CVE-2026-20129 Overview
CVE-2026-20129 is an authentication bypass vulnerability in the API of Cisco Catalyst SD-WAN Manager. The flaw allows an unauthenticated, remote attacker to gain access to an affected system with the privileges of a netadmin user. Exploitation requires only a crafted request sent to the API over the network, with no user interaction and no prior credentials.
A successful attack grants administrative control over the SD-WAN Manager, which orchestrates routing, policy, and configuration across the entire managed SD-WAN fabric. Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected. The weakness is classified under CWE-287: Improper Authentication.
Critical Impact
Unauthenticated remote attackers can submit API requests that are processed with netadmin privileges, taking full administrative control of the SD-WAN management plane.
Affected Products
- Cisco Catalyst SD-WAN Manager releases prior to 20.18 (for example, the 20.12.x train up to and including 20.12.6)
- Any such deployment whose API endpoints are reachable by network clients is exposed; reachability of the API is the only precondition for exploitation
Discovery Timeline
- 2026-02-25 - CVE-2026-20129 published to NVD
- 2026-03-04 - Last updated in NVD database
Technical Details for CVE-2026-20129
Vulnerability Analysis
The vulnerability resides in the API user authentication logic of Cisco Catalyst SD-WAN Manager. Requests submitted to the API are not properly authenticated before being processed. An attacker who reaches the API over the network can submit a crafted request and have it executed in the context of an account holding the netadmin role.
The netadmin role in Catalyst SD-WAN Manager carries the highest administrative privileges. It can manage device templates, push configurations, modify routing policy, manage users, and execute operational commands across the SD-WAN overlay. Compromise of this role effectively compromises the entire managed fabric.
The issue is fully addressed in Cisco Catalyst SD-WAN Manager release 20.18 and later. Earlier supported trains, including the 20.12.x branch up to 20.12.6, remain vulnerable until a fixed release is installed.
Root Cause
The root cause is improper authentication enforcement on the API request handling path. The system processes certain API requests without validating that the caller is an authenticated principal bound to a session and role. This logic gap allows a request to be associated with netadmin privileges without any credential check.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request to the SD-WAN Manager API endpoint. The Manager processes the request as if it originated from a privileged authenticated session and returns results or executes the requested operation with netadmin privileges.
No public proof-of-concept is referenced here, so the vulnerability is described in prose only. See the Cisco Security Advisory for vendor details.
Detection Methods for CVE-2026-20129
Indicators of Compromise
- Unexpected API requests to SD-WAN Manager endpoints from IP addresses outside the documented management network.
- API audit log entries showing netadmin actions without a corresponding interactive login or session establishment event.
- New or modified device templates, policies, or user accounts created outside change-control windows.
- Configuration pushes or operational commands originating from sessions with missing or anomalous authentication metadata.
Detection Strategies
- Correlate Catalyst SD-WAN Manager authentication logs with API access logs to identify privileged actions lacking a matching login event.
- Alert on any API call invoking administrative functions from source IPs that have not previously interacted with the management plane.
- Monitor for sudden bursts of API requests targeting authentication, user management, or template endpoints.
Monitoring Recommendations
- Forward Catalyst SD-WAN Manager API and audit logs to a centralized SIEM or data lake for long-term retention and correlation.
- Track all netadmin role usage and alert on activity outside approved operator accounts and maintenance windows.
- Inspect network flow telemetry for inbound connections to SD-WAN Manager management ports from untrusted segments.
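The three detection strategies and the source-network check in the monitoring recommendations above can be implemented as a small correlation pass over exported logs. The script below is an added example written for this page; it is not Cisco code and does not parse the real Catalyst SD-WAN Manager log format. It uses a constructed, hypothetical key=value layout, constructed sample events (both streams embedded inline), and assumed API path prefixes such as /dataservice/admin/ and /dataservice/template/ as the "sensitive" endpoints; map those to the field names and paths your SIEM actually receives. It flags netadmin API calls with no preceding login for their session, calls from outside the management CIDRs, and bursts of calls to sensitive endpoints from a single source.

```python
"""Correlate SD-WAN Manager auth and API logs (constructed sample data, hypothetical format)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in an invented key=value layout (NOT vendor log output).
AUTH_LOG = """\
ts=2026-03-01T09:00:00Z event=login_success user=ops1 session=s-100 src=10.10.0.5
ts=2026-03-01T09:05:00Z event=login_success user=ops2 session=s-101 src=10.10.0.6
"""

API_LOG = """\
ts=2026-03-01T09:01:10Z src=10.10.0.5 user=ops1 role=netadmin session=s-100 method=GET path=/dataservice/device
ts=2026-03-01T09:06:00Z src=10.10.0.6 user=ops2 role=netadmin session=s-101 method=POST path=/dataservice/template/device
ts=2026-03-01T11:20:00Z src=203.0.113.40 user=admin role=netadmin session=- method=POST path=/dataservice/admin/user
ts=2026-03-01T11:20:01Z src=203.0.113.40 user=admin role=netadmin session=- method=POST path=/dataservice/admin/user
ts=2026-03-01T11:20:02Z src=203.0.113.40 user=admin role=netadmin session=- method=PUT path=/dataservice/template/policy
ts=2026-03-01T11:20:03Z src=203.0.113.40 user=admin role=netadmin session=s-999 method=GET path=/dataservice/device
ts=2026-03-01T11:20:04Z src=203.0.113.40 user=admin role=netadmin session=s-999 method=POST path=/dataservice/template/device
"""

# Assumed path prefixes for user-management and template endpoints (illustrative only).
SENSITIVE_PREFIXES = ("/dataservice/admin/", "/dataservice/template/")


def parse(log: str) -> list[dict]:
    """Parse the hypothetical key=value lines into dicts with a datetime 'ts' field."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = dict(field.split("=", 1) for field in line.split())
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def privileged_without_login(auth_log: str, api_log: str) -> list[dict]:
    """Strategy 1: netadmin API calls whose session was never issued by a login event
    that precedes the call (missing session id, or an id no login_success created)."""
    logins = {r["session"]: r for r in parse(auth_log) if r["event"] == "login_success"}
    hits = []
    for r in parse(api_log):
        if r["role"] != "netadmin":
            continue
        login = logins.get(r["session"])
        if login is None or login["ts"] > r["ts"]:
            hits.append(r)
    return hits


def outside_management_network(api_log: str, mgmt_cidrs: list[str]) -> list[dict]:
    """Strategy 2 / monitoring: API calls whose source address is not in any management CIDR."""
    nets = [ipaddress.ip_network(c) for c in mgmt_cidrs]
    return [r for r in parse(api_log)
            if not any(ipaddress.ip_address(r["src"]) in n for n in nets)]


def burst_sources(api_log: str, window: timedelta, threshold: int) -> dict[str, int]:
    """Strategy 3: sources that hit sensitive endpoints at least `threshold` times
    within any sliding window of length `window`; returns the peak count per source."""
    by_src = defaultdict(list)
    for r in parse(api_log):
        if r["path"].startswith(SENSITIVE_PREFIXES):
            by_src[r["src"]].append(r["ts"])
    peaks = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            peaks[src] = best
    return peaks


if __name__ == "__main__":
    for r in privileged_without_login(AUTH_LOG, API_LOG):
        print("netadmin call without login:", r["ts"], r["src"], r["method"], r["path"])
    for r in outside_management_network(API_LOG, ["10.10.0.0/24"]):
        print("call from outside management network:", r["ts"], r["src"], r["path"])
    for src, n in burst_sources(API_LOG, timedelta(seconds=5), 3).items():
        print(f"burst: {src} made {n} sensitive calls within 5s")
```

On the constructed data, all five calls from 203.0.113.40 trip the first two checks (two carry no session id at all, two reference a session no login ever created, and none come from the management CIDR), and the same source shows four sensitive-endpoint calls inside a five-second window. In a real deployment, feed both streams from the SIEM export, keep the session-to-login map keyed on whatever session identifier the Manager emits, and treat a netadmin action with no matching login as the highest-priority alert, since that is exactly the shape an authentication bypass leaves behind.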
How to Mitigate CVE-2026-20129
Immediate Actions Required
- Upgrade Cisco Catalyst SD-WAN Manager to release 20.18 or later, which is not affected by this vulnerability.
- Restrict network reachability of the SD-WAN Manager API to a dedicated management network and trusted jump hosts only.
- Audit existing netadmin accounts and recent administrative actions for any unauthorized changes prior to patching.
- Rotate credentials and API tokens for all administrative users after upgrading.
Patch Information
Cisco has identified release 20.18 and later as not affected by CVE-2026-20129. Customers running earlier trains, including 20.12.6 and other prior versions, should review the Cisco Security Advisory cisco-sa-sdwan-authbp-qwCX8D4v for the fixed releases applicable to their deployment train and upgrade accordingly.
Workarounds
- No vendor-documented workaround eliminates the vulnerability; upgrading is the only complete remediation.
- Apply strict access control lists so that only authorized management hosts can reach the SD-WAN Manager API.
- Place the SD-WAN Manager behind a VPN or zero-trust access broker that enforces strong authentication before any API connectivity.
- Enable verbose API audit logging and review logs continuously until the upgrade is complete.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.