24h | 7d | 30d

CVE-2026-20127

Overview

Cisco
Cisco Catalyst SD-WAN Manager

25 Feb 2026

Published

26 Feb 2026

Updated

CVSS v3.1

CRITICAL (10.0)

EPSS

3.26%

MITRE

KEV

Description

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric. 

Statistics

21 Posts
3 Interactions

Last activity: 2 hours ago

Fediverse

Cisco Talos @TalosSecurity

Cisco Talos is tracking active exploitation of CVE-2026-20127 affecting Cisco Catalyst SD-WAN Controllers. Customers are strongly advised to review our latest threat advisory (https://cs.co/9001hs79z) and follow the published guidance (https://cs.co/9001hs7aL) to protect your environment.

1
2
0
3h ago

:mastodon: decio @decio

Si vous administrez une infrastructure réseau utilisant Cisco Catalyst SD-WAN, une vulnérabilité critique actuellement exploitée sur Internet permet à un attaquant distant sans authentification d’obtenir un accès administrateur au système. Une exploitation réussie peut permettre de modifier la configuration réseau, d’espionner les communications ou de maintenir un accès discret à l’infrastructure.

Les investigations effectuées par Cisco Talos montrent que ces attaques sont menées par un acteur sophistiqué et que des compromissions ont été observées depuis au moins 2023, avec dans certains cas une élévation de privilèges jusqu’au contrôle complet du système après modification de la version logicielle.

Selon Cisco, un système SD-WAN peut être particulièrement exposé si :

le contrôleur SD-WAN est accessible depuis Internet
des ports sont ouverts vers l’extérieur
l’accès n’est pas limité aux adresses IP autorisées

Les éléments suivants peuvent indiquer qu’un système SD-WAN a été compromis :

une nouvelle connexion SD-WAN inconnue
un accès administrateur inattendu
des journaux système effacés ou incomplets
des mises à jour ou rétrogradations non planifiées

Cisco recommande de vérifier certains journaux système pour détecter une compromission éventuelle.

Par exemple, dans le fichier /var/log/auth.log, une connexion SSH au compte vmanage-admin depuis une adresse IP inconnue peut être suspecte :

Accepted publickey for vmanage-admin from -adresse IP inconnue-

Dans ce cas, il faut vérifier que l’adresse IP correspond bien à un équipement SD-WAN autorisé (visible dans l’interface SD-WAN Manager → Devices → System IP).

PRODUITS CONCERNÉS

Cette vulnérabilité affecte :

Cisco Catalyst SD-WAN Controller
Cisco Catalyst SD-WAN Manager

Quel que soit le mode de déploiement :

Déploiement sur site (On-Premise)
Cisco Hosted SD-WAN Cloud
Cisco Hosted SD-WAN Cloud – Cisco Managed
Cisco Hosted SD-WAN Cloud – Environnement FedRAMP

ACTIONS RECOMMANDÉES

Application des mises à jour recommandée dès que possible
Surveillance des connexions et changements inhabituels recommandée
Restreindre l’accès réseau aux seuls équipements autorisés
Conserver les journaux sur un serveur externe si possible
Placer les contrôleurs derrière un firewall

🩹
👇
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

analyse Cisco Talos
👇
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

Détails Vulnérabilité critique CVE-2026-20127
👇
https://cve.circl.lu/vuln/CVE-2026-20127

Investigation conducted by intelligence partners identified that the actor likely escalated to root user via a software version downgrade

👇
https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf

#CyberVeille #cve_2026_20127 #Cisco #vuln

0
0
0
12h ago

TechNadu @technadu

Five Eyes warning: Cisco SD-WAN actively exploited by UAT-8616.
• CVE-2026-20127
• CVE-2022-20775
• Root access & rogue control-plane peering
• Persistence in edge devices
Immediate patching & threat hunting required.

Full details:
https://www.technadu.com/cisco-sd-wan-is-actively-exploited-by-uat-8616-five-eyes-alliance-agencies-issue-warning/621036/

Are you checking for downgrade events?

#InfoSec #Cisco #SDWAN #CISA #ThreatIntel

0
0
0
7h ago

Bluesky

キタきつね @kitafox.bsky.social

脅威アクターは2023年からCisco SD-WANゼロデイ脆弱性を悪用している（CVE-2026-20127） Threat actor leveraged Cisco SD-WAN zero-day since 2023 (CVE-2026-20127) #HelpNetSecurity (Feb 25) www.helpnetsecurity.com/2026/02/25/c...

