Cisco Systems, Inc. is addressing a high-severity zero-day vulnerability in its Catalyst SD-WAN Manager and Controller that allows attackers to gain root access [1, 2, 3].
The flaw is critical because it enables an authentication bypass, allowing unauthorized users to obtain full administrative control over network controllers without a password [4, 5].
Intelligence agencies from the Five Eyes — comprising the U.S., UK, Canada, Australia, and New Zealand — issued an emergency directive ordering the immediate patching of affected systems [5, 6]. This coordinated response follows reports that the vulnerability is being actively exploited in the wild [1, 2, 3].
Cisco has assigned a severity score of 10.0 [4] to one of the authentication-bypass flaws, representing a perfect score on the severity scale. This marks the sixth SD-WAN zero-day disclosed by the company so far in 2026 [4].
There are conflicting reports regarding the specific CVE identifiers associated with the current attacks. BleepingComputer said the exploited zero-day is CVE-2026-20245 [1], while other reports cite CVE-2026-20182 [4] or CVE-2026-20127 [7]. Some data suggests active exploitation of related flaws has been observed since 2023 [7].
The vulnerabilities impact Cisco SD-WAN devices globally [5, 6]. Because the flaws allow for the bypass of security protocols, attackers can move laterally through a network once they gain root access to the controller [1, 4].
“Cisco has assigned a severity score of 10.0 to one of the authentication-bypass flaws.”
The frequency of zero-day vulnerabilities in Cisco's SD-WAN software, totaling six in 2026, suggests a systemic security challenge within the product's architecture. The involvement of the Five Eyes alliance indicates that these flaws are not merely theoretical but are being leveraged by sophisticated actors to target critical infrastructure and government networks. For organizations, this necessitates a shift from periodic updates to a more aggressive, immediate patching posture to prevent total network compromise.
'%2F%3E%0A%20%20%20%20%3Crect%20width%3D'1600'%20height%3D'900'%20fill%3D'url(%23v)'%2F%3E%0A%20%20%20%20%3Cg%20opacity%3D'0.08'%20fill%3D'%23ffffff'%3E%0A%20%20%20%20%20%20%3Ccircle%20cx%3D'1420'%20cy%3D'180'%20r%3D'220'%2F%3E%0A%20%20%20%20%20%20%3Ccircle%20cx%3D'1500'%20cy%3D'760'%20r%3D'120'%2F%3E%0A%20%20%20%20%3C%2Fg%3E%0A%20%20%20%20%3Cline%20x1%3D'80'%20y1%3D'172'%20x2%3D'220'%20y2%3D'172'%20stroke%3D'%23ffffff'%20stroke-width%3D'3'%20stroke-opacity%3D'0.6'%2F%3E%0A%20%20%20%20%3Ctext%20x%3D'80'%20y%3D'140'%20font-family%3D'Inter%2C%20-apple-system%2C%20Helvetica%2C%20sans-serif'%20font-weight%3D'700'%20font-size%3D'28'%20fill%3D'%23ffffff'%20letter-spacing%3D'6'%3EHANNA%20%C2%B7%20NEWS%3C%2Ftext%3E%0A%20%20%20%20%3Ctext%20x%3D'80'%20y%3D'230'%20font-family%3D'Inter%2C%20-apple-system%2C%20Helvetica%2C%20sans-serif'%20font-weight%3D'600'%20font-size%3D'40'%20fill%3D'%23ffffffb3'%20letter-spacing%3D'4'%3ETECH%3C%2Ftext%3E%0A%20%20%20%20%3Ctext%20x%3D'80'%20y%3D'694'%20font-family%3D'Playfair%20Display%2C%20Georgia%2C%20serif'%20font-weight%3D'800'%20font-size%3D'110'%20fill%3D'%23ffffff'%20letter-spacing%3D'-1'%3ETECNO%20Launches%20POVA%208%205G%3C%2Ftext%3E%3Ctext%20x%3D'80'%20y%3D'820'%20font-family%3D'Playfair%20Display%2C%20Georgia%2C%20serif'%20font-weight%3D'800'%20font-size%3D'110'%20fill%3D'%23ffffff'%20letter-spacing%3D'-1'%3EWith%208%2C000mAh%20Battery%3C%2Ftext%3E%0A%20%20%20%20%3Ctext%20x%3D'80'%20y%3D'870'%20font-family%3D'Inter%2C%20-apple-system%2C%20Helvetica%2C%20sans-serif'%20font-weight%3D'500'%20font-size%3D'22'%20fill%3D'%23ffffff66'%20letter-spacing%3D'2'%3Enews.hanna-ai.com%3C%2Ftext%3E%0A%20%20%3C%2Fsvg%3E)
