
Critical RCE Vulnerability in Cisco Catalyst SD-WAN Controller

A critical remote code execution vulnerability exists in Cisco Catalyst SD-WAN Controllers (CVE-2026-20127) due to improper authentication, allowing unauthenticated remote attackers to bypass authentication and gain administrative privileges, potentially leading to network configuration manipulation.

A critical vulnerability, CVE-2026-20127, affects Cisco Catalyst SD-WAN Controllers. The vulnerability stems from an improper authentication mechanism, which can be exploited by unauthenticated remote attackers. Successful exploitation allows bypassing authentication and gaining administrative privileges. This access could allow the attacker to log in as a high-privileged, non-root user, gaining access to NETCONF, and enabling the manipulation of the SD-WAN fabric’s network configuration. The…

Detection coverage (2 rules)

Detect NETCONF Access from Non-Standard Locations

Severity: medium

Detects NETCONF access attempts originating from unusual or unexpected source IP addresses, potentially indicating unauthorized access following exploitation of CVE-2026-20127.

Rule type: sigma | Tactics: initial_access, privilege_escalation | Techniques: T1550.002 | Sources: network_connection, linux
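The rule above keys on one observable: a NETCONF connection whose source address is not one of the management hosts expected to use it. The following is an added illustration of that logic, not the platform's Sigma rule or any Cisco tooling. It runs over constructed connection-log lines in a generic key=value layout (the format, the allowlisted management subnet 10.20.30.0/24 and the sample addresses are all assumptions for the example); NETCONF over SSH listens on TCP 830 by IANA assignment, which is the port the check uses.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample connection-log lines (generic key=value layout, not a vendor format).
# Two NETCONF (tcp/830) sessions come from a management subnet, two from outside it,
# and one line is a plain HTTPS connection that the rule must ignore.
SAMPLE_LOG = """\
2026-02-01T10:00:01Z src=10.20.30.5 dst=10.0.0.10 dport=830 proto=tcp action=accept
2026-02-01T10:00:07Z src=198.51.100.23 dst=10.0.0.10 dport=830 proto=tcp action=accept
2026-02-01T10:00:09Z src=10.20.30.6 dst=10.0.0.10 dport=443 proto=tcp action=accept
this line is malformed and should be skipped
2026-02-01T10:01:14Z src=203.0.113.77 dst=10.0.0.10 dport=830 proto=tcp action=accept
2026-02-01T10:01:20Z src=10.20.30.9 dst=10.0.0.10 dport=830 proto=tcp action=accept
"""

# Assumed allowlist: the management subnet from which NETCONF sessions are expected.
ALLOWED_NETCONF_SOURCES = [ipaddress.ip_network("10.20.30.0/24")]

# IANA-assigned port for NETCONF over SSH.
NETCONF_PORT = 830

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)

Finding = namedtuple("Finding", "timestamp src dst")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def is_allowed_source(src, allowed):
    """True when the source address falls inside any allowlisted network."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        # An unparsable address is never treated as trusted.
        return False
    return any(ip in net for net in allowed)


def find_unusual_netconf_access(log_text, allowed=ALLOWED_NETCONF_SOURCES):
    """Return accepted NETCONF connections whose source is outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # malformed line: skip rather than crash the detection
        if event["dport"] != NETCONF_PORT or event["action"] != "accept":
            continue  # only successful NETCONF connections matter here
        if not is_allowed_source(event["src"], allowed):
            findings.append(Finding(event["ts"], event["src"], event["dst"]))
    return findings


if __name__ == "__main__":
    for f in find_unusual_netconf_access(SAMPLE_LOG):
        print(f"{f.timestamp} NETCONF from non-allowlisted source {f.src} -> {f.dst}")
```

Running it against the sample log reports the two sessions from 198.51.100.23 and 203.0.113.77 and stays silent on the management-subnet sessions and the HTTPS connection. In production the allowlist should be populated from the actual jump hosts and automation systems that are entitled to manage the controllers; the rule is only as good as that list, which is why it is rated medium rather than high.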

Detect auth.log anomalies

Severity: high

Detects suspicious patterns in auth.log that could indicate successful or attempted exploitation of CVE-2026-20127.

Rule type: sigma | Tactics: initial_access, privilege_escalation | Sources: process_creation, linux

Detection queries are kept inside the platform.

Indicators of compromise (4)

url