CISA Adds Two Actively Exploited Cisco SD-WAN Vulnerabilities to KEV Catalog

CISA Orders Patching for Two Actively Exploited Cisco SD-WAN Flaws

CRITICAL
February 25, 2026
February 26, 2026
4m read
Vulnerability · Patch Management · Threat Intelligence

Related Entities (initial)

Products & Tech

  • Cisco Catalyst SD-WAN

CVE Identifiers

  • CVE-2026-20127 (CRITICAL)
  • CVE-2022-20775 (HIGH)

Full Report (when first published)

Executive Summary

On February 25, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities impacting Cisco networking products to its Known Exploited Vulnerabilities (KEV) catalog. The inclusion confirms that both flaws are being actively exploited in the wild by malicious actors. The vulnerabilities, CVE-2026-20127 and CVE-2022-20775, affect Cisco Catalyst SD-WAN products and could allow attackers to bypass authentication or access sensitive files. In accordance with Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities promptly. CISA strongly urges all organizations to prioritize patching to mitigate the risk of compromise.

Vulnerability Details

CVE-2026-20127: Cisco Catalyst SD-WAN Authentication Bypass

  • Description: This is a critical authentication bypass vulnerability in the Cisco Catalyst SD-WAN Controller and Manager. Successful exploitation could allow a remote, unauthenticated attacker to bypass authentication mechanisms and gain administrative privileges on the affected device.
  • Impact: An attacker with administrative access could take full control of the SD-WAN fabric, allowing them to monitor, redirect, or disrupt network traffic, as well as use the device as a pivot point for further attacks within the network.
  • CVSS Score: Not provided in the KEV entry at first publication (KEV listings carry no score). The February 26 update below records Cisco's rating of CVSS 10.0, consistent with the Critical severity shown above.

CVE-2022-20775: Cisco Catalyst SD-WAN Path Traversal

  • Description: A path traversal weakness (CWE-22) in Cisco SD-WAN software that lets an attacker reach files outside the intended directory on the underlying operating system. According to the February 26 update below, attackers chain it with CVE-2026-20127 to obtain root on the device, so treat it as a privilege-escalation step rather than only an information leak. Consult the Cisco advisory for the exact attack vector and prerequisites.
  • Impact: Disclosure of sensitive information such as device configurations, credentials, or other confidential data stored on the system, and, in the exploitation chain reported in the update, root-level control of the appliance. Either outcome gives the attacker what is needed to move further into the SD-WAN fabric.
  • CVSS Score: Not provided in the KEV entry; the entity list above rates it High. Consult the Cisco advisory for the vendor's score and vector.

Affected Systems

  • Cisco Catalyst SD-WAN Controller
  • Cisco Catalyst SD-WAN Manager
  • Cisco Catalyst SD-WAN

Organizations should consult the official Cisco security advisories for a complete list of affected product versions and software releases.

Exploitation Status

Both CVE-2026-20127 and CVE-2022-20775 have been added to the KEV catalog because CISA has reliable evidence of active exploitation in the wild. This means threat actors are actively targeting unpatched devices, elevating the urgency for remediation. Attackers frequently target vulnerabilities in edge networking devices like SD-WAN controllers as they are often internet-exposed and provide a gateway into an organization's network.

Cyber Observables for Detection

Security teams can hunt for signs of exploitation by looking for specific patterns in web server logs on their Cisco SD-WAN devices:

  • For CVE-2022-20775 (Path Traversal): Look for request paths containing traversal sequences such as ../, ..\, or their URL-encoded forms (..%2F, %2E%2E%2F, and double-encoded %252E%252E%252F). A generic illustration of the pattern, not a published Cisco indicator, is a request like /cgi-bin/..%2F..%2F..%2Fetc/passwd. Decode and normalize the path before matching; a literal ../ rule misses every encoded variant.
  • For CVE-2026-20127 (Auth Bypass): Monitor for requests to administrative endpoints or APIs from addresses outside the management allowlist, and for administrative requests from any source with no preceding successful login event. Because the bypass mechanism is not described here, alert on the outcome (administrative actions without a login) rather than on a specific request signature.

Detection Methods

  1. Vulnerability Scanning: Use a vulnerability scanner with up-to-date plugins to actively scan your network for vulnerable versions of Cisco SD-WAN products.
  2. Log Analysis: Ingest and analyze logs from Cisco SD-WAN devices into a SIEM. Create rules to alert on the suspicious URL patterns associated with path traversal and any unauthorized access to administrative interfaces. This aligns with D3FEND's D3-NTA - Network Traffic Analysis.
  3. Asset Inventory: Maintain a complete and accurate inventory of all network devices, including their software versions, to quickly identify all systems that require patching.

Remediation Steps

  1. Patch Immediately: The primary remediation is to apply the software updates provided by Cisco as soon as possible. Prioritize internet-facing devices. This is a direct application of D3FEND's D3-SU - Software Update.
  2. Restrict Access: As a temporary mitigation or compensating control, restrict access to the management interfaces (GUI and REST API) of Cisco SD-WAN devices to a dedicated, trusted management network or a short list of administrator addresses, and block them from the public internet where possible. Scope the restriction to the management interface: SD-WAN controllers must remain reachable by the WAN edge routers for control-plane connections, so a blanket block on all inbound traffic to the appliance would break the fabric.
  3. Hunt for Compromise: After patching, assume breach and hunt for signs that the vulnerabilities were exploited before the patch was applied: newly created user accounts, unusual configuration changes, or outbound C2 connections. Since the February 26 update reports zero-day exploitation since 2023, extend the lookback well beyond the patch date, not just the date of the KEV listing.

Timeline of Events

  1. February 25, 2026: CISA adds CVE-2026-20127 and CVE-2022-20775 to the Known Exploited Vulnerabilities (KEV) catalog.
  2. February 25, 2026: This article was published.

Article Updates

February 26, 2026

Cisco confirms that CVE-2026-20127 (CVSS 10.0) is being actively exploited and that attackers chain it with CVE-2022-20775 to obtain root access. CISA has issued an Emergency Directive covering these flaws. Evidence indicates zero-day exploitation dating back to 2023.

MITRE ATT&CK Mitigations

  • M1051 Update Software (enterprise): Apply the security patches released by Cisco immediately.
  • M1035 Limit Access to Resource Over Network (enterprise): Restrict network access to the management interfaces of SD-WAN devices to trusted IP addresses only.
  • M1047 Audit (enterprise): Regularly audit logs for signs of compromise or exploitation attempts.

D3FEND Defensive Countermeasures

The most critical and effective defense against the active exploitation of CVE-2026-20127 and CVE-2022-20775 is to apply the security patches provided by Cisco. Given that these vulnerabilities are in the CISA KEV catalog, they are under active attack. Organizations must prioritize these updates, especially on internet-facing SD-WAN controllers and managers. A risk-based patching policy should place KEV vulnerabilities at the highest priority level, with a mandate to patch within days, not weeks. Automating the patching process for network infrastructure where possible can ensure timely and consistent application, closing the window of opportunity for attackers.

As a vital compensating control, the management interfaces of all Cisco Catalyst SD-WAN devices should be isolated from general network traffic and especially from the public internet. These interfaces should reside on a dedicated, out-of-band management network. Access to this network should be strictly controlled via firewall rules, allowing connections only from a limited set of administrator workstations or a bastion host. This practice of network isolation dramatically reduces the attack surface, preventing an external attacker from ever reaching the vulnerable interface, even if it remains unpatched. This is a fundamental principle of secure network architecture.

To detect exploitation attempts against CVE-2022-20775, use network traffic analysis (D3-NTA). Ingest web server logs from Cisco SD-WAN devices into a SIEM and create detection rules that search for path traversal sequences in the request path, such as ../, ..\, or their URL-encoded variants (..%2F, %2E%2E%2F, and double-encoded %252E%252E%252F); decode and normalize the path before matching so that encoding differences do not defeat the rule. A Web Application Firewall (WAF) can also be configured to block these patterns in real time, provided it sits in front of the management interface and therefore sees the traffic. For the authentication bypass (CVE-2026-20127), monitor for any successful access to administrative pages or APIs from IPs that are not on an established allowlist, or from any source with no preceding successful login, either of which could indicate a bypass of normal login procedures.
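The following is an added example, not code from the article, CISA, or Cisco, that implements the two observables described in the Cyber Observables, Detection Methods, and D3FEND sections above as a small log hunter. It assumes Apache/nginx "combined" access-log format (adapt LOG_RE to whatever your SD-WAN appliances actually export), and the management subnet, login path, and admin prefix are placeholders rather than real Cisco SD-WAN Manager routes. The sample log lines are constructed for the example. The point it makes beyond the prose: decode repeatedly and normalize before matching, so double-encoded traversal and an encoded admin path (/%61dmin/) are caught, and flag administrative access by the absence of a prior login rather than by a request signature.

```python
"""Log hunter for traversal sequences and admin access without a prior login.
Added example; not from the article, CISA or Cisco. Assumes Apache/nginx
"combined" access-log format. Endpoint names and the management subnet are
placeholders (assumptions), not real Cisco SD-WAN Manager routes."""
import ipaddress
import re
from urllib.parse import unquote

# --- assumptions (adjust to your environment) --------------------------------
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # trusted admin subnet (placeholder)
LOGIN_PATH = "/login"                                # login endpoint (placeholder)
ADMIN_PREFIXES = ("/admin/",)                        # admin API prefix (placeholder)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A ".." that forms a whole path segment; "report..v2.pdf" must not match.
TRAVERSAL_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")

# Constructed sample lines, not real Cisco logs: single- and double-encoded
# traversal, a legitimate login, an encoded admin path with no login, benign.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Feb/2026:10:01:09 +0000] "GET /cgi-bin/..%2F..%2F..%2Fetc/passwd HTTP/1.1" 200 1843
203.0.113.5 - - [25/Feb/2026:10:02:15 +0000] "GET /static/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 404 0
10.20.0.4 - - [25/Feb/2026:10:03:00 +0000] "POST /login HTTP/1.1" 302 0
10.20.0.4 - - [25/Feb/2026:10:03:05 +0000] "GET /admin/users HTTP/1.1" 200 2048
203.0.113.5 - - [25/Feb/2026:10:04:30 +0000] "GET /%61dmin/users HTTP/1.1" 200 2200
10.20.0.4 - - [25/Feb/2026:10:05:00 +0000] "GET /ui/dashboard HTTP/1.1" 200 9000
"""


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """URL-decode until stable so %252e%252e (double-encoded '..') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def normalize(path: str) -> str:
    """Decode and fold backslashes to slashes; match on this, never on raw bytes."""
    return fully_decode(path).replace("\\", "/")


def is_traversal(path: str) -> bool:
    return bool(TRAVERSAL_SEGMENT.search(normalize(path)))


def is_management_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def hunt(log_text: str) -> list:
    """Return one finding dict per suspicious request, in log order."""
    findings = []
    logged_in = set()  # source IPs with a successful login seen so far
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; count these separately in production
        ip, method, status = m["ip"], m["method"], m["status"]
        path = normalize(m["path"])
        if is_traversal(m["path"]):
            findings.append({"rule": "path-traversal", "ip": ip,
                             "path": m["path"], "status": status})
        if method == "POST" and path == LOGIN_PATH and status in ("200", "302"):
            logged_in.add(ip)  # assumption: 2xx/302 on POST /login means success
            continue
        if path.startswith(ADMIN_PREFIXES) and ip not in logged_in:
            findings.append({"rule": "admin-without-login", "ip": ip, "path": path,
                             "status": status, "trusted_ip": is_management_ip(ip)})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Run as-is it reports three findings: two traversal attempts (the 404 counts; an attempt is an attempt) and one administrative request from 203.0.113.5 that was never preceded by a login and comes from outside the management subnet. The per-IP login tracking is deliberately crude; in a SIEM you would key on session cookie or token rather than source address, and you would also count unparsable lines, since an attacker who breaks your parser is invisible to every rule that follows.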


Sources & References (when first published)

AI Security Daily Briefing — February 25, 2026
TECHMANIACS.com (techmaniacs.com) February 25, 2026

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis · Security Orchestration (SOAR/XSOAR) · Incident Response & Digital Forensics · Security Operations Center (SOC) · SIEM & Security Analytics · Cyber Fusion & Threat Sharing · Security Automation & Integration · Managed Detection & Response (MDR)

Tags

CISA · KEV · Cisco · SD-WAN · Vulnerability · Patch Management · CVE-2026-20127 · CVE-2022-20775
