CISCO-SA-SDWAN-RPA-EHCHTZK

Vulnerability from csaf_cisco - Published: 2026-02-25 16:00 - Updated: 2026-02-25 16:00
Summary
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

Notes

Summary
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Vulnerable Products
This vulnerability affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, regardless of device configuration.

This vulnerability affects the following deployment types:

- On-Prem Deployment
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud - Cisco Managed
- Cisco Hosted SD-WAN Cloud - FedRAMP Environment

For information about which Cisco software releases are vulnerable, see the Fixed Software ["#fs"] section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by these vulnerabilities.
Details
Important: To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes apply:

- Cisco SD-WAN Controllers are now Cisco Catalyst SD-WAN Control Components
- Cisco SD-WAN vAnalytics is now Cisco Catalyst SD-WAN Analytics
- Cisco SD-WAN vBond is now Cisco Catalyst SD-WAN Validator
- Cisco SD-WAN vManage is now Cisco Catalyst SD-WAN Manager
- Cisco SD-WAN vSmart is now Cisco Catalyst SD-WAN Controller

For a comprehensive list of all the component brand name changes, see the latest Release Notes. During the transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.
Indicators of Compromise
Cisco Catalyst SD-WAN Controller systems that are exposed to the internet and that have ports exposed to the internet are at risk of exposure to compromise.

Customers are encouraged to audit the auth.log file, located at /var/log/auth.log, for entries that are related to "Accepted publickey for vmanage-admin" from unknown or unauthorized IP addresses, as shown in the following example:

2026-02-10T22:51:36+00:00 vm <auth.info> sshd[804]: Accepted publickey for vmanage-admin from <SYSTEM IP ADDRESS> port [REDACTED PORT] ssh2: RSA SHA256:[REDACTED KEY]

Customers must check the IP address in the auth.log log file against the configured System IPs that are listed in the Cisco Catalyst SD-WAN Manager web UI in the WebUI > Devices > System IP column.

For help determining if a Cisco Catalyst SD-WAN Controller or Cisco Catalyst SD-WAN Manager has been compromised, customers should open a case with the Cisco Technical Assistance Center (TAC). Before opening a new TAC case, customers are encouraged to issue the request admin-tech command from each of the control components in the SD-WAN deployment so that the admin-tech file can be provided to the Cisco TAC for review.

Peering Event Validation Guidance

All control connection peering events identified in Cisco Catalyst SD-WAN logs require manual validation to confirm their legitimacy, with a specific focus placed on vmanage peering types. Threat actors who compromise SD-WAN infrastructure often establish unauthorized peer connections that may appear superficially normal but occur at unexpected times, originate from unrecognized IP addresses, or involve device types inconsistent with the environment's architecture. A comprehensive review process is essential to distinguish between legitimate network operations and potential indicators of compromise.

Validation Checklist

- Verify the timestamp of each peering event against known maintenance windows, scheduled configuration changes, and normal operational hours for your environment.
- Confirm the public IP address corresponds to infrastructure owned or operated by your organization or authorized partners by cross-referencing against asset inventories and authorized IP ranges.
- Validate that the peer system IP matches documented device assignments within your SD-WAN topology.
- Review the peer type (vmanage, vsmart, vedge, vbond) to ensure it aligns with expected device roles in your deployment.
- Correlate multiple events from the same source IP or system IP to identify patterns of reconnaissance or persistent access attempts.
- Cross-reference event timing with authentication logs, change management records, and user activity to establish whether the connection was initiated by authorized personnel.

Example Log Entry

Jul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanagepeer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005

In the identified example, the peer-system-ip should be validated as matching the expected IP address schema in use, the timestamp should be validated as matching any events that might cause a peering event to occur, and the public-ip should be validated as being an expected source for a peering event.
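The two log formats above lend themselves to a scripted first pass before the manual validation the advisory calls for. The following Python is an added example and is not Cisco's code. It parses "Accepted publickey for vmanage-admin" entries and "control-connection-state-change" entries, checks them against a constructed inventory, and counts repeated vmanage-type peering from the same public IP (checklist item five). SYSTEM_IPS (peer system IP to documented role), AUTHORIZED_PUBLIC and OPERATIONAL_HOURS are placeholders that must be replaced with the System IPs from the Manager UI and your own asset and change-window records; the sample log lines are constructed, apart from the advisory's own VDAEMON example. The parser goes slightly beyond the page in that it tolerates the fused "peer-type:vmanagepeer-system-ip:" spelling in that example line.

```python
"""Triage helpers for the two IoC log formats in the advisory (added example)."""
import ipaddress
import re
from collections import Counter

# --- constructed reference data: replace with your own inventory -----------
# peer system IP -> expected peer type, as documented in the SD-WAN topology
SYSTEM_IPS = {"1.1.1.10": "vmanage", "1.1.1.20": "vsmart", "1.1.1.30": "vbond"}
# public ranges owned by the organisation or authorised partners (placeholders)
AUTHORIZED_PUBLIC = [ipaddress.ip_network(n) for n in ("192.168.3.0/24", "203.0.113.0/24")]
# hours (24h, half-open) during which peering events are normally expected
OPERATIONAL_HOURS = (6, 23)

SSH_RE = re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\S+) ssh2")

KEYS = ("peer-type", "peer-system-ip", "public-ip", "public-port", "domain-id", "site-id")
_KEY_ALT = "|".join(re.escape(k) for k in KEYS)
# A value ends at whitespace, end of line, or the next known key; the last case
# copes with the fused "peer-type:vmanagepeer-system-ip:..." in the advisory example.
KV_RE = re.compile(rf"({_KEY_ALT}):(.+?)(?=\s|$|(?:{_KEY_ALT}):)")
PEER_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hh>\d{2}):\d{2}:\d{2} (?P<host>\S+) "
    r".*control-connection-state-change (?P<rest>.*)$"
)


def parse_peering(line):
    """Return the fields of a control-connection-state-change line, or None."""
    m = PEER_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    state = re.search(r"new-state:(\S+)", m.group("rest"))
    fields["new-state"] = state.group(1) if state else None
    fields["hour"] = int(m.group("hh"))
    fields["host"] = m.group("host")
    return fields


def check_ssh(line):
    """Flag a vmanage-admin public-key login whose source is not a configured System IP."""
    m = SSH_RE.search(line)
    if not m or m.group("user") != "vmanage-admin":
        return []
    ip = m.group("ip")
    if ip not in SYSTEM_IPS:
        return [f"vmanage-admin login from {ip}, which is not a configured System IP"]
    return []


def check_peering(fields):
    """Apply the advisory's checklist (topology, peer type, public range, timing)."""
    findings = []
    sys_ip, ptype = fields.get("peer-system-ip"), fields.get("peer-type")
    expected = SYSTEM_IPS.get(sys_ip)
    if expected is None:
        findings.append(f"peer-system-ip {sys_ip} not in documented topology")
    elif expected != ptype:
        findings.append(f"peer-type {ptype} from {sys_ip}, documented as {expected}")
    pub = fields.get("public-ip")
    try:
        addr = ipaddress.ip_address(pub)
        if not any(addr in net for net in AUTHORIZED_PUBLIC):
            findings.append(f"public-ip {pub} outside authorized ranges")
    except ValueError:
        findings.append(f"unparseable public-ip {pub!r}")
    lo, hi = OPERATIONAL_HOURS
    if not lo <= fields["hour"] < hi:
        findings.append(f"event at hour {fields['hour']:02d} is outside operational hours")
    return findings


def review(lines, repeat_threshold=2):
    """Run both checks; return ([(line, findings)], {public-ip: count}) for repeated vmanage peers."""
    results, sources = [], Counter()
    for line in lines:
        findings = check_ssh(line)
        peer = parse_peering(line)
        if peer is not None:
            findings += check_peering(peer)
            if peer.get("peer-type") == "vmanage":  # the advisory's focus area
                sources[peer.get("public-ip")] += 1
        results.append((line, findings))
    return results, {ip: n for ip, n in sources.items() if n >= repeat_threshold}


# Constructed sample input; the second line is the advisory's own example entry.
SAMPLE_LOGS = [
    "2026-02-10T22:51:36+00:00 vm <auth.info> sshd[804]: Accepted publickey for vmanage-admin from 1.1.1.10 port 51234 ssh2: RSA SHA256:EXAMPLEKEY",
    "Jul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanagepeer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005",
    "2026-02-11T03:12:09+00:00 vm <auth.info> sshd[911]: Accepted publickey for vmanage-admin from 198.51.100.7 port 40022 ssh2: RSA SHA256:EXAMPLEKEY",
    "Jul 27 03:14:07 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.20 public-ip:198.51.100.7 public-port:23456 domain-id:1 site-id:1005",
    "Jul 27 03:20:41 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.99 public-ip:198.51.100.7 public-port:23457 domain-id:1 site-id:1005",
]

if __name__ == "__main__":
    per_line, repeated = review(SAMPLE_LOGS)
    for line, findings in per_line:
        for f in findings:
            print(f"REVIEW: {f}\n    {line[:80]}...")
    for ip, n in repeated.items():
        print(f"REVIEW: {n} vmanage peering events from public-ip {ip}")
```

The output is a worklist, not a verdict: every flagged line still needs the manual cross-check against change records and user activity that the advisory describes, and a clean line only means it matched the inventory you supplied.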
Workarounds
There are no workarounds that address this vulnerability. However, as a mitigation, customers may use the following guidance to temporarily mitigate the impact of this vulnerability while they are planning to upgrade to a first fixed release.

On-Prem Deployment
  Owner: Customer
  Action: Follow the guidelines in the Firewall Ports for Cisco Catalyst SD-WAN Deployments ["https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/cisco-sd-wan-overlay-network-bringup.html#c_Firewall_Ports_for_Viptela_Deployments_8690.xml"] section of the Cisco Catalyst SD-WAN Getting Started Guide. Customers who host their own Cisco Catalyst SD-WAN deployment in their own data centers must secure intra-controller connectivity. Cisco recommends adding the access control lists (ACLs), security group rules, and/or firewall rules to restrict the traffic to port 22 and port 830 to allow only known controller IPs and other known IPs.

Cisco Hosted SD-WAN Cloud
  Owner: Customer
  Action: These guardrails are in place for Cisco Hosted SD-WAN Cloud.

Cisco Hosted SD-WAN Cloud - FedRAMP Environment
  Owner: Customer
  Action: These guardrails are in place for Cisco Hosted SD-WAN Cloud - FedRAMP Environment.

Cisco Hosted SD-WAN Cloud - Cisco Managed
  Owner: Customer and Cisco
  Action: These guardrails are in place for Cisco Hosted SD-WAN Cloud - Cisco Managed.

While this mitigation has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
Fixed Software
Cisco considers any workarounds and mitigations (if applicable) to be temporary solutions until an upgrade to a fixed software release is available. To fully remediate these vulnerabilities and avoid future exposure as described in this advisory, Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory.

Fixed Releases

In the following table, the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerability that is described in this advisory and the first release that includes the fix for this vulnerability. Customers are advised to upgrade to an appropriate fixed software release ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"] as indicated in this section.

Cisco Catalyst SD-WAN Release | First Fixed Release
Earlier than 20.9 [1]         | Migrate to a fixed release.
20.9                          | 20.9.8.2 (Estimated release February 27, 2026)
20.11 [1]                     | 20.12.6.1
20.12.5                       | 20.12.5.3
20.12.6                       | 20.12.6.1
20.13 [1]                     | 20.15.4.2
20.14 [1]                     | 20.15.4.2
20.15                         | 20.15.4.2
20.16 [1]                     | 20.18.2.1
20.18                         | 20.18.2.1

[1] These releases have reached End of Software Maintenance ["https://www.cisco.com/c/en/us/products/routers/sd-wan/eos-eol-notice-listing.html"]. Cisco strongly encourages customers to upgrade to a supported release ["https://www.cisco.com/c/en/us/td/docs/routers/sdwan/release/notes/compatibility-and-server-recommendations.html"].

The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Additional Information

To check component and software release compatibility, see the SD-WAN Controller Component Compatibility Matrix ["https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/catalyst_sdwan_compatibility_matrix/index.html"].
For help planning an upgrade, see the Cisco Catalyst SD-WAN Upgrade Matrix ["https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/catalyst-sdwan-upgrade-matrix/index.html"].
Recommendations
Cisco recommends upgrading the affected systems to a fixed software release.

General Recommendations for Hardening

- Prevent access from unsecured networks, such as the internet, to the system. If internet access to the system is required, restrict system access to only known, trusted hosts on ports/protocols that are included in the user guides.
- Protect Cisco Catalyst SD-WAN Control Components behind a filtering device such as a firewall, and filter traffic to and from the systems while allowing only known, trusted hosts to send traffic to the systems. Using a two-layer firewall can provide flexibility in network planning so that end users do not connect directly to the outer DMZ. See the Deployment sections of the User Guides for Cisco Catalyst SD-WAN software ["https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#DeploymentPlanning"].
- Regularly monitor web log traffic for any unexpected traffic to and from systems. Logging should be sent to an external server, if possible, and kept for a long enough duration so that post-event investigations can be performed with sufficient log data.
- Disable HTTP for the Cisco Catalyst SD-WAN Manager web UI administrator portal.
- Disable any network services that are not required, including HTTP and FTP. For more information about specific service functionality, see the Cisco Catalyst SD-WAN user guides.
- Upgrade the system to the latest version of Cisco Catalyst SD-WAN Software.
- Change the default administrator password to a more secure variant. Restrict access to the administrator account by creating user accounts based on necessary access requirements. In addition, create operator accounts for all administrators.
- Use SSL/TLS, obtain an SSL certificate from a certificate authority (CA), or create a self-signed certificate.

For more information, review the Cisco Catalyst SD-WAN Hardening Guide ["https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide"].
Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Exploitation and Public Announcements
The Cisco PSIRT is aware of limited exploitation of this vulnerability. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.
Source
Cisco would like to thank Australian Signals Directorate’s Australian Cyber Security Centre for reporting this vulnerability.
Legal Disclaimer
SOFTWARE DOWNLOADS AND TECHNICAL SUPPORT

The Cisco Support and Downloads ["https://www.cisco.com/c/en/us/support/index.html"] page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. Please note that customers may download only software that was procured from Cisco directly or through a Cisco authorized reseller or partner and for which the license is still valid.

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC) ["https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"]. Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

When considering software upgrades ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"], customers are advised to regularly consult the advisories ["https://www.cisco.com/go/psirt"] for the relevant Cisco products to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) ["https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"] or their contracted maintenance providers.

LEGAL DISCLAIMER DETAILS

CISCO DOES NOT MAKE ANY EXPRESS OR IMPLIED GUARANTEES OR WARRANTIES OF ANY KIND, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, CISCO DOES NOT GUARANTEE THE ACCURACY OR COMPLETENESS OF THIS INFORMATION. THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Copies or summaries of the information contained in this Security Advisory may lack important information or contain factual errors. Customers are advised to visit the Cisco Security Advisories ["https://www.cisco.com/go/psirt"] page for the most recent version of this Security Advisory. The Cisco Product Security Incident Response Team (PSIRT) assesses only the affected and fixed release information that is documented in this advisory. See the Cisco Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"] for more information.

{
  "document": {
    "acknowledgments": [
      {
        "summary": "Cisco would like to thank Australian Signals Directorate\u2019s Australian Cyber Security Centre for reporting this vulnerability."
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "text": "A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.\r\n\r\nThis vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.\r\n\r\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\r\n\r\n",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "This vulnerability affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, regardless of device configuration.\r\n\r\nThis vulnerability affects the following deployment types:\r\n\r\nOn-Prem Deployment\r\nCisco Hosted SD-WAN Cloud\r\nCisco Hosted SD-WAN Cloud - Cisco Managed\r\nCisco Hosted SD-WAN Cloud - FedRAMP Environment\r\n\r\nFor information about which Cisco software releases are vulnerable, see the Fixed Software [\"#fs\"] section of this advisory.",
        "title": "Vulnerable Products"
      },
      {
        "category": "general",
        "text": "Only products listed in the Vulnerable Products [\"#vp\"] section of this advisory are known to be affected by these vulnerabilities.",
        "title": "Products Confirmed Not Vulnerable"
      },
      {
        "category": "general",
        "text": "Important: To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes apply:\r\n\r\nCisco SD-WAN Controllers are now Cisco Catalyst SD-WAN Control Components\r\nCisco SD-WAN vAnalytics is now Cisco Catalyst SD-WAN Analytics\r\nCisco SD-WAN vBond is now Cisco Catalyst SD-WAN Validator\r\nCisco SD-WAN vManage is now Cisco Catalyst SD-WAN Manager\r\nCisco SD-WAN vSmart is now Cisco Catalyst SD-WAN Controller\r\n\r\nFor a comprehensive list of all the component brand name changes, see the latest Release Notes. During the transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.",
        "title": "Details"
      },
      {
        "category": "general",
        "text": "Cisco Catalyst SD-WAN Controller systems that are exposed to the internet and that have ports exposed to the internet are at risk of exposure to compromise.\r\n\r\nCustomers are encouraged to audit the auth.log file, located at /var/log/auth.log, for entries that are related to Accepted publickey for vmanage-admin from unknown or unauthorized IP addresses, as shown in the following example:\r\n\r\n\r\n2026-02-10T22:51:36+00:00 vm \u003cauth.info\u003e sshd[804]: Accepted publickey for vmanage-admin from \u003cSYSTEM IP ADDRESS\u003e port [REDACTED PORT] ssh2: RSA SHA256:[REDACTED KEY]\r\n\r\nCustomers must check the IP address in the auth.log log file against the configured System IPs that are listed in the Cisco Catalyst SD-WAN Manager web UI in the WebUI \u003e Devices \u003e System IP column.\r\n\r\nFor help determining if a Cisco Catalyst SD-WAN Controller or Cisco Catalyst SD-WAN Manager has been compromised, customers should open a case with the Cisco Technical Assistance Center (TAC). Before opening a new TAC case, customers are encouraged to issue the request admin-tech command from each of the control components in the SD-WAN deployment so that the admin-tech file can be provided to the Cisco TAC for review.\r\n\r\nPeering Event Validation Guidance\r\n\r\nAll control connection peering events identified in Cisco Catalyst SD-WAN logs require manual validation to confirm their legitimacy, with a specific focus placed on vmanage peering types. Threat actors who compromise SD-WAN infrastructure often establish unauthorized peer connections that may appear superficially normal but occur at unexpected times, originate from unrecognized IP addresses, or involve device types inconsistent with the environment\u0027s architecture. A comprehensive review process is essential to distinguish between legitimate network operations and potential indicators of compromise.\r\n\r\nValidation Checklist\r\n\r\nVerify the timestamp of each peering event against known maintenance windows, scheduled configuration changes, and normal operational hours for your environment.\r\nConfirm the public IP address corresponds to infrastructure owned or operated by your organization or authorized partners by cross-referencing against asset inventories and authorized IP ranges.\r\nValidate that the peer system IP matches documented device assignments within your SD-WAN topology.\r\nReview the peer type (vmanage, vsmart, vedge, vbond) to ensure it aligns with expected device roles in your deployment.\r\nCorrelate multiple events from the same source IP or system IP to identify patterns of reconnaissance or persistent access attempts.\r\nCross-reference event timing with authentication logs, change management records, and user activity to establish whether the connection was initiated by authorized personnel.\r\n\r\nExample Log Entry\r\n\r\n\r\nJul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanagepeer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005\r\n\r\nIn the identified example, the peer-system-ip should be validated as matching the expected IP address schema in-use, the timestamp should be validated as matching any events that might cause a peering event to occur and the public-ip should be validated as being an expected source for a peering event.",
        "title": "Indicators of Compromise"
      },
      {
        "category": "general",
        "text": "There are no workarounds that address this vulnerability. However, as a mitigation customers may use the following guidance to temporarily mitigate the impact of this vulnerability while they are planning to upgrade to a first fixed release.\r\n        Action Owner  On-Prem Deployment          Customer  Follow the guidelines in the Firewall Ports for Cisco Catalyst SD-WAN Deployments [\"https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/cisco-sd-wan-overlay-network-bringup.html#c_Firewall_Ports_for_Viptela_Deployments_8690.xml\"] section of the Cisco Catalyst SD-WAN Getting Started Guide.\r\n   Customers who host their own Cisco Catalyst SD-WAN deployment in their own data centers must secure intra-controller connectivity. Cisco recommends adding the access control lists (ACLs), security group rules, and/or firewall rules to restrict the traffic to port 22 and port 830 to allow only known controller IPs and other known IPs.      Action Owner  Cisco Hosted SD-WAN Cloud      Customer  These guardrails are in place for Cisco Hosted SD-WAN Cloud.      Action Owner  Cisco Hosted SD-WAN Cloud - FedRAMP Environment      Customer  These guardrails are in place for Cisco Hosted SD-WAN Cloud - FedRAMP Environment.      Action Owner  Cisco Hosted SD-WAN Cloud - Cisco Managed      Customer and Cisco  These guardrails are in place for Cisco Hosted SD-WAN Cloud - Cisco Managed.\r\nWhile this mitigation has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.",
        "title": "Workarounds"
      },
      {
        "category": "general",
        "text": "Cisco considers any workarounds and mitigations (if applicable) to be temporary solutions until an upgrade to a fixed software release is available. To fully remediate these vulnerabilities and avoid future exposure as described in this advisory, Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory.\r\n      Fixed Releases\r\nIn the following table, the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerability that is described in this advisory and the first release that includes the fix for this vulnerability. Customers are advised to upgrade to an appropriate fixed software release [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"] as indicated in this section.\r\n        Cisco Catalyst SD-WAN Release  First Fixed Release          Earlier than 20.91  Migrate to a fixed release.      20.9  20.9.8.2 (Estimated release February 27, 2026)      20.111  20.12.6.1      20.12.5\r\n20.12.6  20.12.5.3\r\n20.12.6.1      20.131  20.15.4.2      20.141  20.15.4.2      20.15  20.15.4.2      20.161  20.18.2.1      20.18  20.18.2.1\r\n1. These releases have reached End of Software Maintenance [\"https://www.cisco.com/c/en/us/products/routers/sd-wan/eos-eol-notice-listing.html\"]. Cisco strongly encourages customers to upgrade to a supported release [\"https://www.cisco.com/c/en/us/td/docs/routers/sdwan/release/notes/compatibility-and-server-recommendations.html\"].\r\nThe Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.\r\n\r\nAdditional Information\r\n\r\nTo check component and software release compatibility, see the SD-WAN Controller Component Compatibility Matrix [\"https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/catalyst_sdwan_compatibility_matrix/index.html\"].\r\nFor help planning an upgrade, Cisco Catalyst SD-WAN Upgrade Matrix [\"https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/catalyst-sdwan-upgrade-matrix/index.html\"].",
        "title": "Fixed Software"
      },
      {
        "category": "general",
        "text": "Cisco recommends upgrading the affected systems to a fixed software release.\r\n\r\nGeneral Recommendations for Hardening\r\n\r\nPrevent access from unsecured networks, such as the internet, to the system. If internet access to the system is required, restrict system access to only known, trusted hosts on ports/protocols that are included in the user guides.\r\nProtect Cisco Catalyst SD-WAN Control Components behind a filtering device such as a firewall, and filter traffic to and from the systems while allowing only known, trusted hosts to send traffic to the systems. Using a two-layer firewall can provide flexibility in network planning so that end users do not connect directly to the outer DMZ. See the Deployment sections of the User Guides for Cisco Catalyst SD-WAN software [\"https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#DeploymentPlanning\"].\r\nRegularly monitor web log traffic for any unexpected traffic to and from systems. Logging should be sent to an external server, if possible, and kept for a long enough duration so that post-event investigations can be performed with sufficient log data.\r\nDisable HTTP for the Cisco Catalyst SD-WAN Manager web UI administrator portal.\r\nDisable any network services that are not required, including HTTP and FTP. For more information about specific service functionality, see the Cisco Catalyst SD-WAN user guides.\r\nUpgrade the system to the latest version of Cisco Catalyst SD-WAN Software.\r\nChange the default administrator password to a more secure variant. Restrict access to the administrator account by creating user accounts based on necessary access requirements. In addition, create operator accounts for all administrators.\r\nUse SSL/TLS, obtain an SSL certificate from a certificate authority (CA), or create a self-signed certificate.\r\n\r\nFor more information, review the Cisco Catalyst SD-WAN Hardening Guide [\"https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide\"].",
        "title": "Recommendations"
      },
      {
        "category": "general",
        "text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
        "title": "Vulnerability Policy"
      },
      {
        "category": "general",
        "text": "The Cisco PSIRT is aware of limited exploitation of this vulnerability. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.",
        "title": "Exploitation and Public Announcements"
      },
      {
        "category": "general",
        "text": "Cisco would like to thank Australian Signals Directorate\u2019s Australian Cyber Security Centre for reporting this vulnerability.",
        "title": "Source"
      },
      {
        "category": "legal_disclaimer",
        "text": "SOFTWARE DOWNLOADS AND TECHNICAL SUPPORT\r\n\r\nThe Cisco Support and Downloads [\"https://www.cisco.com/c/en/us/support/index.html\"] page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. Please note that customers may download only software that was procured from Cisco directly or through a Cisco authorized reseller or partner and for which the license is still valid.\r\n\r\nCustomers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC) [\"https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html\"]. Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.\r\n\r\nWhen considering software upgrades [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"], customers are advised to regularly consult the advisories [\"https://www.cisco.com/go/psirt\"] for the relevant Cisco products to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) [\"https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html\"] or their contracted maintenance providers.\r\n    LEGAL DISCLAIMER DETAILS\r\n\r\nCISCO DOES NOT MAKE ANY EXPRESS OR IMPLIED GUARANTEES OR WARRANTIES OF ANY KIND, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, CISCO DOES NOT GUARANTEE THE ACCURACY OR COMPLETENESS OF THIS INFORMATION. THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nCopies or summaries of the information contained in this Security Advisory may lack important information or contain factual errors. Customers are advised to visit the Cisco Security Advisories [\"https://www.cisco.com/go/psirt\"] page for the most recent version of this Security Advisory. The Cisco Product Security Incident Response Team (PSIRT) assesses only the affected and fixed release information that is documented in this advisory. See the Cisco Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"] for more information.",
        "title": "Legal Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@cisco.com",
      "issuing_authority": "Cisco PSIRT",
      "name": "Cisco",
      "namespace": "https://wwww.cisco.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk"
      },
      {
        "category": "external",
        "summary": "Cisco Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      },
      {
        "category": "external",
        "summary": "Firewall Ports for Cisco Catalyst SD-WAN Deployments",
        "url": "https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/cisco-sd-wan-overlay-network-bringup.html#c_Firewall_Ports_for_Viptela_Deployments_8690.xml"
      },
      {
        "category": "external",
        "summary": "fixed software release",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"
      },
      {
        "category": "external",
        "summary": "End of Software Maintenance",
        "url": "https://www.cisco.com/c/en/us/products/routers/sd-wan/eos-eol-notice-listing.html"
      },
      {
        "category": "external",
        "summary": "supported release",
        "url": "https://www.cisco.com/c/en/us/td/docs/routers/sdwan/release/notes/compatibility-and-server-recommendations.html"
      },
      {
        "category": "external",
        "summary": "SD-WAN Controller Component Compatibility Matrix",
        "url": "https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/catalyst_sdwan_compatibility_matrix/index.html"
      },
      {
        "category": "external",
        "summary": "Cisco Catalyst SD-WAN Upgrade Matrix",
        "url": "https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/catalyst-sdwan-upgrade-matrix/index.html"
      },
      {
        "category": "external",
        "summary": "Deployment sections of the User Guides for Cisco Catalyst SD-WAN software",
        "url": "https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#DeploymentPlanning"
      },
      {
        "category": "external",
        "summary": "Cisco Catalyst SD-WAN Hardening Guide",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide"
      },
      {
        "category": "external",
        "summary": "Security Vulnerability Policy",
        "url": "http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"
      },
      {
        "category": "external",
        "summary": "Cisco Support and Downloads",
        "url": "https://www.cisco.com/c/en/us/support/index.html"
      },
      {
        "category": "external",
        "summary": "Cisco Technical Assistance Center (TAC)",
        "url": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"
      },
      {
        "category": "external",
        "summary": "the advisories",
        "url": "https://www.cisco.com/go/psirt"
      }
    ],
    "title": "Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability",
    "tracking": {
      "current_release_date": "2026-02-25T16:00:00+00:00",
      "generator": {
        "date": "2026-02-25T16:00:23+00:00",
        "engine": {
          "name": "TVCE"
        }
      },
      "id": "cisco-sa-sdwan-rpa-EHchtZk",
      "initial_release_date": "2026-02-25T16:00:00+00:00",
      "revision_history": [
        {
          "date": "2026-02-25T15:59:40+00:00",
          "number": "1.0.0",
          "summary": "Initial public release."
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_family",
            "name": "Cisco Catalyst SD-WAN Manager",
            "product": {
              "name": "Cisco Catalyst SD-WAN Manager ",
              "product_id": "CSAFPID-271450"
            }
          }
        ],
        "category": "vendor",
        "name": "Cisco"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-20127",
      "ids": [
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCws52722"
        }
      ],
      "notes": [
        {
          "category": "other",
          "text": "Complete.",
          "title": "Affected Product Comprehensiveness"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-271450"
        ]
      },
      "release_date": "2026-02-25T16:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Cisco has released software updates that address this vulnerability.",
          "product_ids": [
            "CSAFPID-271450"
          ],
          "url": "https://software.cisco.com"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-271450"
          ]
        }
      ],
      "title": "Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability"
    }
  ]
}