0
0
0
21h ago

News Analysis @newsanalysis.com

Critical Cisco SD-WAN bug (CVE-2026-20127) exploited in zero-day attacks since 2023. Allows attackers to compromise controllers & add rogue peers. Update immediately! #cybersecurity #Cybersecurity #News

0
0
0
19h ago

Information Security Briefly @infosecbriefly.bsky.social

A maximum-severity authentication bypass vulnerability (CVE-2026-20127, CVSS 10.0) in Cisco Catalyst SD-WAN Controller and Manager has been actively exploited since 2023, allowing unauthenticated attackers to gain administrative privileges.

0
0
0
14h ago

softfantw.bsky.social @softfantw.bsky.social

Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access thehackernews.com/2026/02/cisc...

0
0
0
14h ago

Ninja Owl @ninjaowl.ai

Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access #cybersecurity #hacking #news #infosec #security #technology #privacy thehackernews.com/20...

0
0
0
14h ago

Red Hot Cyber @redhotcyber.bsky.social

Allarme sicurezza: sfruttamento attivo della vulnerabilità Cisco Catalyst SD-WAN 📌 Link all'articolo : www.redhotcyber.com/post/all... #redhotcyber #news #cybersecurity #hacking #ciscotalos #sdwan #vulnerabilita #cve202620127 #sicurezzainformatica

0
0
0
13h ago

ohhara @shiojiri.com

Cisco SD-WANの重大な脆弱性、2023年からゼロデイとして悪用される：CVE-2026-20127 | Codebook｜Security News https://codebook.machinarecord.com/threatreport/silobreaker-cyber-alert/44133/

0
0
0
13h ago

Information Security Briefly @infosecbriefly.bsky.social

Cisco released emergency patches for a critical zero-day vulnerability (CVE-2026-20127) in Catalyst SD-WAN that allows unauthenticated remote attackers to bypass authentication and gain administrative privileges.

0
0
0
11h ago

CyberVeille @cyberveille-ch.bsky.social

📢 Exploitation active de CVE-2026-20127 dans Cisco Catalyst SD‑WAN par l’acteur UAT‑8616 📝 Contexte: Cisco Talos signale une exploitation activ… https://cyberveille.ch/posts/2026-02-26-exploitation-active-de-cve-2026-20127-dans-cisco-catalyst-sd-wan-par-lacteur-uat-8616/ #CVE_2026_20127 #Cyberveille

0
0
0
8h ago

BaseFortify.eu @basefortify.bsky.social

🛡️ Using BaseFortify? Add Cisco Catalyst SD-WAN Manager or Controller as a component and instantly see if you're vulnerable to CVE-2026-20127. Clear risk insight. Practical mitigation guidance. Stay ahead, not reactive. #BaseFortify #VulnerabilityManagement #SMB #CyberDefense

0
0
0
6h ago

BaseFortify.eu @basefortify.bsky.social

🚨 NCSC warns of large-scale exploitation of critical Cisco SD-WAN flaw CVE-2026-20127 (CVSS 10.0). Actively exploited since 2023. Patch immediately. Full breakdown & remediation steps: basefortify.eu/posts/2026/0... #CyberSecurity #Cisco #CVE #ZeroDay

0
0
0
6h ago

Information Security Briefly @infosecbriefly.bsky.social

A critical zero-day vulnerability in Cisco Catalyst SD-WAN (CVE-2026-20127) has been actively exploited since 2023, allowing attackers to compromise controllers and inject malicious peers into networks.

0
0
0
6h ago

guardian360.bsky.social @guardian360.bsky.social

The vulnerability, tracked as CVE-2026-20127 (CVSS score: 10.0), allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on an affected system by sending a crafted request. thehackernews.com/2026/02/ci...

