
- Over the past two weeks, Cisco has disclosed half a dozen new vulnerabilities in Catalyst SD-WAN Manager, half of which are now known to be exploited in the wild.
- Community interest has centered on CVE-2026-20127, a zero-day authentication bypass exploited by UAT-8616; initial public proof-of-concept code for CVE-2026-20127 was misattributed and will lead to incomplete detections.
- The VulnCheck research team assesses that CVE-2026-20133 is a higher risk than defenders may realize, and is likely to be exploited — if exploitation isn’t already ongoing under the radar.
In response to customer requests, the VulnCheck Initial Access Intelligence team has been analyzing a slew of different Cisco vulnerabilities over the past week and change. As is typical for emerging threat vulnerabilities, our team has seen a variety of incorrectly attributed or fake public PoCs for several of these flaws; this blog details research team observations across more than half a dozen different CVEs in Cisco Catalyst SD-WAN Manager.
Our team’s ASM queries for Cisco Catalyst SD-WAN show a range of results, depending on the engine: ZoomEye finds roughly 275 internet-exposed instances, Shodan and Censys discover between 450 and 550, and FOFA shows upwards of a thousand.
On February 25, 2026, Cisco’s Talos team published a blog disclosing in-the-wild exploitation of two vulnerabilities in Catalyst SD-WAN Manager: CVE-2026-20127, a CVSS-10 zero-day flaw in Catalyst SD-WAN Controller’s peering authentication that allowed unauthenticated adversaries to bypass authentication and gain initial (administrative) access; and CVE-2022-20775, an older, previously unexploited vulnerability in the SD-WAN CLI that delivered post-auth privilege escalation and remote command execution as root. Threat activity targeting the two vulnerabilities was traced back to 2023 and attributed to UAT-8616, which the Talos team deemed “a highly sophisticated cyber threat actor.” In addition to Cisco’s blog, which contains investigative guidance, the Australian Signals Directorate released a 41-page tradecraft and threat hunting report on the zero-day exploit in conjunction with Five Eyes intelligence partners.
While the majority of the community’s interest has (understandably) focused on CVE-2026-20127, the zero-day initial access vulnerability, Cisco also published an aggregate advisory for five other flaws in Catalyst SD-WAN Manager:
- CVE-2026-20122, an authenticated file overwrite issue in the SD-WAN Manager API that the VulnCheck team exploited to upload a webshell to a vulnerable target system;
- CVE-2026-20126, a post-authentication privilege escalation to root via the REST API;
- CVE-2026-20128, an authenticated file read vulnerability that allows for Data Collection Agent (DCA) user takeover, provided the attacker has valid vmanage credentials;
- CVE-2026-20129, an authentication bypass that gives remote, unauthenticated adversaries access to the netadmin user; and
- CVE-2026-20133, an unauthenticated information disclosure issue in the SD-WAN Manager API.
| CVE | Description | CVSS | Exploited? | EPSS |
|---|---|---|---|---|
| CVE-2026-20127 | Cisco Catalyst SD-WAN Controller Authentication Bypass | 10 (Critical) | Yes, zero-day | 0.02604 |
| CVE-2022-20775 | Cisco SD-WAN CLI Privilege Escalation | 7.8 (High) | Yes | 0.00499 |
| CVE-2026-20122 | Cisco Catalyst SD-WAN Manager API File Overwrite | 5.4 (Medium) | Yes | 0.00042 |
| CVE-2026-20126 | Cisco Catalyst SD-WAN Manager Privilege Escalation | 7.8 (High) | No | 0.00042 |
| CVE-2026-20128 | Cisco Catalyst SD-WAN Manager DCA User Takeover | 7.5 (High) | Yes | 0.00019 |
| CVE-2026-20129 | Cisco Catalyst SD-WAN Manager API Improper Authentication | 9.8 (Critical) | No | 0.00148 |
| CVE-2026-20133 | Cisco Catalyst SD-WAN Manager API Information Disclosure | 7.5 (High) | No | 0.00047 |
None of the additional CVEs above was listed as exploited in the wild at time of disclosure, but on March 5, Cisco updated their advisory to reflect that both CVE-2026-20128 and CVE-2026-20122 were seeing active exploitation. Both issues were immediately added to VulnCheck’s KEV; as of March 11, neither is on CISA KEV.
