version: 20.4.2.3 Version: 20.6.3.2 Version: 20.6.4.1 Version: 20.6.3.0.38 Version: 20.6.3.0.39 Version: 20.3.5.1 Version: 20.3.4.3 Version: 20.9.3.1 Version: 20.3.3.2 Version: 20.6.5.2 Version: 20.3.7.1 Version: 20.10.1.1 Version: 20.6.5.2.1 Version: 20.3.4.0.25 Version: 20.6.2.2.4 Version: 20.6.1.2 Version: 20.11.1.1 Version: 20.9.3.0.5 Version: 20.3.4.0.26 Version: 20.6.5.1.3 Version: 20.6.3.0.40 Version: 20.1.3.1 Version: 20.9.2.2 Version: 20.6.5.2.3 Version: 20.6.5.1.4 Version: 20.6.5.3 Version: 20.6.3.0.41 Version: 20.9.3.0.7 Version: 20.6.5.1.5 Version: 20.9.3.0.4 Version: 20.6.4.0.19 Version: 20.6.5.1.6 Version: 20.9.3.0.8 Version: 20.6.3.3 Version: 20.3.7.2 Version: 20.6.5.4 Version: 20.6.5.1.7 Version: 20.9.3.0.12 Version: 20.6.4.2 Version: 20.6.5.5 Version: 20.9.3.2 Version: 20.11.1.2 Version: 20.6.3.4 Version: 20.10.1.2 Version: 20.6.5.1.9 Version: 20.9.3.0.16 Version: 20.6.3.0.45 Version: 20.6.5.1.10 Version: 20.9.3.0.17 Version: 20.6.5.2.4 Version: 20.6.4.0.21 Version: 20.9.3.0.18 Version: 20.6.3.0.46 Version: 20.6.3.0.47 Version: 20.9.2.3 Version: 20.9.3.2_LI_Images Version: 20.9.3.0.21 Version: 20.9.3.0.20 Version: 20.9.4_LI_Images Version: 20.9.4 Version: 20.6.5.1.11 Version: 20.12.1 Version: 20.12.1_LI_Images Version: 20.6.5.1.13 Version: 20.9.3.0.23 Version: 20.6.5.2.8 Version: 20.9.4.1 Version: 20.9.4.1_LI_Images Version: 20.9.3.0.25 Version: 20.9.3.0.24 Version: 20.6.5.1.14 Version: 20.3.8 Version: 20.6.6 Version: 20.9.3.0.26 Version: 20.6.3.0.51 Version: 20.9.3.0.29 Version: 20.12.2 Version: 20.12.2_LI_Images Version: 20.6.6.0.1 Version: 20.13.1_LI_Images Version: 20.9.4.0.4 Version: 20.13.1 Version: 20.9.4.1.1 Version: 20.9.5 Version: 20.9.5_LI_Images Version: 20.12.3_LI_Images Version: 20.12.3 Version: 20.9.4.1.3 Version: 20.6.7 Version: 20.9.5.1 Version: 20.9.5.1_LI_Images Version: 20.9.4.1.6 Version: 20.14.1 Version: 20.14.1_LI_Images Version: 20.9.5.2 Version: 20.9.5.2.1 Version: 20.9.5.2_LI_Images Version: 20.12.3.1 Version: 20.12.4 Version: 20.15.1_LI_Images Version: 20.15.1 Version: 20.9.5.1.4 Version: 20.9.5.2.7 Version: 20.9.5.2.13 Version: 20.9.6 Version: 20.9.6_LI_Images Version: 20.9.5.2.14 Version: 20.6.8 Version: 20.12.4.0.03 Version: 20.16.1 Version: 20.16.1_LI_Images Version: 20.12.4_LI_Images Version: 20.9.5.2.16 Version: 20.12.4.0.4 Version: 20.12.401 Version: 20.9.5.3 Version: 20.9.5.3_LI_Images Version: 20.12.4.1_LI_Images Version: 20.12.4.1 Version: 20.9.5.2.21 Version: 20.9.6.0.3 Version: 20.12.4.0.6 Version: 20.15.2_LI_Images Version: 20.15.2 Version: 20.12.4_Monthly_ES5 Version: 20.12.5 Version: 20.12.5_LI_Images Version: 20.9.7_LI _Images Version: 20.9.7 Version: 20.15.3 Version: 20.15.3_ LI _Images Version: 20.12.501 Version: 20.12.5.1_LI_Images Version: 20.12.5.1 Version: 20.12.5.2_LI_Images Version: 20.12.5.2 Version: 20.15.3.1 Version: 20.15.4_LI_Images Version: 20.15.4 Version: 20.9.7.1_LI _Images Version: 20.9.7.1 Version: 20.18.1 Version: 20.18.1_LI_Images Version: 20.12.6_LI_Images Version: 20.12.6 Version: 20.12.5.1.01 Version: 20.9.8 Version: 20.9.8_LI_Images Version: 20.18.2 Version: 20.15.4.1_LI_Images Version: 20.15.4.1 Version: 20.18.2_LI_Images

CISA Known Exploited Vulnerability

Data from the CISA Known Exploited Vulnerabilities Catalog

Date added: 2026-02-25

Due date: 2026-02-27

Required action: Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlines in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Used in ransomware: Unknown

Notes: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems ; https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk ; https://nvd.nist.gov/vuln/detail/CVE-2026-20127

