TTPwire Vol. 1 · MITRE ATT&CK·Tagged

CIS Advisories

Multiple Vulnerabilities in Cisco Catalyst SD-WAN Products Could Allow for Authentication Bypass

2026-02-26

ATT&CK techniques detected

9 predictions
T1190 Exploit Public-Facing Application
96%
“25, 2026. cisa and partners have observed malicious cyber actors targeting and compromising cisco sd - wan systems of organizations, globally. these actors have also been observed exploiting a previously undisclosed authentication bypass vulnerability, cve - 2026 - 20127, for ini…”
T1190 Exploit Public-Facing Application
95%
“catalyst sd - wan manager 20. 16 ( eol ) - cisco catalyst sd - wan manager 20. 18 versions prior to 20. 18. 2. 1 - cisco catalyst sd - wan 20. 9 versions prior to 20. 9. 8. 2 ( estimated release february 27, 2026 ) - cisco catalyst sd - wan 20. 11 ( eol ) - cisco catalyst sd - wa…”
T1068 Exploitation for Privilege Escalation
95%
“##e - 2026 - 20133 ) - a vulnerability in the api of cisco catalyst sd - wan manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. to exploit this vulnerability, the attacker must have valid read - only credentials with api a…”
T1190 Exploit Public-Facing Application
87%
“t1190 ) : - a vulnerability in the peering authentication in cisco catalyst sd - wan controller, formerly sd - wan vsmart, and cisco catalyst sd - wan manager, formerly sd - wan vmanage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administr…”
T1068 Exploitation for Privilege Escalation
87%
“are sent to the api. an attacker could exploit this vulnerability by sending a crafted request to the api of an affected system. a successful exploit could allow the attacker to execute commands with the privileges of the netadmin role. ( cve - 2026 - 20129 ) - a vulnerability in…”
T1078.001 Default Accounts
65%
“account management ) - safeguard 4. 7 : manage default accounts on enterprise assets and software : manage default accounts on enterprise assets and software, such as root, administrator, and other pre - configured vendor accounts. example implementations can include : disabling …”
T1190 Exploit Public-Facing Application
64%
“filesystem as a low - privileged user and reading the file that contains the dca password from that affected system. a successful exploit could allow the attacker to access another affected system and gain dca user privileges. ( cve - 2026 - 20128 ) successful exploitation of the…”
T1190 Exploit Public-Facing Application
56%
“multiple vulnerabilities in cisco catalyst sd - wan products could allow for authentication bypass multiple vulnerabilities in cisco catalyst sd - wan products could allow for authentication bypass ms - isac advisory number : 2026 - 016date ( s ) issued : 02 / 26 / 2026overview :…”
T1190 Exploit Public-Facing Application
33%
“are sent to the api. an attacker could exploit this vulnerability by sending a crafted request to the api of an affected system. a successful exploit could allow the attacker to execute commands with the privileges of the netadmin role. ( cve - 2026 - 20129 ) - a vulnerability in…”

Summary

Multiple vulnerabilities have been discovered in Cisco Catalyst SD-WAN products, the most severe of which could allow for authentication bypass. Cisco Catalyst SD-WAN (formerly Viptela) is a secure, cloud-delivered software-defined WAN architecture that optimizes application performance by intelligently routing traffic over any combination of transport links (MPLS, broadband, LTE). Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.