Since public disclosure of CVE-2026-20127, several firms have observed in-the-wild exploitation using a public proof of concept released March 3. As it turns out, however, that public PoC doesn’t exploit CVE-2026-20127 at all, but rather several other, completely different vulnerabilities. In other words, CVE-2026-20127 exploitation detections based on the March 3 zerozenxlabs PoC are incorrectly attributed.
As is typical with emerging threat vulnerabilities, several public proof-of-concept exploits that claimed to target CVE-2026-20127 hit code-sharing platforms not long after the vulnerability was published. Since VulnCheck’s research team validates and curates public exploits, we reviewed and discarded several fake or otherwise non-functional exploits. On March 3, GitHub user zerozenxlabs posted PoC code that purportedly exploited CVE-2026-20127.
Our team tested the exploit against a live SD-WAN target and determined that, while it is a valid exploit, it does not exploit CVE-2026-20127 at all, but rather three of the other vulnerabilities Cisco disclosed in SD-WAN Manager: CVE-2026-20133 and CVE-2026-20128 are used to leak and read the DCA credential file, after which the exploit leverages CVE-2026-20122 in the API to upload a webshell. CVE-2026-20127, by contrast, affects peering authentication between vManagers and vControllers, which is a completely different area of the code base that the zerozenxlabs PoC never touches. Rapid7’s Stephen Fewer published an exploit that does actually target CVE-2026-20127 on March 11, which means in-the-wild exploit attempts against the real vulnerability are likely to pick up.
Cisco still has not indicated any known exploitation of CVE-2026-20133, which is somewhat surprising, considering that the file system access the vulnerability provides allowed our research team to extract the vmanage-admin user’s private key and compromise the Network Configuration Protocol (NETCONF) used to configure and manage SD-WAN devices. The VulnCheck team also used CVE-2026-20133 to leak confd_ipc_secret, allowing any local user to escalate to an unconstrained root shell. Notably, this is the same technique documented by Orange group’s Cyrille CHATRAS, who discovered and reported SD-WAN Manager CVE-2022-20775 back in 2021.
Defenders who are using the zerozenxlabs PoC to inform signatures have a good start on detecting any potential CVE-2026-20133 exploitation, but should note that CVE-2026-20133 can leak any file on the filesystem and is not limited to leaking the DCA user secret specifically.
Early exploits and industry attention on emerging threats can be useful for understanding likely exploitation paths and vulnerability nuances, but they can also lead organizations astray when they rely on untested research artifacts or overly narrow focus on specific attack paths. VulnCheck’s Initial Access Intelligence team applies an exploit-first lens to broad swaths of vulnerabilities, validating and improving upon public research artifacts while developing original capabilities and insights.
VulnCheck’s Initial Access Intelligence team is always on the hunt for new exploits and fresh shells. By delivering machine-consumable, evidence-driven intelligence on new vulnerabilities and how attackers can actually use them, VulnCheck helps organizations prepare earlier, respond decisively, and verify exploitation without relying on scores or delayed consensus. For more research like this, see Tales from the Exploit Mines: Gladinet Triofox CVE-2025-12480 RCE, Metro4Shell: Exploitation of React Native’s Metro Server in the Wild, and Street Smarts: SmarterMail ConnectToHub Unauthenticated RCE (CVE-2026-24423).
Sign up for the VulnCheck community today to get free access to our VulnCheck KEV, enjoy our comprehensive vulnerability data, and request a trial of our Initial Access Intelligence, IP Intelligence, and Exploit & Vulnerability Intelligence products.