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20127",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T04:55:54.782171Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2026-02-25",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20127"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T14:44:06.050Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20127"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Cisco Catalyst SD-WAN Manager",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "20.1.12"
            },
            {
              "status": "affected",
              "version": "19.2.1"
            },
            {
              "status": "affected",
              "version": "18.4.4"
            },
            {
              "status": "affected",
              "version": "18.4.5"
            },
            {
              "status": "affected",
              "version": "20.1.1.1"
            },
            {
              "status": "affected",
              "version": "20.1.1"
            },
            {
              "status": "affected",
              "version": "19.3.0"
            },
            {
              "status": "affected",
              "version": "19.2.2"
            },
            {
              "status": "affected",
              "version": "19.2.099"
            },
            {
              "status": "affected",
              "version": "18.3.6"
            },
            {
              "status": "affected",
              "version": "18.3.7"
            },
            {
              "status": "affected",
              "version": "19.2.0"
            },
            {
              "status": "affected",
              "version": "18.3.8"
            },
            {
              "status": "affected",
              "version": "19.0.0"
            },
            {
              "status": "affected",
              "version": "19.1.0"
            },
            {
              "status": "affected",
              "version": "18.4.302"
            },
            {
              "status": "affected",
              "version": "18.4.303"
            },
            {
              "status": "affected",
              "version": "19.2.097"
            },
            {
              "status": "affected",
              "version": "19.2.098"
            },
            {
              "status": "affected",
              "version": "17.2.10"
            },
            {
              "status": "affected",
              "version": "18.3.6.1"
            },
            {
              "status": "affected",
              "version": "19.0.1a"
            },
            {
              "status": "affected",
              "version": "18.2.0"
            },
            {
              "status": "affected",
              "version": "18.4.3"
            },
            {
              "status": "affected",
              "version": "18.4.1"
            },
            {
              "status": "affected",
              "version": "17.2.8"
            },
            {
              "status": "affected",
              "version": "18.3.3.1"
            },
            {
              "status": "affected",
              "version": "18.4.0"
            },
            {
              "status": "affected",
              "version": "18.3.1"
            },
            {
              "status": "affected",
              "version": "17.2.6"
            },
            {
              "status": "affected",
              "version": "17.2.9"
            },
            {
              "status": "affected",
              "version": "18.3.4"
            },
            {
              "status": "affected",
              "version": "17.2.5"
            },
            {
              "status": "affected",
              "version": "18.3.1.1"
            },
            {
              "status": "affected",
              "version": "18.3.5"
            },
            {
              "status": "affected",
              "version": "18.4.0.1"
            },
            {
              "status": "affected",
              "version": "18.3.3"
            },
            {
              "status": "affected",
              "version": "17.2.7"
            },
            {
              "status": "affected",
              "version": "17.2.4"
            },
            {
              "status": "affected",
              "version": "18.3.0"
            },
            {
              "status": "affected",
              "version": "19.2.3"
            },
            {
              "status": "affected",
              "version": "18.4.501_ES"
            },
            {
              "status": "affected",
              "version": "20.3.1"
            },
            {
              "status": "affected",
              "version": "20.1.2"
            },
            {
              "status": "affected",
              "version": "19.2.929"
            },
            {
              "status": "affected",
              "version": "19.2.31"
            },
            {
              "status": "affected",
              "version": "20.3.2"
            },
            {
              "status": "affected",
              "version": "19.2.32"
            },
            {
              "status": "affected",
              "version": "20.3.2_925"
            },
            {
              "status": "affected",
              "version": "20.3.2.1"
            },
            {
              "status": "affected",
              "version": "20.3.2.1_927"
            },
            {
              "status": "affected",
              "version": "18.4.6"
            },
            {
              "status": "affected",
              "version": "20.1.2_937"
            },
            {
              "status": "affected",
              "version": "20.4.1"
            },
            {
              "status": "affected",
              "version": "20.3.2_928"
            },
            {
              "status": "affected",
              "version": "20.3.2_929"
            },
            {
              "status": "affected",
              "version": "20.4.1.0.1"
            },
            {
              "status": "affected",
              "version": "20.3.2.1_930"
            },
            {
              "status": "affected",
              "version": "19.2.4"
            },
            {
              "status": "affected",
              "version": "20.5.0.1.1"
            },
            {
              "status": "affected",
              "version": "20.4.1.1"
            },
            {
              "status": "affected",
              "version": "20.3.3"
            },
            {
              "status": "affected",
              "version": "19.2.4.0.1"
            },
            {
              "status": "affected",
              "version": "20.3.2_937"
            },
            {
              "status": "affected",
              "version": "20.3.3.1"
            },
            {
              "status": "affected",
              "version": "20.5.1"
            },
            {
              "status": "affected",
              "version": "20.1.3"
            },
            {
              "status": "affected",
              "version": "20.3.3.0.4"
            },
            {
              "status": "affected",
              "version": "20.3.3.1.2"
            },
            {
              "status": "affected",
              "version": "20.3.3.1.1"
            },
            {
              "status": "affected",
              "version": "20.4.1.2"
            },
            {
              "status": "affected",
              "version": "20.3.3.0.2"
            },
            {
              "status": "affected",
              "version": "20.4.1.1.5"
            },
            {
              "status": "affected",
              "version": "20.4.1.0.01"
            },
            {
              "status": "affected",
              "version": "20.4.1.0.02"
            },
            {
              "status": "affected",
              "version": "20.3.3.1.7"
            },
            {
              "status": "affected",
              "version": "20.3.3.1.5"
            },
            {
              "status": "affected",
              "version": "20.5.1.0.1"
            },
            {
              "status": "affected",
              "version": "20.3.3.1.10"
            },
            {
              "status": "affected",
              "version": "20.3.3.0.8"
            },
            {
              "status": "affected",
              "version": "20.4.2"
            },
            {
              "status": "affected",
              "version": "20.4.2.0.1"
            },
            {
              "status": "affected",
              "version": "20.3.4"
            },
            {
              "status": "affected",
              "version": "20.3.3.0.14"
            },
            {
              "status": "affected",
              "version": "19.2.4.0.8"
            },
            {
              "status": "affected",
              "version": "19.2.4.0.9"
            },
            {
              "status": "affected",
              "version": "20.3.4.0.1"
            },
            {
              "status": "affected",
              "version": "20.3.2.0.5"
            },
            {
              "status": "affected",
              "version": "20.6.1"
            },
            {
              "status": "affected",
              "version": "20.5.1.0.2"
            },
            {
              "status": "affected",
              "version": "20.3.3.0.17"
            },
            {
              "status": "affected",
              "version": "20.6.1.1"
            },
            {
              "status": "affected",
              "version": "20.6.0.18.3"
            },
            {
              "status": "affected",
              "version": "20.3.2.0.6"
            },
            {
              "status": "affected",
              "version": "20.6.0.18.4"
            },
            {
              "status": "affected",
              "version": "20.4.2.0.2"
            },
            {
              "status": "affected",
              "version": "20.3.3.0.16"
            },
            {
              "status": "affected",
              "version": "20.3.4.0.5"
            },
            {
              "status": "affected",
              "version": "20.6.1.0.1"
            },
            {
              "status": "affected",
              "version": "20.3.4.0.6"
            },
            {
              "status": "affected",
              "version": "20.6.2"
            },
            {
              "status": "affected",
              "version": "20.7.1EFT2"
            },
            {
              "status": "affected",
              "version": "20.3.4.0.9"
            },
            {
              "status": "affected",
              "version": "20.3.4.0.11"
            },
            {
              "status": "affected",
              "version": "20.4.2.0.4"
            },
            {
              "status": "affected",
              "version": "20.3.3.0.18"
            },
            {
              "status": "affected",
              "version": "20.7.1"
            },
            {
              "status": "affected",
              "version": "20.6.2.1"
            },
            {
              "status": "affected",