0
0
0
4h ago

CyberHub @cyberhub.blog

📌 CVE-2026-20127 - A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly... https://www.cyberhub.blog/cves/CVE-2026-20127

0
0
0
3h ago

Modat @modat-io.bsky.social

⚠️ CISA added CVE-2026-20127 to its KEV catalog and issued ED 26-03 after active exploitation of Cisco Catalyst SD-WAN. An auth bypass lets unauthenticated attackers gain admin access and manipulate SD-WAN configs. Patch now. Modat Magnify Query: web.html~"Cisco SD-WAN" OR web.html~"Cisco Catalyst"

0
0
0
2h ago

キタきつね @kitafox.bsky.social

CISAが2つの既知の脆弱性をカタログに追加 CISA Adds Two Known Exploited Vulnerabilities to Catalog #CISA (Feb 25) CVE-2022-20775 Cisco Catalyst SD-WAN パストラバーサル脆弱性 CVE-2026-20127 Cisco Catalyst SD-WAN コントローラおよびマネージャの認証バイパスの脆弱性 www.cisa.gov/news-events/...

0
0
0
22h ago

ohhara @shiojiri.com

CVE-2022-20775 Cisco Catalyst SD-WAN Path Traversal Vulnerability CVE-2026-20127 Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability

0
0
0
18h ago

TechNadu @technadu.com

Five Eyes agencies warn: Cisco SD-WAN actively exploited by UAT-8616. CVE-2026-20127 & CVE-2022-20775 enable root access, rogue peering & long-term persistence. Immediate patching and threat hunting advised. Is your SD-WAN environment hardened? #CyberSecurity #Cisco #SDWAN #ThreatIntel #CISA

0
0
0
7h ago

CVE-2022-20775

Overview

Cisco
Cisco Catalyst SD-WAN

30 Sep 2022

Published

26 Feb 2026

Updated

CVSS v3.1

HIGH (7.8)

EPSS

1.04%

MITRE

KEV

Description

A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to gain elevated privileges. This vulnerability is due to improper access controls on commands within the application CLI. An attacker could exploit this vulnerability by running a maliciously crafted command on the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-priv-E6e8tEdF

Statistics

6 Posts
1 Interaction

Last activity: 6 hours ago

Fediverse

cR0w @cR0w

@leb Yep. And they finally updated the one in my original post:

In February 2026, the Cisco PSIRT became aware of attempted exploitation of the vulnerability described in CVE-2022-20775.

0
1
0
23h ago

TechNadu @technadu

Full details:
https://www.technadu.com/cisco-sd-wan-is-actively-exploited-by-uat-8616-five-eyes-alliance-agencies-issue-warning/621036/

Are you checking for downgrade events?

#InfoSec #Cisco #SDWAN #CISA #ThreatIntel

0
0
0
7h ago

Bluesky

BaseFortify.eu @basefortify.bsky.social

🔎 The exploit bypasses authentication, grants admin access, downgrades the system, then escalates to root via CVE-2022-20775 — restoring the original version while keeping full control. Internet-exposed SD-WAN management = highest risk. #NetworkSecurity #ThreatIntel #SDWAN #Infosec

0
0
0
6h ago

キタきつね @kitafox.bsky.social

0
0
0
22h ago

ohhara @shiojiri.com

CVE-2022-20775 Cisco Catalyst SD-WAN Path Traversal Vulnerability CVE-2026-20127 Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability

0
0
0
18h ago

TechNadu @technadu.com

0
0
0
7h ago

CVE-2025-59536

Overview

anthropics
claude-code

03 Oct 2025

Published

03 Oct 2025

Updated

CVSS v4.0

HIGH (8.7)

EPSS

0.10%

MITRE

KEV

Description

Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. This issue is fixed in version 1.0.111.

Statistics

2 Posts
15 Interactions

Last activity: 3 hours ago

Fediverse

Taggart @mttaggart

Anthropic has addressed some of the concerns raised here, but the fact remains that Claude Code will run code in configuration files with minimal visibility to the end user. In this way, it presents similar dangers to VS Code and Cursor.

https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/

9
6
0
3h ago

Bluesky

CyberVeille @cyberveille-ch.bsky.social

📢 Vulnérabilités critiques dans Claude Code : exécution de code et vol de clés API via configurations de dépôt 📝 Selon Che… https://cyberveille.ch/posts/2026-02-26-vulnerabilites-critiques-dans-claude-code-execution-de-code-et-vol-de-cles-api-via-configurations-de-depot/ #CVE_2025_59536 #Cyberveille

0
0
0
10h ago

CVE-2026-2441

Overview

Google
Chrome

13 Feb 2026

Published

26 Feb 2026

Updated

CVSS

Pending

EPSS

0.34%

MITRE

KEV

Description

Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Statistics

2 Posts
10 Interactions

Last activity: 4 hours ago

Fediverse

AkhIL @akhil

Щли недели с публикации данных о CVE-2026-2441, а Яндекс до сих пор не выпустил патч для своего браузера.

