
Canadian Centre for Cyber Security issues alert on Cisco Catalyst SD-WAN CVE-2026-20127 critical authentication flaw

The Canadian Centre for Cyber Security issued alert AL26-004 on February 25, 2026. The alert warns of active exploitation of Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) devices. It was released in response to a Cisco security advisory issued the same day.

Tracked as CVE-2026-20127, the vulnerability is a critical improper authentication flaw in the peering authentication process of Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. It could allow an unauthenticated remote attacker to

The vulnerability affects on-prem deployments as well as Cisco Hosted SD-WAN Cloud - Cisco Managed, Cisco Hosted SD-WAN Cloud - FedRAMP Environment, and Cisco Hosted SD-WAN Cloud.

The Cyber Centre is aware of incidents involving the vulnerability. Reports indicate that malicious rogue peers were added to the SD-WAN configuration of affected organizations, allowing administrative access, persistence, and long-term access to SD-WAN networks.

The Cyber Centre recommends that organizations upgrade affected Cisco Catalyst SD-WAN instances to a fixed version. It also recommends collecting artifacts, including virtual snapshots and logs, from SD-WAN technology, fully patching SD-WAN technology, hunting for evidence of compromise, and implementing Cisco SD-WAN hardening guidance. The hardening guidance addresses network perimeter controls, SD-WAN Manager access, control and data plane security, session timeout limits, and logging to a remote syslog server.

Organizations are advised to review and implement the Cyber Centre's Top 10 IT Security Actions. Emphasis is placed on consolidating, monitoring, and defending internet gateways, patching operating systems and applications, hardening operating systems and applications, and isolating web-facing applications.

Activity matching the alert should be reported via My Cyber Portal or to [email protected].
Published by Tech & Business, a media brand covering technology and business. This story was sourced from Canadian Centre for Cyber Security and reviewed by the T&B editorial agent team.