              "version": "20.3.4.1"
            },
            {
              "status": "affected",
              "version": "20.5.1.1"
            },
            {
              "status": "affected",
              "version": "20.4.2.1"
            },
            {
              "status": "affected",
              "version": "20.4.2.1.1"
            },
            {
              "status": "affected",
              "version": "20.3.4.1.1"
            },
            {
              "status": "affected",
              "version": "20.3.813"
            },
            {
              "status": "affected",
              "version": "20.3.4.0.19"
            },
            {
              "status": "affected",
              "version": "20.4.2.2.1"
            },
            {
              "status": "affected",
              "version": "20.5.1.2"
            },
            {
              "status": "affected",
              "version": "20.3.4.2"
            },
            {
              "status": "affected",
              "version": "20.3.814"
            },
            {
              "status": "affected",
              "version": "20.4.2.2"
            },
            {
              "status": "affected",
              "version": "20.6.2.2"
            },
            {
              "status": "affected",
              "version": "20.3.4.2.1"
            },
            {
              "status": "affected",
              "version": "20.7.1.1"
            },
            {
              "status": "affected",
              "version": "20.3.4.1.2"
            },
            {
              "status": "affected",
              "version": "20.6.2.2.2"
            },
            {
              "status": "affected",
              "version": "20.3.4.0.20"
            },
            {
              "status": "affected",
              "version": "20.6.2.2.3"
            },
            {
              "status": "affected",
              "version": "20.4.2.2.2"
            },
            {
              "status": "affected",
              "version": "20.3.5"
            },
            {
              "status": "affected",
              "version": "20.6.2.0.4"
            },
            {
              "status": "affected",
              "version": "20.4.2.2.3"
            },
            {
              "status": "affected",
              "version": "20.3.4.0.24"
            },
            {
              "status": "affected",
              "version": "20.6.2.2.7"
            },
            {
              "status": "affected",
              "version": "20.6.3"
            },
            {
              "status": "affected",
              "version": "20.3.4.2.2"
            },
            {
              "status": "affected",
              "version": "20.4.2.2.4"
            },
            {
              "status": "affected",
              "version": "20.7.1.0.2"
            },
            {
              "status": "affected",
              "version": "20.8.1"
            },
            {
              "status": "affected",
              "version": "20.3.5.0.8"
            },
            {
              "status": "affected",
              "version": "20.3.5.0.9"
            },
            {
              "status": "affected",
              "version": "20.4.2.2.8"
            },
            {
              "status": "affected",
              "version": "20.3.5.0.7"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.7"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.5"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.10"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.2"
            },
            {
              "status": "affected",
              "version": "20.7.2"
            },
            {
              "status": "affected",
              "version": "20.9.1EFT2"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.11"
            },
            {
              "status": "affected",
              "version": "20.6.3.1"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.14"
            },
            {
              "status": "affected",
              "version": "20.6.4"
            },
            {
              "status": "affected",
              "version": "20.9.1"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.19"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.18"
            },
            {
              "status": "affected",
              "version": "20.3.6"
            },
            {
              "status": "affected",
              "version": "20.9.1.1"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.23"
            },
            {
              "status": "affected",
              "version": "20.6.4.0.4"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.25"
            },
            {
              "status": "affected",
              "version": "20.6.5"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.27"
            },
            {
              "status": "affected",
              "version": "20.9.2"
            },
            {
              "status": "affected",
              "version": "20.9.2.1"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.29"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.31"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.32"
            },
            {
              "status": "affected",
              "version": "20.10.1"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.33"
            },
            {
              "status": "affected",
              "version": "20.9.2.0.01"
            },
            {
              "status": "affected",
              "version": "20.9.1_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.10.1_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.9.2_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.3.7"
            },
            {
              "status": "affected",
              "version": "20.9.3"
            },
            {
              "status": "affected",
              "version": "20.6.5.1"
            },
            {
              "status": "affected",
              "version": "20.11.1"
            },
            {
              "status": "affected",
              "version": "20.11.1_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.9.3_LI_ Images"
            },
            {
              "status": "affected",
              "version": "20.6.3.1.1"
            },
            {
              "status": "affected",
              "version": "20.9.3.0.2"
            },
            {
              "status": "affected",
              "version": "20.6.5.1.2"
            },
            {
              "status": "affected",
              "version": "20.9.3.0.3"
            },
            {
              "status": "affected",
              "version": "20.4.2.3"
            },
            {
              "status": "affected",
              "version": "20.6.3.2"
            },
            {
              "status": "affected",
              "version": "20.6.4.1"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.38"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.39"
            },
            {
              "status": "affected",
              "version": "20.3.5.1"
            },
            {
              "status": "affected",
              "version": "20.3.4.3"
            },
            {
              "status": "affected",
              "version": "20.9.3.1"
            },
            {
              "status": "affected",
              "version": "20.3.3.2"
            },
            {
              "status": "affected",
              "version": "20.6.5.2"
            },
            {
              "status": "affected",
              "version": "20.3.7.1"
            },
            {
              "status": "affected",
              "version": "20.10.1.1"
            },
            {
              "status": "affected",
              "version": "20.6.5.2.1"
            },
            {
              "status": "affected",
              "version": "20.3.4.0.25"
            },
            {
              "status": "affected",
              "version": "20.6.2.2.4"
            },
            {
              "status": "affected",
              "version": "20.6.1.2"
            },
            {
              "status": "affected",
              "version": "20.11.1.1"
            },
            {
              "status": "affected",
              "version": "20.9.3.0.5"
            },
            {
              "status": "affected",
              "version": "20.3.4.0.26"
            },
            {
              "status": "affected",
              "version": "20.6.5.1.3"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.40"
            },
            {
              "status": "affected",
              "version": "20.1.3.1"
            },
            {
              "status": "affected",
              "version": "20.9.2.2"
            },
            {
              "status": "affected",
              "version": "20.6.5.2.3"
            },
            {
              "status": "affected",
              "version": "20.6.5.1.4"
            },
            {
              "status": "affected",
              "version": "20.6.5.3"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.41"
            },
            {
              "status": "affected",
              "version": "20.9.3.0.7"
            },
            {
              "status": "affected",
              "version": "20.6.5.1.5"
            },
            {
              "status": "affected",
              "version": "20.9.3.0.4"
            },
            {
              "status": "affected",
              "version": "20.6.4.0.19"
            },
            {
              "status": "affected",
              "version": "20.6.5.1.6"
            },
            {
              "status": "affected",
              "version": "20.9.3.0.8"
            },
            {
              "status": "affected",
              "version": "20.6.3.3"
            },
            {
              "status": "affected",
              "version": "20.3.7.2"
            },
            {
              "status": "affected",
              "version": "20.6.5.4"
            },
            {
              "status": "affected",
              "version": "20.6.5.1.7"
            },
            {
              "status": "affected",
              "version": "20.9.3.0.12"
            },
            {
              "status": "affected",
              "version": "20.6.4.2"
            },
            {
              "status": "affected",
              "version": "20.6.5.5"
            },
            {
              "status": "affected",
              "version": "20.9.3.2"
            },
            {
              "status": "affected",
              "version": "20.11.1.2"
            },
            {
              "status": "affected",
              "version": "20.6.3.4"
            },
            {
              "status": "affected",
              "version": "20.10.1.2"
            },
            {
              "status": "affected",
              "version": "20.6.5.1.9"
            },
            {
              "status": "affected",
              "version": "20.9.3.0.16"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.45"
            },
            {
              "status": "affected",
              "version": "20.6.5.1.10"
            },
            {
