Check out the analysis by @cryptocat.me for CVE-2026-20127 in Cisco SD WAN. That other PoC posted last week exploits a totally different bug that doesn't match the reported IOCs (some kind of file upload due to path traversal in vManage maybe). We asses with high confidence this is CVE-2026-20127 π₯
Stephen Fewer
π¨ CVE-2026-20127: Cisco SD-WAN authentication bypass. An unauthenticated attacker can inject SSH keys without crypto verification via a flawed state machine. Active exploitation by UAT-8616 since 2023 π
Check out the full @rapid7.com analysis π
attackerkb.com/topics/bP3FM...
## Overview On 25th February 2026, Cisco published an advisory for CVE-2026-20127, a critical authentication bypass vulnerability in the vdaemon service of Cisβ¦
