Executive Summary

On February 25, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities impacting Cisco networking products to its Known Exploited Vulnerabilities (KEV) catalog. The inclusion confirms that both flaws are being actively exploited in the wild by malicious actors. The vulnerabilities, CVE-2026-20127 and CVE-2022-20775, affect Cisco Catalyst SD-WAN products and could allow attackers to bypass authentication or access sensitive files. In accordance with Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities promptly. CISA strongly urges all organizations to prioritize patching to mitigate the risk of compromise.

Vulnerability Details

CVE-2026-20127: Cisco Catalyst SD-WAN Authentication Bypass

• Description: This is a critical authentication bypass vulnerability in the Cisco Catalyst SD-WAN Controller and Manager. Successful exploitation could allow a remote, unauthenticated attacker to bypass authentication mechanisms and gain administrative privileges on the affected device.
• Impact: An attacker with administrative access could take full control of the SD-WAN fabric, allowing them to monitor, redirect, or disrupt network traffic, as well as use the device as a pivot point for further attacks within the network.
• CVSS Score: Not provided, but expected to be Critical (9.0+).

CVE-2022-20775: Cisco Catalyst SD-WAN Path Traversal

• Description: This is a path traversal vulnerability that could allow an attacker to read arbitrary files on the underlying operating system of an affected device. The attacker could use crafted HTTP requests to navigate outside the intended directory.
• Impact: Successful exploitation could lead to the disclosure of sensitive information, such as device configurations, credentials, or other confidential data stored on the system. This information could then be used to facilitate further attacks.
• CVSS Score: Not provided.

Affected Systems

• Cisco Catalyst SD-WAN Controller
• Cisco Catalyst SD-WAN Manager
• Cisco Catalyst SD-WAN

Organizations should consult the official Cisco security advisories for a complete list of affected product versions and software releases.

Exploitation Status

Both CVE-2026-20127 and CVE-2022-20775 have been added to the KEV catalog because CISA has reliable evidence of active exploitation in the wild. This means threat actors are actively targeting unpatched devices, elevating the urgency for remediation. Attackers frequently target vulnerabilities in edge networking devices like SD-WAN controllers as they are often internet-exposed and provide a gateway into an organization's network.

Cyber Observables for Detection

Security teams can hunt for signs of exploitation by looking for specific patterns in web server logs on their Cisco SD-WAN devices:

• For CVE-2022-20775 (Path Traversal): Look for URL requests containing directory traversal sequences like ..%2F or ..\. For example, a request to /cgi-bin/..%2F..%2F..%2Fetc/passwd.
• For CVE-2026-20127 (Auth Bypass): Monitor for access to administrative endpoints or APIs from untrusted or unexpected IP addresses without prior authentication events in the logs.

Detection Methods

1. Vulnerability Scanning: Use a vulnerability scanner with up-to-date plugins to actively scan your network for vulnerable versions of Cisco SD-WAN products.
2. Log Analysis: Ingest and analyze logs from Cisco SD-WAN devices into a SIEM. Create rules to alert on the suspicious URL patterns associated with path traversal and any unauthorized access to administrative interfaces. This aligns with D3FEND's D3-NTA - Network Traffic Analysis.
3. Asset Inventory: Maintain a complete and accurate inventory of all network devices, including their software versions, to quickly identify all systems that require patching.

Remediation Steps

1. Patch Immediately: The primary remediation is to apply the software updates provided by Cisco as soon as possible. Prioritize internet-facing devices. This is a direct application of D3FEND's D3-SU - Software Update.
2. Restrict Access: As a temporary mitigation or compensating control, restrict access to the management interfaces of Cisco SD-WAN devices. Access should only be allowed from a dedicated and trusted management network or specific IP addresses. Block access from the public internet if possible.
3. Hunt for Compromise: After patching, assume breach. Hunt for signs that the vulnerabilities were exploited before the patch was applied. Look for newly created user accounts, unusual configuration changes, or outbound C2 connections.