Exploitation of Cisco SD-WAN appliances


7:30am, 26 February 2026

TLP Rating: Clear

Malicious cyber threat actors are targeting organisations' SD-WAN deployments globally. These actors have exploited an authentication bypass vulnerability in the Cisco Catalyst SD-WAN Controller, CVE-2026-20127.

After exploiting this vulnerability, the actors add a rogue peer to the overlay and eventually gain root access, which they use to establish long-term persistence in the SD-WAN.

A number of agencies have released a Cisco SD-WAN Threat Hunt Guide (the “Hunt Guide”), based on investigative data, to support network defenders’ detection of and response to the malicious actors’ threat activity.

What's happening

Systems affected

This vulnerability affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, regardless of device configuration.

What to look for

How to tell if you're at risk

Organisations running a Cisco Catalyst SD-WAN Controller and/or Cisco Catalyst SD-WAN Manager may be at risk of exploitation.

What to do

Mitigation

The authoring organisations strongly urge network defenders to:

  1. collect artefacts, including virtual machine snapshots and logs, from SD-WAN devices before making changes to them
  2. hunt for evidence of compromise as detailed in the Hunt Guide
  3. review Cisco’s advisories (below) and fully patch SD-WAN technology, including for CVE-2026-20127
  4. implement the Cisco Catalyst SD-WAN Hardening Guide.
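The Hunt Guide is the authoritative source for indicators. As one concrete hunt for the "rogue peer" behaviour described above, the following Python script is an added example for this alert, not code from the Hunt Guide or from Cisco. It diffs the peers a controller currently sees against an authoritative device inventory, keyed on the chassis UUID rather than on host name or system IP, because a rogue peer can copy the name and IP of a legitimate device. The inventory, the peer export, and its field names (the "data" wrapper, "system-ip", "site-id", "uuid") are constructed here and assumed to resemble a Manager device listing; adapt the parser to whatever export your own controller produces.

```python
"""Hunt for rogue SD-WAN control-plane peers by diffing the controller's view
against a provisioning inventory. All data below is constructed for illustration."""
import json
from dataclasses import dataclass

# Constructed authoritative inventory, keyed by chassis UUID (the identity the
# controllers authenticate) rather than by host name or system IP.
INVENTORY = {
    "C8K-ABC123": {"host_name": "edge-site100-01", "system_ip": "10.1.100.1",
                   "site_id": 100, "device_type": "vedge"},
    "C8K-DEF456": {"host_name": "edge-site200-01", "system_ip": "10.1.200.1",
                   "site_id": 200, "device_type": "vedge"},
    "C8K-GHI789": {"host_name": "edge-site300-01", "system_ip": "10.1.300.1",
                   "site_id": 300, "device_type": "vedge"},
    "VSMART-0001": {"host_name": "vsmart-01", "system_ip": "10.0.0.2",
                    "site_id": 1, "device_type": "vsmart"},
}

# Constructed export of the controller's current peer view. The "data" wrapper and
# hyphenated field names are an assumption about the export format, not a
# documented schema. Note the last record: an unknown UUID cloning a real device.
OBSERVED_JSON = """
{"data": [
 {"uuid": "C8K-ABC123", "host-name": "edge-site100-01", "system-ip": "10.1.100.1",
  "site-id": "100", "device-type": "vedge", "reachability": "reachable"},
 {"uuid": "C8K-DEF456", "host-name": "edge-site200-01", "system-ip": "10.1.200.9",
  "site-id": "200", "device-type": "vedge", "reachability": "reachable"},
 {"uuid": "VSMART-0001", "host-name": "vsmart-01", "system-ip": "10.0.0.2",
  "site-id": "1", "device-type": "vsmart", "reachability": "reachable"},
 {"uuid": "C8K-ZZZ999", "host-name": "edge-site100-01", "system-ip": "10.1.100.1",
  "site-id": "100", "device-type": "vedge", "reachability": "reachable"}
]}
"""


@dataclass(frozen=True)
class Peer:
    uuid: str
    host_name: str
    system_ip: str
    site_id: int
    device_type: str


def parse_peers(export: str) -> list:
    """Parse the export into Peer records (site-id arrives as a string)."""
    return [
        Peer(d["uuid"], d["host-name"], d["system-ip"], int(d["site-id"]), d["device-type"])
        for d in json.loads(export)["data"]
    ]


def hunt_rogue_peers(inventory: dict, peers: list) -> dict:
    """Classify observed peers against the inventory.

    rogue:      UUID never provisioned (a peer someone added to the overlay)
    mismatched: known UUID whose system IP or site ID differs from inventory
    duplicated: a system IP claimed by more than one observed UUID
    missing:    provisioned devices the controller no longer reports
    """
    findings = {"rogue": [], "mismatched": [], "duplicated": [], "missing": []}
    seen, ip_claims = set(), {}
    for p in peers:
        seen.add(p.uuid)
        ip_claims.setdefault(p.system_ip, set()).add(p.uuid)
        rec = inventory.get(p.uuid)
        if rec is None:
            findings["rogue"].append(p.uuid)
        elif rec["system_ip"] != p.system_ip or rec["site_id"] != p.site_id:
            findings["mismatched"].append(p.uuid)
    findings["duplicated"] = [ip for ip, owners in ip_claims.items() if len(owners) > 1]
    findings["missing"] = list(set(inventory) - seen)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for category, items in hunt_rogue_peers(INVENTORY, parse_peers(OBSERVED_JSON)).items():
        print(f"{category:>10}: {items or '-'}")
```

Anything in the "rogue" list is a peer the controller trusts that nobody provisioned and should be treated as a potential compromise; a rogue entry whose device type is a controller role (vsmart, vmanage, vbond) is the highest priority. "mismatched" and "duplicated" entries can also be benign (re-addressing, stale records), so reconcile them against change records before escalating.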

Related links

Download the Hunt Guide [PDF, 895 KB]

Cisco Catalyst SD-WAN Vulnerabilities

Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

CVE-2026-20127 | Tenable®

Cisco Catalyst SD-WAN Hardening Guide

Cisco’s Catalyst SD-WAN hardening guidance should be reviewed in full; it includes advice on the following:

  • Network perimeter controls: Ensure control components are behind a firewall, isolate VPN 512 (out-of-band management) interfaces, and use IP blocks (address restrictions) for manually provisioned edge IPs.
  • SD-WAN Manager access: Replace the self-signed certificate for the web user interface.
  • Control and data plane security: Use pairwise keying.
  • Session timeout: Limit to the shortest period practical.
  • Logging: Forward to a remote syslog server, so logs survive if a device is compromised.

More information

The Hunt Guide is being released by the following authoring and co-sealing agencies:

  • United States National Security Agency (NSA)
  • United States Cybersecurity and Infrastructure Security Agency (CISA)
  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
  • Canadian Centre for Cyber Security (Cyber Centre)
  • New Zealand National Cyber Security Centre (NCSC-NZ)
  • United Kingdom National Cyber Security Centre (NCSC-UK)

If you require more information or further support, submit a report on our website: Report an incident

If you need assistance using the tool, call us on 0800 114 115. Calling us is free within New Zealand. We’re open 7am to 7pm, Monday to Friday, and we’re closed on public holidays.