2
5
0
4h ago

John Livingston @John_Livingston

Il fallait la trouver celle là !
Utiliser des CSS pour extraire des valeurs (par ex un token de protection contre les CSRF) !

https://www.sitepoint.com/zero-day-css-cve-2026-2441-security-vulnerability/

1
2
0
7h ago

CVE-2025-13942

Overview

Zyxel
EX3510-B0 firmware

24 Feb 2026

Published

26 Feb 2026

Updated

CVSS v3.1

CRITICAL (9.8)

EPSS

0.34%

MITRE

KEV

Description

A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 firmware versions through 5.17(ABUP.15.1)C0 could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests.

Statistics

3 Posts

Last activity: 3 hours ago

Fediverse

Michael I Ransier @thecybermind

NCTAG 5.8: The Zyxel Perimeter Crisis
120,000 targets identified. The Cyber Mind Co™ has released Global Watchtower Manifest (GWM) NCTAG 1.1, detailing a critical Unauthenticated RCE (CVE-2025-13942) in Zyxel devices

https://thecybermind.co/2026/02/25/zyxel-upnp-crisis-cve-2025-13942/
#RCE #Zyxel

https://thecybermind.co/2026/02/25/zyxel-upnp-crisis-cve-2025-13942/?utm_source=mastodon&utm_medium=jetpack_social

0
0
0
23h ago

TechNadu @technadu

Zyxel addresses critical CVE-2025-13942 RCE affecting UPnP in 4G/5G CPEs, DSL/Ethernet, Fiber ONTs, and wireless extenders. Exploitation requires WAN + UPnP enabled; Shadowserver tracks ~120k exposed devices.

Additional post-auth command-injection flaws (CVE-2025-13943, CVE-2026-1459) patched. EOL devices (VMG1312, VMG3312/13, SBG3300/3500) remain unpatched; replacement recommended.

Mitigation recommendations:
• Apply firmware updates immediately
• Disable unnecessary UPnP/WAN access
• Monitor network exposure of legacy devices
• Track patched vs. unpatched CPEs/routers in enterprise inventories

Source: https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-rce-flaw-affecting-over-a-dozen-routers/

How are you prioritizing critical RCE patches for network devices? Comment below and follow for in-depth threat reporting.

#NetworkSecurity #IoTSecurity #PatchManagement #RCE #RouterSecurity #CVE #ThreatIntel #Infosec #ZeroTrust #EnterpriseSecurity

0
0
0
3h ago

Bluesky

TechNadu @technadu.com

Zyxel routers under critical threat: CVE-2025-13942 allows unauthenticated RCE via UPnP if WAN is enabled. Additional post-auth command-injection flaws patched (CVE-2025-13943, CVE-2026-1459). Shadowserver tracks 120k+ exposed devices... #CyberSecurity #NetworkSecurity #RouterVulnerabilities

0
0
0
3h ago

CVE-2026-1459

Overview

Zyxel
VMG3625-T50B firmware

24 Feb 2026

Published

26 Feb 2026

Updated

CVSS v3.1

HIGH (7.2)

EPSS

0.06%

MITRE

KEV

Description

A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.7)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device.

Statistics

3 Posts

Last activity: 3 hours ago

Fediverse

TechNadu @technadu

Additional post-auth command-injection flaws (CVE-2025-13943, CVE-2026-1459) patched. EOL devices (VMG1312, VMG3312/13, SBG3300/3500) remain unpatched; replacement recommended.

Source: https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-rce-flaw-affecting-over-a-dozen-routers/

How are you prioritizing critical RCE patches for network devices? Comment below and follow for in-depth threat reporting.