              "status": "affected",
              "version": "20.9.3.0.17"
            },
            {
              "status": "affected",
              "version": "20.6.5.2.4"
            },
            {
              "status": "affected",
              "version": "20.6.4.0.21"
            },
            {
              "status": "affected",
              "version": "20.9.3.0.18"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.46"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.47"
            },
            {
              "status": "affected",
              "version": "20.9.2.3"
            },
            {
              "status": "affected",
              "version": "20.9.3.2_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.9.3.0.21"
            },
            {
              "status": "affected",
              "version": "20.9.3.0.20"
            },
            {
              "status": "affected",
              "version": "20.9.4_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.9.4"
            },
            {
              "status": "affected",
              "version": "20.6.5.1.11"
            },
            {
              "status": "affected",
              "version": "20.12.1"
            },
            {
              "status": "affected",
              "version": "20.12.1_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.6.5.1.13"
            },
            {
              "status": "affected",
              "version": "20.9.3.0.23"
            },
            {
              "status": "affected",
              "version": "20.6.5.2.8"
            },
            {
              "status": "affected",
              "version": "20.9.4.1"
            },
            {
              "status": "affected",
              "version": "20.9.4.1_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.9.3.0.25"
            },
            {
              "status": "affected",
              "version": "20.9.3.0.24"
            },
            {
              "status": "affected",
              "version": "20.6.5.1.14"
            },
            {
              "status": "affected",
              "version": "20.3.8"
            },
            {
              "status": "affected",
              "version": "20.6.6"
            },
            {
              "status": "affected",
              "version": "20.9.3.0.26"
            },
            {
              "status": "affected",
              "version": "20.6.3.0.51"
            },
            {
              "status": "affected",
              "version": "20.9.3.0.29"
            },
            {
              "status": "affected",
              "version": "20.12.2"
            },
            {
              "status": "affected",
              "version": "20.12.2_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.6.6.0.1"
            },
            {
              "status": "affected",
              "version": "20.13.1_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.9.4.0.4"
            },
            {
              "status": "affected",
              "version": "20.13.1"
            },
            {
              "status": "affected",
              "version": "20.9.4.1.1"
            },
            {
              "status": "affected",
              "version": "20.9.5"
            },
            {
              "status": "affected",
              "version": "20.9.5_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.12.3_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.12.3"
            },
            {
              "status": "affected",
              "version": "20.9.4.1.3"
            },
            {
              "status": "affected",
              "version": "20.6.7"
            },
            {
              "status": "affected",
              "version": "20.9.5.1"
            },
            {
              "status": "affected",
              "version": "20.9.5.1_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.9.4.1.6"
            },
            {
              "status": "affected",
              "version": "20.14.1"
            },
            {
              "status": "affected",
              "version": "20.14.1_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.9.5.2"
            },
            {
              "status": "affected",
              "version": "20.9.5.2.1"
            },
            {
              "status": "affected",
              "version": "20.9.5.2_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.12.3.1"
            },
            {
              "status": "affected",
              "version": "20.12.4"
            },
            {
              "status": "affected",
              "version": "20.15.1_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.15.1"
            },
            {
              "status": "affected",
              "version": "20.9.5.1.4"
            },
            {
              "status": "affected",
              "version": "20.9.5.2.7"
            },
            {
              "status": "affected",
              "version": "20.9.5.2.13"
            },
            {
              "status": "affected",
              "version": "20.9.6"
            },
            {
              "status": "affected",
              "version": "20.9.6_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.9.5.2.14"
            },
            {
              "status": "affected",
              "version": "20.6.8"
            },
            {
              "status": "affected",
              "version": "20.12.4.0.03"
            },
            {
              "status": "affected",
              "version": "20.16.1"
            },
            {
              "status": "affected",
              "version": "20.16.1_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.12.4_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.9.5.2.16"
            },
            {
              "status": "affected",
              "version": "20.12.4.0.4"
            },
            {
              "status": "affected",
              "version": "20.12.401"
            },
            {
              "status": "affected",
              "version": "20.9.5.3"
            },
            {
              "status": "affected",
              "version": "20.9.5.3_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.12.4.1_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.12.4.1"
            },
            {
              "status": "affected",
              "version": "20.9.5.2.21"
            },
            {
              "status": "affected",
              "version": "20.9.6.0.3"
            },
            {
              "status": "affected",
              "version": "20.12.4.0.6"
            },
            {
              "status": "affected",
              "version": "20.15.2_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.15.2"
            },
            {
              "status": "affected",
              "version": "20.12.4_Monthly_ES5"
            },
            {
              "status": "affected",
              "version": "20.12.5"
            },
            {
              "status": "affected",
              "version": "20.12.5_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.9.7_LI _Images"
            },
            {
              "status": "affected",
              "version": "20.9.7"
            },
            {
              "status": "affected",
              "version": "20.15.3"
            },
            {
              "status": "affected",
              "version": "20.15.3_ LI _Images"
            },
            {
              "status": "affected",
              "version": "20.12.501"
            },
            {
              "status": "affected",
              "version": "20.12.5.1_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.12.5.1"
            },
            {
              "status": "affected",
              "version": "20.12.5.2_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.12.5.2"
            },
            {
              "status": "affected",
              "version": "20.15.3.1"
            },
            {
              "status": "affected",
              "version": "20.15.4_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.15.4"
            },
            {
              "status": "affected",
              "version": "20.9.7.1_LI _Images"
            },
            {
              "status": "affected",
              "version": "20.9.7.1"
            },
            {
              "status": "affected",
              "version": "20.18.1"
            },
            {
              "status": "affected",
              "version": "20.18.1_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.12.6_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.12.6"
            },
            {
              "status": "affected",
              "version": "20.12.5.1.01"
            },
            {
              "status": "affected",
              "version": "20.9.8"
            },
            {
              "status": "affected",
              "version": "20.9.8_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.18.2"
            },
            {
              "status": "affected",
              "version": "20.15.4.1_LI_Images"
            },
            {
              "status": "affected",
              "version": "20.15.4.1"
            },
            {
              "status": "affected",
              "version": "20.18.2_LI_Images"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.\r\n\r\nThis vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root\u0026nbsp;user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.\u0026nbsp;"
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco PSIRT is aware of limited exploitation of this vulnerability. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "cvssV3_1"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "Improper Authentication",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T16:18:10.274Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "cisco-sa-sdwan-rpa-EHchtZk",
          "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk"
        }
      ],
      "source": {
        "advisory": "cisco-sa-sdwan-rpa-EHchtZk",
        "defects": [
          "CSCws52722"
        ],
        "discovery": "INTERNAL"
      },
      "title": "Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2026-20127",
    "datePublished": "2026-02-25T16:14:20.137Z",
    "dateReserved": "2025-10-08T11:59:15.379Z",
    "dateUpdated": "2026-02-26T14:44:06.050Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2026-20127",
      "cwes": "[\"CWE-287\"]",
      "dateAdded": "2026-02-25",
      "dueDate": "2026-02-27",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems ; https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk ; https://nvd.nist.gov/vuln/detail/CVE-2026-20127",
      "product": "Catalyst SD-WAN Controller and Manager",
      "requiredAction": "Please adhere to CISA\u2019s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlines in CISA\u2019s Emergency Directive 26-03 (URL listed below in Notes) and CISA\u2019s \u201cHunt \u0026 Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.",
      "shortDescription": "Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.",
      "vendorProject": "Cisco",
      "vulnerabilityName": "Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability"
    }
  }
}

