CVE-2026-20129
Published: 25 February 2026
Summary
CVE-2026-20129 is a critical-severity Improper Authentication (CWE-287) vulnerability in Cisco Catalyst SD-WAN Manager. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 22.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- Requires identification and authentication of organizational users for API access, directly addressing the improper authentication mechanism exploited in this CVE.
- Prohibits and monitors actions without identification or authentication, preventing unauthenticated attackers from gaining netadmin access via crafted API requests.
- Mandates timely flaw remediation through patching to Cisco Catalyst SD-WAN Manager 20.18 or later, eliminating the authentication bypass vulnerability.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability is an authentication bypass in a public-facing API endpoint, directly enabling exploitation of a public-facing application to gain unauthorized elevated (netadmin) access and execute arbitrary commands.
NVD Description
A vulnerability in the API user authentication of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain access to an affected system as a user who has the netadmin role. The vulnerability is due to improper authentication for requests that are sent to the API. An attacker could exploit this vulnerability by sending a crafted request to the API of an affected system. A successful exploit could allow the attacker to execute commands with the privileges of the netadmin role. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.
Deeper analysis (AI)
CVE-2026-20129 is a critical-severity authentication bypass vulnerability (CWE-287) in the API user authentication mechanism of Cisco Catalyst SD-WAN Manager. Published on 2026-02-25, it stems from improper authentication handling for API requests, enabling an unauthenticated remote attacker to gain unauthorized access to affected systems. The issue affects Cisco Catalyst SD-WAN Manager releases prior to version 20.18.
An unauthenticated, remote attacker can exploit this vulnerability by sending a crafted request to the API endpoint of an affected system. Successful exploitation grants the attacker access equivalent to a user with the netadmin role, allowing them to execute arbitrary commands with those elevated privileges. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical impact with high confidentiality, integrity, and availability consequences.
Cisco's security advisory notes that Catalyst SD-WAN Manager releases 20.18 and later are not affected, recommending upgrade to a patched version for mitigation. Additional details are available in the official advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v.
Details
- CWE(s)