I was at a partner dinner last month. Great steak, decent wine, the usual vendor-funded thing where everyone pretends we’re friends and not locked in a commercial relationship. The Cisco rep at the table was talking about the company’s security portfolio. Zero trust. Secure access. The works. Nice slides. Big vision.

Here’s what nobody brought up: at that exact moment, a nation-state threat actor was actively exploiting a perfect 10.0 CVSS vulnerability in Cisco’s own SD-WAN Controller and Manager platforms. Not theoretically. Not in a lab. In production. In the networks that Cisco partners manage for their customers.

Let that sit for a second.

What actually happened

On February 25, Cisco quietly dropped a security advisory for CVE-2026-20127. An authentication bypass. Remote. Unauthenticated. A CVSS score of 10.0 out of 10.0, which is the vulnerability equivalent of “the building is on fire and there are no exits.”

An attacker can send crafted requests to an affected system and log in as a high-privileged user. No credentials needed. No social engineering required. No phishing. Just send the request and you’re in. Once inside, the attacker can modify network configurations across the entire SD-WAN fabric.

CISA responded with Emergency Directive 26-03, ordering all federal agencies to immediately identify and patch their SD-WAN systems. The Australian Cyber Security Centre released a joint threat hunting guide co-authored by intelligence agencies from five countries. Five countries. For one Cisco bug.

Cisco’s own Talos team attributed the attacks to a group they’re calling UAT-8616, described with “high confidence” as a highly sophisticated cyber threat actor. Then, on March 5, Cisco confirmed that two more SD-WAN Manager vulnerabilities (CVE-2026-20122 and CVE-2026-20128) are also being exploited in the wild. Three vulnerabilities. One platform. Active exploitation.

Ryan Dewhurst at watchTowr told The Hacker News the activity spiked on March 4, with attacks spread globally and concentrated in U.S.-based targets. His advice was blunt: “any exposed system should be considered compromised until proven otherwise.”

Where partners come in (and get left out)

Here’s what bothers me. Not the vulnerability itself. Software has bugs. Bad things happen. I get it.

What bothers me is the communication chain. Cisco’s advisory went out on February 25. Five Eyes intelligence agencies scrambled. CISA issued an emergency directive. Talos published a full attribution report. Security researchers were on Twitter sounding alarms by February 26.

Now think about the average Cisco partner. The one running a 50-person shop. Managing SD-WAN for a dozen mid-market customers. When did they find out? Through what channel? Was it their Cisco partner account manager calling them at 7 AM saying “patch everything right now”? Or was it a newsletter they read three days later between sales calls?

I’ve talked to six partners in the last week. None of them heard about it directly from Cisco before they read it somewhere else. Every single one found out from a trade pub, a security blog, or a peer forwarding a link. One of them manages SD-WAN for a regional hospital system.

I’m not saying Cisco didn’t send an email. They probably did. I’m saying the disconnect between “CISA emergency directive involving nation-state exploitation of your platform” and “here’s a standard security advisory email” is the kind of gap that gets people hurt.

The part nobody wants to talk about

There’s no workaround for CVE-2026-20127. Cisco says so explicitly. The only option is patching. And some of the fixed releases were not expected until February 27, two days after disclosure, with others still rolling out after that.

So for a window of at least 48 hours, and likely longer for partners who didn’t immediately see the advisory, affected systems were exposed with no mitigation path. During active nation-state exploitation.

If you’re a partner who bills yourself as a managed security provider and you’re running Cisco SD-WAN for customers, you need to answer a question right now: can you confirm, today, that every one of your customer environments is patched? Not “probably.” Not “we have it on the list.” Confirmed, verified, documented.

Because your customers are going to ask. And if the answer is “I think so,” that’s not going to be good enough when the breach disclosure hits.

What I’d actually do

Patch. Obviously. But beyond that:

Check every SD-WAN Manager and Controller against the indicators of compromise Talos published. Not tomorrow. Today. If anything matches, patching alone doesn’t evict whoever is already inside: treat the device as compromised, preserve the evidence, and run your incident response process before you rebuild. If you’re on a version prior to 20.9, you need to migrate entirely. Restrict access to the SD-WAN management interface to trusted admin networks only, and verify that it isn’t reachable from the internet at all. Disable HTTP for the web UI if you can. Change default admin passwords (yes, some partners are still running defaults). None of this replaces the patch; Cisco’s advisory lists no workaround, and these steps only narrow who can reach a still-vulnerable system.

And document everything. The timeline of when you learned about the vulnerability, when you patched, what you checked. If one of your customers ends up in a breach investigation, that documentation is the difference between “our partner responded appropriately” and a lawsuit.
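One way to turn the steps above (version check, migration cutoff, management-interface exposure, HTTP UI, default credentials, and a timestamped record of what was checked) into a single verifiable report. This is an added example in Python, not the post’s own code and not Cisco tooling. The inventory, hostnames and ACLs are constructed, and the per-train “first fixed release” numbers in FIXED_RELEASES are hypothetical placeholders: the post only gives the 20.9 migration cutoff, so take the real fixed versions from Cisco’s advisory before relying on the output.

```python
"""Patch and exposure triage for an SD-WAN Manager inventory (added example).

Assumes a partner-maintained inventory with Cisco-style dotted version strings
and the list of source networks the management ACL permits. Not Cisco tooling.
"""
import ipaddress
import json
from datetime import datetime, timezone

# From the post: anything before 20.9 has no patch path and must be migrated.
MIGRATE_BELOW = (20, 9)

# Sources the management plane may legitimately be reached from. RFC 1918 here;
# narrow this to your real jump hosts / admin VPN ranges in practice.
TRUSTED_SOURCES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# HYPOTHETICAL first-fixed release per release train. The post does not list the
# fixed versions; replace these with the values from Cisco's advisory.
FIXED_RELEASES = {
    (20, 9): (20, 9, 7, 2),
    (20, 12): (20, 12, 5),
}

# Constructed sample inventory: hostnames, versions and ACLs are made up.
INVENTORY = [
    {"host": "vmanage-east", "version": "20.12.5", "mgmt_acl": ["10.0.0.0/8"],
     "http_ui": False, "default_admin": False},
    {"host": "vmanage-west", "version": "20.9.3", "mgmt_acl": ["10.0.0.0/8", "0.0.0.0/0"],
     "http_ui": True, "default_admin": False},
    {"host": "vmanage-legacy", "version": "20.6.4", "mgmt_acl": ["192.168.1.0/24"],
     "http_ui": False, "default_admin": True},
    {"host": "vmanage-lab", "version": "20.15.1", "mgmt_acl": ["172.16.0.0/12"],
     "http_ui": False, "default_admin": False},
]


def parse_version(text):
    """'20.9.4.1' -> (20, 9, 4, 1). Tuple comparison orders 20.10 after 20.9,
    which a plain string comparison would get wrong."""
    return tuple(int(part) for part in text.strip().split("."))


def exposed_sources(acl):
    """Return the ACL entries that are not contained in any trusted network.
    Uses subnet_of rather than is_private so 0.0.0.0/0 is reported as exposed."""
    exposed = []
    for entry in acl:
        net = ipaddress.ip_network(entry, strict=False)
        if not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_SOURCES):
            exposed.append(entry)
    return exposed


def triage(device, fixed_releases=FIXED_RELEASES):
    """Evaluate one device against the checks from the post and return findings."""
    findings = []
    version = parse_version(device["version"])
    train = version[:2]
    if version < MIGRATE_BELOW:
        findings.append("migrate: release predates 20.9, no patch path")
    elif train not in fixed_releases:
        findings.append(f"verify: no fixed release recorded for train {train[0]}.{train[1]}")
    elif version < fixed_releases[train]:
        fixed = ".".join(map(str, fixed_releases[train]))
        findings.append(f"unpatched: {device['version']} is below fixed release {fixed}")
    exposed = exposed_sources(device["mgmt_acl"])
    if exposed:
        findings.append("exposed: management ACL permits untrusted sources " + ", ".join(exposed))
    if device["http_ui"]:
        findings.append("http: plaintext web UI enabled")
    if device["default_admin"]:
        findings.append("credentials: default admin password still set")
    return {"host": device["host"], "version": device["version"],
            "status": "confirmed" if not findings else "action required",
            "findings": findings}


def audit_report(inventory, fixed_releases=FIXED_RELEASES, now=None):
    """Timestamped, self-describing record of what was checked and what was found."""
    now = now or datetime.now(timezone.utc)
    results = [triage(d, fixed_releases) for d in inventory]
    return {
        "generated_at": now.isoformat(),
        "fixed_releases_assumed": {f"{k[0]}.{k[1]}": ".".join(map(str, v))
                                   for k, v in fixed_releases.items()},
        "confirmed": sum(r["status"] == "confirmed" for r in results),
        "devices": results,
    }


if __name__ == "__main__":
    print(json.dumps(audit_report(INVENTORY), indent=2))
```

The report embeds the fixed-release table it was judged against, so a reviewer months later can see not just “patched” but patched relative to which advisory revision. A device only reaches “confirmed” when every check passes; anything else stays “action required” with the specific reason, which is the level of detail the post is asking partners to be able to produce.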

The bigger point

I love this industry. I genuinely do. But this pattern keeps repeating. Vendor builds a platform. Partners build their businesses on it. Something goes wrong. The vendor handles it through security advisories and legal-approved press statements. Partners find out last.

The relationship between a vendor and a managed services partner is a trust contract. When your partner deploys your platform inside their customer’s network, they’re putting their reputation on the line for your code. The least you can do is pick up the phone when the building’s on fire.

If you’re a partner affected by this, I want to hear about it. How did you find out? How fast did you move? Did Cisco reach out directly? Send me your story. You know where to find me.