CERTFR-2026-ALE-002

Vulnerability from certfr_alerte

Une vulnérabilité a été découverte dans Cisco Catalyst SD-WAN. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

Cisco indique que la vulnérabilité CVE-2026-20127 est activement exploitée.

Recherche de compromission

[Mise à jour du 26 février 2026]

Le CERT-FR recommande d'effectuer une recherche de compromission en s'appuyant sur les éléments documentés par Cisco dans son avis de sécurité et un billet de blogue [1] :

Vérification de la légitimité des événements d'appairage des connexions de contrôle (control connection peering events) :
Un exemple de journal est donné ci-dessous. Les valeurs associées à peer-system-ip et public-ip doivent correspondre à des valeurs attendues par rapport à l'architecture du système d'information et de la configuration SD-WAN. De plus le peer-type doit être cohérent avec l'équipement lié à l'adresse peer-system-ip. L'horodatage de l'événement doit être associé à des périodes de maintenance ou d'administration.

Jul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005

En complément, le CERT-FR conseille de corréler les informations présentes dans ces événements pour identifier des schémas de reconnaissance ou des tentatives d’accès persistantes. Par exemple en regroupant les activités par peer-type et peer-system-ip. Ces journaux peuvent être présents dans /var/log/tmplog/vdebug, /var/log/vsyslog, /var/log/jsyslog ou /var/log/messages.
Vérification de l'ajout d'une clé d'authentification SSH pour vmanage-admin :
Le compte vmanage-admin est un compte légitime utilisé par le système. Les attaquants sont susceptibles d'avoir ajouté une clé SSH pour ce compte et de l'utiliser pour se connecter à l'équipement.
Il est nécessaire de valider que les événements d'authentification liée à l'utilisation d'une clé publique pour le compte vmanage-admin peuvent être reliés à une adresse IP connue et légitime. Ces événements sont notamment listés dans /var/log/auth.log. Un exemple de journal de ce type de connexion est présenté ci-dessous.

    2026-02-10T22:51:36+00:00 vm  sshd[804]: Accepted publickey for vmanage-admin from port [REDACTED PORT] ssh2: RSA SHA256:[REDACTED KEY]

La présence de clés inconnues dans /home/vmanage-admin/.ssh/authorized_keys/ est également un indicateur de compromission.
Détection de rétrogradation de la version du système :
Les attaquants sont susceptibles d'avoir rétrogradé la version du système dans l'optique d'exploiter des vulnérabilités applicables à des versions antérieures, telle que la vulnérabilité CVE‑2022‑20775. La version système est par la suite restaurée.
Les journaux suivants sont des indicateurs de rétrogradation :

Waiting for upgrade confirmation from user. Device will revert to previous software version  in '100' seconds unless confirmed.

Software upgrade not confirmed. Reverting to previous software version

La présence d'utilisateurs avec des noms anormaux et associés à des attaques de type traversée de chemin (path traversal) peut indiquer la tentative d'exploitation de la vulnérabilité CVE-2022-20775. /../../ et /\n&../\n&../ sont des exemples de ce type d'attaque.
Détection de journaux tronqués, effacés ou absents :
Les attaquants sont susceptibles d'avoir modifié les journaux pour rendre plus complexe la détection de leurs actions. La présence de journaux de taille anormalement faible (0, 1 ou 2 octets) est un indicateur de compromission.
La modification et la suppression d'entrées dans les journaux suivants doivent aussi être vérifiées :
- syslog
- wtmp
- lastlog
- cli-history
- bash_history
- journaux présents dans /var/log/
Vérification des activités anormales de certains utilisateurs. Les éléments suivants doivent être étudiés :
Création, utilisation et suppression de comptes utilisateurs malveillants, y compris l’absence de bash_history et de cli‑history ;
Présence d’un fichier cli‑history pour un utilisateur sans le bash history correspondant ;
Sessions root interactives sur des systèmes de production, avec des clés SSH non répertoriées, des known hosts et un historique bash. Par exemple :
Clés SSH dans : /home/root/.ssh/authorized_keys avec PermitRootLogin réglé sur yes dans/etc/ssh/sshd_config
Known hosts dans : /home/root/.ssh/known_hosts

Notification: system-login-change severity-level:minor host-name:"" system-ip: user-name:""root""

Cisco recommande également de consulter le guide de recherche de compromission rédigé par l'Australian Cyber Security Centre [2] ainsi que le guide de durcissement de Catalyst SD-WAN [3].

