Cisco confirms 10/10 zero day vulnerability.NurPhoto via Getty ImagesUpdated February 28 with further advice from cybersecurity professionals regarding the 10/10 Cisco zero-day vulnerability and emergency update, including methods used by attackers to exploit this critical security issue.A zero-day security vulnerability is being exploited in ongoing attacks, posing a “significant cyber threat targeting federal networks utilizing certain Cisco systems and software,” according to U.S. Cybersecurity and Infrastructure Security Agency. Here’s what all enterprises need to know about CVE-2026-20127, that impacts users of the Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, that can allow a remote hacker to bypass authentication and obtain admin privileges. ForbesGoogle Chrome’s Security Update Decision—New Browser Danger ConfirmedBy Davey WinderCisco Authentication Bypass Vulnerability Confirmed, Immediate Action RequiredWhen Cisco confirms a zero-day vulnerability with a Common Vulnerability Scoring System severity rating of 10, you need to sit up and pay attention. With attacks already known to be underway, as the CISA issues an emergency directive and warns that immediate action is required, you know this is serious, to say the least.“CISA’s guidance is a clear signal that adversaries are aiming for the control plane, not just individual endpoints,” Nick Tausek, lead security automation architect at Swimlane said. “The vulnerability being discussed allows an attacker to reach sensitive management functions without going through normal access checks.” And what makes this especially critical is, Task continued, “how quickly a compromised management path can translate into broad influence over how sites connect, which routes are preferred, and what policies are enforced across networks.”It only seems like a minute since I reported on a Cisco zero-day exploit, which, at the time, had no fix available. Luckily, this time around, there is one, and I recommend you apply it as quickly as your risk assessments allow. As, indeed, does CISA, more of which in a moment. But first, here is what Cisco itself has to say about CVE-2026-20127: “This vulnerability exists because the peering authentication mechanism in an affected system is not working properly.” Erm, a popular saying involving a fictional pipe-smoking British detective and bodily functions springs to mind, but let’s continue. “A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account.” Yep, it’s that serious. All that is required is for the attacker to send malicious requests to any system at risk. “Using this account, the attacker could access NETCONF,” Cisco has confirmed, “which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”As for actual attack methods, Yagub Rahimov, CEO of Polygraph AI, explained how the critical vulnerability has already been exploited. “After gaining initial access through the authentication bypass, the attacker deliberately downgraded the software to re-expose CVE-2022-20775.” This is a 2022 path traversal flaw that, in isolation, required authenticated access and carried moderate risk. “Chaining it with an authentication bypass makes it into something different: a path to persistent root access across the entire SD-WAN fabric.” And it is that transformation, for want of a better word, that is the sophisticated part, yes a real one this time, of this attack. The threat actors didn’t just find a vulnerability, “they mapped the target's patch history, identified a flaw whose risk profile changes entirely when authentication is removed from the equation, and built a multi-stage campaign around that insight,” Rahimov said. “This isn't random exploitation. It's deliberate infrastructure targeting,” and the blast radius only compounds this. “SD-WAN controllers manage your entire network fabric,” Rahimov warned, “. NETCONF access means an attacker isn't just on a device - they're manipulating routing, segmentation, and configuration across the whole environment. Root-level access through the privilege escalation chain then gives the attacker OS-level control over the device itself, which is why external logging is as urgent as the patch; an attacker operating at that level can tamper with whatever evidence remains on-device.”“CVE-2026-20127 is one of the most serious vulnerabilities that have been discovered recently,” Natalie Page, head of threat intelligence at Talion, said, “and it’s concerning it has gone completely unnoticed by Cisco for so many years, especially given that threat actors have already been actively exploiting the flaw.” Ah yes, I forgot to mention that this vulnerability has, according to Cisco itself, been exploited by attackers since at least 2023.“Organizations must act today,” Page continued. “They should conduct threat hunting to understand if attackers have already exploited the vulnerability within their own environments and they should follow Cisco's hardening guide.” System admins should also audit /var/log/auth.log for any entries containing "Accepted public key for vmanage-admin" that are from unknown IP addresses.ForbesNew AI Data Leaks—More Than 1 Billion IDs And Photos ExposedBy Davey WinderCISA Issues Emergency Directive To Secure Cisco SystemsMeanwhile, as mentioned earlier, CISA has issued an emergency directive in response to the Cisco zero-day. The February 25 directive is aimed at all organizations with Cisco Software-Defined Wide-Area Networking systems, including the Federal Civilian Executive Branch agencies that just respond within mandatory timeframes, as the exploitation of CVE-2026-20127 is confirmed.“CISA and partners have observed malicious cyber actors targeting and compromising Cisco SD-WAN systems of organizations, globally,” the directive stated. These attacks have enabled the hackers to establish long-term persistence in those systems.The highly unusual “Immediate Action Required” statement from CISA is, therefore, understandable in the circumstances and should not be ignored. CISA has recommended that all network defenders do the following:Ensure control components are behind a firewall, isolate virtual private network512 interfaces, and use Internet Protocol blocks for manually provisioned edge IPs.Replace the self-signed certificate for the web user interface.Use pairwise keys.Limit session timeouts to the shortest period possible.Forward logs to a remote syslog server.“The exploitation of a CVSS 10.0 pre-authentication RCE in Cisco Systems SD-WAN should be setting off serious alarms,” Sylvain Cortes, vice president of strategy at Hackuity, told me. “This is not a routine patching issue; it’s a direct route to administrative control of core network infrastructure and, potentially, full network compromise.” So, what are you waiting for? Start taking steps to combat these attacks now. “With confirmed active exploitation,” Cortes concluded, “it’s reasonable to assume both opportunistic scanning and targeted attacks are already in play.”“Patch immediately to available versions.” That’s the sage advice from Yagub Rahimov, whose attack methodology explanation I quoted earlier. “Audit software versions across your entire fabric, not just recent deployments,” Rahimov continued, as “the downgrade technique makes version consistency a security requirement.” And don’t forget, as Rahimov has already said, if external logging isn't already in place, treat it as equal priority to the patch itself.Cisco has confirmed that it has released software updates that address CVE-2026-20127, and there are “no workarounds that address this vulnerability.”