Five Eyes Issue Emergency Alert Over Cisco SD-WAN Critical Vulnerability Rated CVSS 10.0
CISA, the UK's NCSC, and intelligence agencies from Australia, Canada, and New Zealand issue a coordinated emergency alert for CVE-2026-20127 — a maximum-severity authentication bypass in Cisco Catalyst SD-WAN affecting government and enterprise networks worldwide.
Intelligence agencies from all five Five Eyes nations — the United States (CISA), United Kingdom (NCSC), Australia (ACSC), Canada (CCCS), and New Zealand (NCSC-NZ) — issued a coordinated emergency alert on February 25-26 for CVE-2026-20127, a maximum-severity authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and SD-WAN Manager carrying the highest possible CVSS score of 10.0.
Vulnerability Details
CVE-2026-20127 is an improper authentication vulnerability that allows an unauthenticated remote attacker to bypass the authentication mechanism entirely and gain administrative-level privileges on affected Cisco Catalyst SD-WAN Controller and SD-WAN Manager appliances. The flaw requires no credentials and no user interaction, and it can be exploited remotely over the network — meeting all the criteria for the maximum CVSS score. Once administrative access is obtained, attackers have been observed downgrading the software to versions vulnerable to CVE-2022-20775, a known privilege escalation flaw that provides root-level access to the underlying operating system.
Active Exploitation
The Five Eyes alert confirms that the vulnerability is under active exploitation, with evidence suggesting that state-sponsored actors have been using it to compromise government and critical infrastructure networks. The coordinated nature of the alert — involving all five intelligence agencies simultaneously — indicates that the exploitation is considered a significant national security threat, not merely a routine vulnerability disclosure.
Emergency Response Requirements
CISA issued Emergency Directive 26-03, requiring all U.S. federal agencies to inventory affected systems, collect forensic artifacts, and apply patches by 17:00 ET on February 27 — a 48-hour remediation window that reflects the severity of the threat. For non-federal organizations, CISA strongly recommends immediate patching and forensic review of any SD-WAN infrastructure that may have been exposed. Organizations that cannot patch immediately should restrict management interface access to trusted networks only and monitor for indicators of compromise published in the advisory.
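The software downgrade described under Vulnerability Details shows up in any version history as a device whose version moves backwards, which a forensic review can check for. The Python below is an added example, not code from the advisory or from Cisco; the record layout, device names and version numbers are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample of software-version change records, as might be exported
# from an inventory or change-management system (assumed layout:
# timestamp,device,version). Records are deliberately out of order.
SAMPLE_EVENTS = """\
2026-02-24T03:00:00Z,manager-01,3.10.0
2026-02-20T08:00:00Z,manager-01,3.10.0
2026-02-24T02:14:00Z,manager-01,3.9.5
2026-02-21T10:00:00Z,controller-01,3.10.0
2026-02-23T10:00:00Z,controller-01,3.10.1
"""


def parse_version(text, width=4):
    """Convert '3.10.0' to (3, 10, 0, 0) so comparison is numeric, not lexical."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    return tuple(nums + [0] * (width - len(nums)))


def find_downgrades(raw):
    """Return (device, time, previous_version, new_version) for each downgrade."""
    events = []
    for line in raw.strip().splitlines():
        ts, device, version = (field.strip() for field in line.split(","))
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, device, version))
    events.sort(key=lambda e: e[0])  # exports are not guaranteed chronological

    last_seen = {}  # device -> most recent version observed
    findings = []
    for when, device, version in events:
        prev = last_seen.get(device)
        if prev is not None and parse_version(version) < parse_version(prev):
            findings.append((device, when.isoformat(), prev, version))
        last_seen[device] = version
    return findings


if __name__ == "__main__":
    for device, when, old, new in find_downgrades(SAMPLE_EVENTS):
        print(f"{when} {device}: version went from {old} to {new}")
```

A later return to the original version does not clear the finding: a downgrade followed shortly by a restore, as in the constructed sample, is still reported.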