En cas de suspicion de compromission consulter les fiches réflexes de compromission d'un équipement de bordure réseau [4][5] et signaler l’événement auprès du CERT-FR.

Solutions

[Publication Initiale]

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Cisco indique que la publication de la version corrective 20.9.8.2 pour Catalyst SD-WAN est prévue le 27 février 2026. Les versions 20.11.x, 20.13.x, 20.14.x et 20.16.x sont affectées par la vulnérabilité mais ne bénéficieront pas de correctifs de sécurité car elles ont atteint la fin de période de maintenance. Le CERT-FR recommande de migrer vers une version maintenue et avec les derniers correctifs de sécurité.

L'éditeur précise aussi que la solution Cisco SD-WAN a été renommée Cisco Catalyst SD-WAN. L'avis éditeur indique également d'autres changements de noms pour les composants de cette solution.

Impacted products

Vendor	Product	Description
Cisco	Catalyst SD-WAN	Catalyst SD-WAN versions 20.12.6.x antérieures à 20.12.6.1
Cisco	Catalyst SD-WAN	Catalyst SD-WAN versions antérieures à 20.9.8.2
Cisco	Catalyst SD-WAN	Catalyst SD-WAN versions 20.15.x antérieures à 20.15.4.2
Cisco	Catalyst SD-WAN	Catalyst SD-WAN versions 20.12.5.x antérieures à 20.12.5.3
Cisco	Catalyst SD-WAN	Catalyst SD-WAN versions 20.18.x antérieures à 20.18.2.1

