CVE-2026-20127: Cisco SD-WAN Zero-Day Exploited Since 2023
ID: c805ea97-d5de-5e5c-a9c1-a8f05eaa3dd3
STIX ID: report--c805ea97-d5de-5e5c-a9c1-a8f05eaa3dd3
Feed Name: SOC Prime Blog
CVE-2026-20127 is a critical authentication bypass in Cisco Catalyst SD-WAN Controller and Manager that is being actively exploited (tracked by Cisco Talos as UAT-8616). Exploitation can grant administrative control of the SD-WAN control plane, allowing attackers to add rogue peers, manipulate NETCONF, escalate to root, and persist via version downgrade/restore chains. The exploitation has triggered a CISA Emergency Directive. Cisco recommends upgrading to fixed releases, restricting exposure, auditing logs, and engaging TAC if compromise is suspected.