#NetworkSecurity #IoTSecurity #PatchManagement #RCE #RouterSecurity #CVE #ThreatIntel #Infosec #ZeroTrust #EnterpriseSecurity

0
0
0
3h ago

Bluesky

CyberHub @cyberhub.blog

📌 CVE-2026-1459 - A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel VMG3625-T50B firmware versions throu... https://www.cyberhub.blog/cves/CVE-2026-1459

0
0
0
17h ago

TechNadu @technadu.com

0
0
0
3h ago

CVE-2025-13943

Overview

Zyxel
EX3301-T0 firmware

24 Feb 2026

Published

26 Feb 2026

Updated

CVSS v3.1

HIGH (8.8)

EPSS

0.18%

MITRE

KEV

Description

A post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware versions through 5.50(ABVY.7)C0 could allow an authenticated attacker to execute operating system (OS) commands on an affected device.

Statistics

3 Posts

Last activity: 3 hours ago

Fediverse

TechNadu @technadu

Additional post-auth command-injection flaws (CVE-2025-13943, CVE-2026-1459) patched. EOL devices (VMG1312, VMG3312/13, SBG3300/3500) remain unpatched; replacement recommended.

Source: https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-rce-flaw-affecting-over-a-dozen-routers/

How are you prioritizing critical RCE patches for network devices? Comment below and follow for in-depth threat reporting.

#NetworkSecurity #IoTSecurity #PatchManagement #RCE #RouterSecurity #CVE #ThreatIntel #Infosec #ZeroTrust #EnterpriseSecurity

0
0
0
3h ago

Bluesky

CyberHub @cyberhub.blog

📌 CVE-2025-13943 - A post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware versions through 5.50(ABVY.7)C... https://www.cyberhub.blog/cves/CVE-2025-13943

0
0
0
23h ago

TechNadu @technadu.com

0
0
0
3h ago

CVE-2025-36632

Overview

Tenable
Agent

16 Jun 2025

Published

16 Jun 2025

Updated

CVSS v3.1

HIGH (7.8)

EPSS

0.02%

MITRE

KEV

Description

In Tenable Agent versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could execute code with SYSTEM privilege.

Statistics

1 Post
3 Interactions

Last activity: 1 hour ago

Fediverse

Atredis @atredis

On a recent engagement, we exploited a previously disclosed privilege escalation bug in Tenable's Nessus Agent. No public PoC was available, so we made one; check it out here https://github.com/atredispartners/proof-of-concept/tree/main/cve-2025-36632

3
0
0
1h ago

CVE-2025-40538

Overview

SolarWinds
Serv-U

24 Feb 2026

Published

26 Feb 2026

Updated

CVSS v3.1

CRITICAL (9.1)

EPSS

0.03%

MITRE

KEV

Description

A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.

Statistics

2 Posts

Last activity: 17 hours ago

Fediverse

Raphael @0x3e4

latest SolarWinds CVEs.. all critical lmao.. patch patch patch!

CVE-2025-40538 - Improper Privilege Management
CVE-2025-40539 - Incorrect Type Conversion or Cast
CVE-2025-40540 - Incorrect Type Conversion or Cast
CVE-2025-40541 - Incorrect Type Conversion or Cast & Authorization Bypass Through User-Controlled Key

SolarWinds Serv-U 15.5.3 and prior versions

https://hecate.pw/vulnerabilities?search=vendors%3A%22SolarWinds%22+AND+published%3A%3E%3D2026-02-22&mode=dql

#vulnerability #security #solarwinds

0
0
0
23h ago

Bluesky

セキュリティ対策Lab @securitylab-jp.bsky.social

SolarWinds Serv-Uが4件の重大な脆弱性を修正(CVE-2025-40538 / 40539 / 40540 / 40541) rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security #CybersecurityNews

0
0
0
17h ago

CVE-2019-25444

Overview

Phpscriptsmall
Fiverr Clone Script

20 Feb 2026

Published

20 Feb 2026

Updated

CVSS v4.0

HIGH (8.8)

EPSS

0.07%

MITRE

KEV

Description

Fiverr Clone Script 1.2.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the page parameter. Attackers can supply malicious SQL syntax in the page parameter to extract sensitive database information or modify database contents.

Statistics

1 Post
1 Interaction

Last activity: 12 hours ago

Bluesky

CyberHub @cyberhub.blog

📌 CVE-2019-25444 - Fiverr Clone Script 1.2.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQ... https://www.cyberhub.blog/cves/CVE-2019-25444

0
1
0
12h ago

Showing 1 to 10 of 183 CVEs