References

Title

Publication Time

Tags

Bulletin de sécurité Cisco	2026-02-25	vendor-advisory
[3] Guide de durcissement de Catalyst SD-WAN	-	other
[2] Cisco SD-WAN Threat hunt guide, version 2.4 du 25 février 2026	-	other
[1] Billet de blogue de Cisco Talos du 25 février 2026 relatif à l'exploitation de vulnérabilités dans Catalyst SD-WAN	-	other
[4] Compromission d'un équipement de bordure réseau - Qualification	-	other
Avis CERTFR-2026-AVI-0210	-	other
[5] Compromission d'un équipement de bordure réseau - Endiguement	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Catalyst SD-WAN versions 20.12.6.x ant\u00e9rieures \u00e0 20.12.6.1",
      "product": {
        "name": "Catalyst SD-WAN",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Catalyst SD-WAN versions ant\u00e9rieures \u00e0 20.9.8.2",
      "product": {
        "name": "Catalyst SD-WAN",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Catalyst SD-WAN versions 20.15.x ant\u00e9rieures \u00e0 20.15.4.2",
      "product": {
        "name": "Catalyst SD-WAN",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Catalyst SD-WAN versions 20.12.5.x ant\u00e9rieures \u00e0 20.12.5.3",
      "product": {
        "name": "Catalyst SD-WAN",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Catalyst SD-WAN versions 20.18.x ant\u00e9rieures \u00e0 20.18.2.1",
      "product": {
        "name": "Catalyst SD-WAN",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "Cisco indique que la publication de la version corrective 20.9.8.2 pour Catalyst SD-WAN est pr\u00e9vue le 27 f\u00e9vrier 2026. Les versions 20.11.x, 20.13.x, 20.14.x et 20.16.x sont affect\u00e9es par la vuln\u00e9rabilit\u00e9 mais ne b\u00e9n\u00e9ficieront pas de correctifs de s\u00e9curit\u00e9 car elles ont atteint la fin de p\u00e9riode de maintenance. Le CERT-FR recommande de migrer vers une version maintenue et avec les derniers correctifs de s\u00e9curit\u00e9.\n\nL\u0027\u00e9diteur pr\u00e9cise aussi que la solution Cisco SD-WAN a \u00e9t\u00e9 renomm\u00e9e Cisco Catalyst SD-WAN. L\u0027avis \u00e9diteur indique \u00e9galement d\u0027autres changements de noms pour les composants de cette solution. ",
  "closed_at": "2026-03-26",
  "content": "## Recherche de compromission\n\n\u003cspan class=\"important-content\"\u003e**[Mise \u00e0 jour du 26 f\u00e9vrier 2026]**\u003c/span\u003e\n\nLe CERT-FR recommande d\u0027effectuer une recherche de compromission en s\u0027appuyant sur les \u00e9l\u00e9ments document\u00e9s par Cisco dans son avis de s\u00e9curit\u00e9 et un billet de blogue [1]  : \n\n1. V\u00e9rification de la l\u00e9gitimit\u00e9 des \u00e9v\u00e9nements d\u0027appairage des connexions de contr\u00f4le (*control connection peering events*) :\n   \n* Un exemple de journal est donn\u00e9 ci-dessous. Les valeurs associ\u00e9es \u00e0 `peer-system-ip` et `public-ip` doivent correspondre \u00e0 des valeurs attendues par rapport \u00e0 l\u0027architecture du syst\u00e8me d\u0027information et de la configuration SD-WAN. De plus le `peer-type` doit \u00eatre coh\u00e9rent avec l\u0027\u00e9quipement li\u00e9 \u00e0 l\u0027adresse `peer-system-ip`. L\u0027horodatage de l\u0027\u00e9v\u00e9nement doit \u00eatre associ\u00e9 \u00e0 des p\u00e9riodes de maintenance ou d\u0027administration. \n\u003cpre\u003e\nJul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005\n\u003c/pre\u003e\n* En compl\u00e9ment, le CERT-FR conseille de corr\u00e9ler les informations pr\u00e9sentes dans ces \u00e9v\u00e9nements pour identifier des sch\u00e9mas de reconnaissance ou des tentatives d\u2019acc\u00e8s persistantes. Par exemple en regroupant les activit\u00e9s par `peer-type` et `peer-system-ip`. Ces journaux peuvent \u00eatre pr\u00e9sents dans `/var/log/tmplog/vdebug`, `/var/log/vsyslog`, `/var/log/jsyslog` ou `/var/log/messages`.\n\n2. V\u00e9rification de l\u0027ajout d\u0027une cl\u00e9 d\u0027authentification SSH pour `vmanage-admin` :\n\n* Le compte `vmanage-admin` est un compte l\u00e9gitime utilis\u00e9 par le syst\u00e8me. Les attaquants sont susceptibles d\u0027avoir ajout\u00e9 une cl\u00e9 SSH pour ce compte et de l\u0027utiliser pour se connecter \u00e0 l\u0027\u00e9quipement. \n* Il est n\u00e9cessaire de valider que les \u00e9v\u00e9nements d\u0027authentification li\u00e9e \u00e0 l\u0027utilisation d\u0027une cl\u00e9 publique pour le compte `vmanage-admin` peuvent \u00eatre reli\u00e9s \u00e0 une adresse IP connue et l\u00e9gitime. Ces \u00e9v\u00e9nements sont notamment list\u00e9s dans `/var/log/auth.log`. Un exemple de journal de ce type de connexion est pr\u00e9sent\u00e9 ci-dessous.\n\u003cpre\u003e\n    2026-02-10T22:51:36+00:00 vm  sshd[804]: Accepted publickey for vmanage-admin from port [REDACTED PORT] ssh2: RSA SHA256:[REDACTED KEY]\n\u003c/pre\u003e\n* La pr\u00e9sence de cl\u00e9s inconnues dans `/home/vmanage-admin/.ssh/authorized_keys/` est \u00e9galement un indicateur de compromission.\n\n3. D\u00e9tection de r\u00e9trogradation de la version du syst\u00e8me :\n\n* Les attaquants sont susceptibles d\u0027avoir r\u00e9trograd\u00e9 la version du syst\u00e8me dans l\u0027optique d\u0027exploiter des vuln\u00e9rabilit\u00e9s applicables \u00e0 des versions ant\u00e9rieures, telle que la vuln\u00e9rabilit\u00e9 CVE\u20112022\u201120775. La version syst\u00e8me est par la suite restaur\u00e9e.\n* Les journaux suivants sont des indicateurs de r\u00e9trogradation :\n\u003cpre\u003e\nWaiting for upgrade confirmation from user. Device will revert to previous software version \u003cversion\u003e in \u0027100\u0027 seconds unless confirmed.\n\u003c/pre\u003e\n\u003cpre\u003e\nSoftware upgrade not confirmed. Reverting to previous software version\n\u003c/pre\u003e\n* La pr\u00e9sence d\u0027utilisateurs avec des noms anormaux et associ\u00e9s \u00e0 des attaques de type travers\u00e9e de chemin (*path traversal*) peut indiquer la tentative d\u0027exploitation de la vuln\u00e9rabilit\u00e9 CVE-2022-20775.  `/../../` et `/\\n\u0026../\\n\u0026../` sont des exemples de ce type d\u0027attaque. \n4. D\u00e9tection de journaux tronqu\u00e9s, effac\u00e9s ou absents :\n\n* Les attaquants sont susceptibles d\u0027avoir modifi\u00e9 les journaux pour rendre plus complexe la d\u00e9tection de leurs actions. La pr\u00e9sence de journaux de taille anormalement faible (0, 1 ou 2 octets) est un indicateur de compromission.\n* La modification et la suppression d\u0027entr\u00e9es dans les journaux suivants doivent aussi \u00eatre v\u00e9rifi\u00e9es : \n     * `syslog`\n     * `wtmp`\n     * `lastlog`\n     * `cli-history`\n     * `bash_history`\n     * journaux pr\u00e9sents dans `/var/log/`\n5. V\u00e9rification des activit\u00e9s anormales de certains utilisateurs. Les \u00e9l\u00e9ments suivants doivent \u00eatre \u00e9tudi\u00e9s :\n\n* Cr\u00e9ation, utilisation et suppression de comptes utilisateurs malveillants, y compris l\u2019absence de `bash_history` et de `cli\u2011history` ; \n* Pr\u00e9sence d\u2019un fichier `cli\u2011history` pour un utilisateur sans le bash history correspondant ; \n* Sessions root interactives sur des syst\u00e8mes de production, avec des cl\u00e9s SSH non r\u00e9pertori\u00e9es, des known hosts et un historique bash. Par exemple\u202f:\n   * Cl\u00e9s SSH dans\u202f:   `/home/root/.ssh/authorized_keys` avec `PermitRootLogin` r\u00e9gl\u00e9 sur `yes` dans`/etc/ssh/sshd_config`\n   * Known hosts dans\u202f: `/home/root/.ssh/known_hosts`\n\u003cpre\u003e\nNotification: system-login-change severity-level:minor host-name:\"\u003cnode_name\u003e\" system-ip:\u003cIP\u003e user-name:\"\"root\"\"\n\u003c/pre\u003e\n\nCisco recommande \u00e9galement de consulter le guide de recherche de compromission r\u00e9dig\u00e9 par l\u0027Australian Cyber Security Centre [2] ainsi que le guide de durcissement de Catalyst SD-WAN [3].\n\nEn cas de suspicion de compromission consulter les fiches r\u00e9flexes de compromission d\u0027un \u00e9quipement de bordure r\u00e9seau [4][5] et signaler l\u2019\u00e9v\u00e9nement aupr\u00e8s du CERT-FR.\n\n## Solutions\n\n**[Publication Initiale]**\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2026-20127",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-20127"
    },
    {
      "name": "CVE-2022-20775",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-20775"
    }
  ],
  "initial_release_date": "2026-02-25T00:00:00",
  "last_revision_date": "2026-03-26T00:00:00",
  "links": [
    {
      "title": "[3] Guide de durcissement de Catalyst SD-WAN",
      "url": "https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide"
    },
    {
      "title": "[2] Cisco SD-WAN Threat hunt guide, version 2.4 du 25 f\u00e9vrier 2026",
      "url": "https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf"
    },
    {
      "title": "[1] Billet de blogue de Cisco Talos du 25 f\u00e9vrier 2026 relatif \u00e0 l\u0027exploitation de vuln\u00e9rabilit\u00e9s dans Catalyst SD-WAN",
      "url": "https://blog.talosintelligence.com/uat-8616-sd-wan/"
    },
    {
      "title": "[4] Compromission d\u0027un \u00e9quipement de bordure r\u00e9seau - Qualification",
      "url": "https://www.cert.ssi.gouv.fr/fiche/CERTFR-2025-RFX-001/"
    },
    {
      "title": "Avis CERTFR-2026-AVI-0210",
      "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0210/"
    },
    {
      "title": "[5] Compromission d\u0027un \u00e9quipement de bordure r\u00e9seau - Endiguement",
      "url": "https://www.cert.ssi.gouv.fr/fiche/CERTFR-2025-RFX-002/ "
    }
  ],
  "reference": "CERTFR-2026-ALE-002",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-02-25T00:00:00.000000"
    },
    {
      "description": "Ajout de compl\u00e9ments li\u00e9s \u00e0 la recherche de compromission",
      "revision_date": "2026-02-26T00:00:00.000000"
    },
    {
      "description": " Cl\u00f4ture de l\u0027alerte. Cela ne signifie pas la fin d\u0027une menace. Seule l\u0027application de la mise \u00e0 jour permet de vous pr\u00e9munir contre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 correspondante.",
      "revision_date": "2026-03-26T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Cisco Catalyst SD-WAN. Elle permet \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.\n\nCisco indique que la vuln\u00e9rabilit\u00e9 CVE-2026-20127 est activement exploit\u00e9e.",
  "title": "[M\u00e0J] Vuln\u00e9rabilit\u00e9 dans Cisco Catalyst SD-WAN",
  "vendor_advisories": [
    {
      "published_at": "2026-02-25",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk"
    }
  ]
}

