CVE-2026-20129
Published: 25 February 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-20129 is a high-severity authentication bypass vulnerability (CWE-287) in the API user authentication mechanism of Cisco Catalyst SD-WAN Manager. Published on 2026-02-25, it stems from improper authentication handling for API requests, enabling an unauthenticated remote attacker to gain unauthorized access to affected systems. The issue affects Cisco Catalyst SD-WAN Manager releases prior to version 20.18.
An unauthenticated, remote attacker can exploit this vulnerability by sending a crafted request to the API endpoint of an affected system. Successful exploitation grants the attacker access equivalent to a user with the netadmin role, allowing them to execute arbitrary commands with those elevated privileges. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical impact with high confidentiality, integrity, and availability consequences.
Cisco's security advisory notes that Catalyst SD-WAN Manager releases 20.18 and later are not affected and recommends upgrading to a patched version as mitigation. Additional details are available in the official advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing API endpoint, directly enabling exploitation of a public-facing application to gain unauthorized elevated (netadmin) access and execute arbitrary commands.