IT-DRAFTS
February 26, 2026

Your SD-WAN May Already Be Targeted: A Critical Cisco Vulnerability Explained

I do not usually write about Cisco. It is not my typical focus, and there is no particular hobby-horse here.

But today is one of those days. When a core enterprise networking platform is being actively exploited in the wild, it stops being “just another vendor advisory” and becomes a matter of operational reality. If your infrastructure depends on SD-WAN, this is not background noise — it is a live risk.

So yes, today we are talking about Cisco. And not in abstract terms, but in practical ones.

Brief Overview (straight to the point)

This is an official warning from CERT-FR regarding a critical, actively exploited vulnerability in Cisco Catalyst SD-WAN, a networking platform widely used to establish secure connectivity between branches and remote sites over the internet.

The vulnerability is actively being exploited in the wild. This is not a theoretical issue — both Cisco and the French CERT confirm real-world attacks.

What the advisory states

Affected Product

Cisco Catalyst SD-WAN, in the following version ranges:

  • 20.12.5.x prior to 20.12.5.3

  • 20.12.6.x prior to 20.12.6.1

  • 20.15.x prior to 20.15.4.2

  • 20.18.x prior to 20.18.2.1

  • Older releases prior to 20.9.8.2

Some versions are end-of-life and no longer supported, meaning no patches will be issued for them. CERT recommends upgrading to a supported branch.
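To turn the version list above into something an operations team can run against its own inventory, here is a small triage script. It is an added example for this post, not code from Cisco or from the CERT-FR advisory. It encodes exactly the ranges listed above (a branch prefix plus the first fixed release on that branch, and the catch-all "older releases prior to 20.9.8.2"). Anything at or above 20.9.8.2 that is not on one of the named branches is reported as "not-listed", because this summary does not state its status; those devices should be checked against Cisco's own advisory. The hostnames and versions in `SAMPLE_INVENTORY` are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a dotted release string such as "20.12.5.2" into a comparable tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class AffectedRange:
    prefix: tuple[int, ...]    # the branch this rule covers; empty prefix = any release
    fixed_in: tuple[int, ...]  # first fixed release; everything below it on the branch is affected


# The ranges exactly as listed in the advisory summary above.
AFFECTED = (
    AffectedRange((20, 12, 5), (20, 12, 5, 3)),
    AffectedRange((20, 12, 6), (20, 12, 6, 1)),
    AffectedRange((20, 15), (20, 15, 4, 2)),
    AffectedRange((20, 18), (20, 18, 2, 1)),
    AffectedRange((), (20, 9, 8, 2)),  # "older releases prior to 20.9.8.2"
)


def assess(version: str) -> str:
    """Classify one release against the listed ranges.

    Returns "affected", "fixed" (at or above the first fixed release of a listed
    branch) or "not-listed" (a release the summary does not cover either way).
    """
    v = parse_version(version)
    # Branch-specific rules first: a release on a named branch is either below
    # or at/above that branch's fix.
    for r in AFFECTED:
        if r.prefix and v[: len(r.prefix)] == r.prefix:
            return "affected" if v < r.fixed_in else "fixed"
    # Catch-all rule: anything older than 20.9.8.2 is affected regardless of branch.
    oldest_fix = next(r.fixed_in for r in AFFECTED if not r.prefix)
    if v < oldest_fix:
        return "affected"
    return "not-listed"


def triage(inventory: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (host, version, status) for every device not on a fixed release.

    Affected devices come first, then the ones needing a manual check, each group
    sorted by hostname so the output is stable for ticketing.
    """
    order = {"affected": 0, "not-listed": 1}
    rows = [(host, ver, assess(ver)) for host, ver in inventory.items()]
    return sorted(
        (r for r in rows if r[2] != "fixed"),
        key=lambda r: (order[r[2]], r[0]),
    )


# Constructed sample inventory (hypothetical hostnames and versions, not real devices).
SAMPLE_INVENTORY = {
    "vmanage-hq": "20.12.5.2",
    "vbond-dc1": "20.15.4.2",
    "vsmart-dc1": "20.18.1.0",
    "cedge-branch-07": "20.9.7.1",
    "cedge-branch-12": "20.10.1.0",
}


if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{status:<11} {host:<18} {ver}")
```

In practice the inventory dictionary would be filled from whatever source of truth the team already has (a CMDB export or a controller inventory dump); the comparison logic is the part worth getting right, since a plain string comparison would rank "20.9.8.2" above "20.12.5.2".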

Nature of the Threat

The vulnerability allows an attacker to bypass built-in security mechanisms. In practical terms, this may allow:

  • Circumventing enforced security policies

  • Gaining unauthorised access

  • Manipulating SD-WAN behaviour beyond intended controls

Both Cisco and CERT confirm active exploitation, meaning organisations running vulnerable versions are at real operational risk.

This is not a minor configuration flaw — it directly affects network security controls.

Recommended Actions

  1. Update immediately to the fixed versions released by Cisco.

  2. Migrate away from unsupported versions, as they will remain permanently vulnerable.

  3. Review logs and system activity for indicators of compromise, including:

    • Suspicious peer connection events

    • Unknown SSH keys associated with administrative accounts

    • Unexpected software version changes or rollbacks

    • Missing or tampered log entries

  4. Cross-check Cisco’s official security advisory and hunt guidance for detection details.

Conclusion

This is a confirmed, actively exploited vulnerability affecting a core enterprise networking platform. Organisations operating Cisco Catalyst SD-WAN should treat this as a priority security matter.

Failure to update and investigate may lead to full infrastructure compromise.

If required, I can also provide a deeper technical explanation of the associated CVE (CVE-2026-20127) and describe how the vulnerability functions within SD-WAN architecture.