CERTFR-2026-AVI-0210

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans Cisco Catalyst SD-WAN. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et une atteinte à la confidentialité des données.

Cisco indique que la vulnérabilité CVE-2026-20127 est activement exploitée.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Cisco indique que la publication de la version corrective 20.9.8.2 pour Catalyst SD-WAN et Catalyst SD-WAN Manager est prévue le 27 février 2026. Les versions 20.11.x, 20.13.x, 20.14.x et 20.16.x sont affectées par les vulnérabilités mais ne bénéficieront pas de correctifs de sécurité car elles ont atteint la fin de période de maintenance. Le CERT-FR recommande de migrer vers une version maintenue et avec les derniers correctifs de sécurité.

L'éditeur précise aussi que la solution Cisco SD-WAN a été renommée Cisco Catalyst SD-WAN. Les avis éditeurs indiquent également d'autres changements de noms pour les composants de cette solution.

Impacted products

Vendor	Product	Description
Cisco	Catalyst SD-WAN	Catalyst SD-WAN et Catalyst SD-WAN Manager versions antérieures à 20.9.8.2
Cisco	Catalyst SD-WAN	Catalyst SD-WAN et Catalyst SD-WAN Manager versions 20.12.6.x antérieures à 20.12.6.1
Cisco	Catalyst SD-WAN	Catalyst SD-WAN et Catalyst SD-WAN Manager versions 20.15.x antérieures à 20.15.4.2
Cisco	Catalyst SD-WAN	Catalyst SD-WAN et Catalyst SD-WAN Manager versions 20.18.x antérieures à 20.18.2.1
Cisco	Catalyst SD-WAN	Catalyst SD-WAN et Catalyst SD-WAN Manager versions 20.12.5.x antérieures à 20.12.5.3

References

Title

Publication Time

Tags

Bulletin de sécurité Cisco cisco-sa-sdwan-authbp-qwCX8D4v	2026-02-25	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-sdwan-rpa-EHchtZk	2026-02-25	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Catalyst SD-WAN et Catalyst SD-WAN Manager versions ant\u00e9rieures \u00e0 20.9.8.2",
      "product": {
        "name": "Catalyst SD-WAN",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Catalyst SD-WAN et Catalyst SD-WAN Manager versions 20.12.6.x ant\u00e9rieures \u00e0 20.12.6.1",
      "product": {
        "name": "Catalyst SD-WAN",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Catalyst SD-WAN et Catalyst SD-WAN Manager versions 20.15.x ant\u00e9rieures \u00e0 20.15.4.2",
      "product": {
        "name": "Catalyst SD-WAN",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Catalyst SD-WAN et Catalyst SD-WAN Manager versions 20.18.x ant\u00e9rieures \u00e0 20.18.2.1",
      "product": {
        "name": "Catalyst SD-WAN",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Catalyst SD-WAN et Catalyst SD-WAN Manager versions 20.12.5.x ant\u00e9rieures \u00e0 20.12.5.3",
      "product": {
        "name": "Catalyst SD-WAN",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "Cisco indique que la publication de la version corrective 20.9.8.2 pour Catalyst SD-WAN et Catalyst SD-WAN Manager est pr\u00e9vue le 27 f\u00e9vrier 2026. Les versions 20.11.x, 20.13.x, 20.14.x et 20.16.x sont affect\u00e9es par les vuln\u00e9rabilit\u00e9s mais ne b\u00e9n\u00e9ficieront pas de correctifs de s\u00e9curit\u00e9 car elles ont atteint la fin de p\u00e9riode de maintenance. Le CERT-FR recommande de migrer vers une version maintenue et avec les derniers correctifs de s\u00e9curit\u00e9.\n\nL\u0027\u00e9diteur pr\u00e9cise aussi que la solution Cisco SD-WAN a \u00e9t\u00e9 renomm\u00e9e Cisco Catalyst SD-WAN. Les avis \u00e9diteurs indiquent \u00e9galement d\u0027autres changements de noms pour les composants de cette solution. ",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2026-20126",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-20126"
    },
    {
      "name": "CVE-2026-20128",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-20128"
    },
    {
      "name": "CVE-2026-20122",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-20122"
    },
    {
      "name": "CVE-2026-20129",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-20129"
    },
    {
      "name": "CVE-2026-20127",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-20127"
    },
    {
      "name": "CVE-2026-20133",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-20133"
    }
  ],
  "initial_release_date": "2026-02-25T00:00:00",
  "last_revision_date": "2026-02-25T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0210",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-02-25T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Cisco Catalyst SD-WAN. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n\nCisco indique que la vuln\u00e9rabilit\u00e9 CVE-2026-20127 est activement exploit\u00e9e.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Cisco Catalyst SD-WAN",
  "vendor_advisories": [
    {
      "published_at": "2026-02-25",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-sdwan-authbp-qwCX8D4v",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v"
    },
    {
      "published_at": "2026-02-25",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-sdwan-rpa-EHchtZk",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2026-20127 (GCVE-0-2026-20127)

Vulnerability from cvelistv5

CISA Known Exploited Vulnerability

Data from the CISA Known Exploited Vulnerabilities Catalog

CERTFR-2026-ALE-002

Vulnerability from certfr_alerte

Recherche de compromission

Solutions

CERTFR-2026-AVI-0210

Vulnerability from certfr_avis

Solutions

Tags

Sightings

Nomenclature