Cisco SD-WAN Zero-Day Exploited Since 2023 (CVE-2026-20127)

▼ Summary
– A sophisticated threat actor exploited a zero-day authentication bypass vulnerability (CVE-2026-20127) in Cisco’s Catalyst SD-WAN Controller to gain unauthorized access.
– The exploit allowed attackers to log in as a high-privileged user, access NETCONF, and manipulate the network configuration of the SD-WAN fabric.
– Cisco’s Talos team linked the activity to a group named UAT-8616, whose post-compromise actions included downgrading the software, exploiting an older vulnerability (CVE-2022-20775) to gain root, and then restoring the original version to cover the change.
– Multiple agencies, including the Australian Cyber Security Centre and the US CISA, have issued emergency directives, guidance, and mitigation advice for affected organizations.
– The incident highlights a trend of threat actors targeting network edge devices to establish persistent access, particularly within critical infrastructure sectors.
A highly sophisticated threat actor has been actively exploiting a zero-day vulnerability in Cisco’s Catalyst SD-WAN Controller for an extended period, with evidence of malicious activity dating back to 2023. The critical flaw, tracked as CVE-2026-20127, is an authentication bypass issue within the peering mechanism. This allows an attacker to send specially crafted requests to a vulnerable system, successfully logging in as a high-privileged internal user. From this position, the attacker can access the NETCONF interface, enabling them to manipulate the entire SD-WAN network configuration, add unauthorized rogue peers, and ultimately establish a persistent, long-term foothold within an organization’s infrastructure.
Cisco’s Talos threat intelligence team has linked this exploitation campaign to a group it designates UAT-8616. Its investigation, supported by intelligence partners, reveals a calculated and stealthy attack pattern. After initial access, the actors reportedly downgraded the controller’s software to a version on which the older privilege-escalation flaw CVE-2022-20775 could still be exploited, used it to obtain root, and then restored the system to its original software version. Because the running version afterwards looked unchanged, the technique masked the activity while leaving the actors with root-level access. The campaign underscores a dangerous trend in which threat actors increasingly target network edge devices to infiltrate high-value organizations, including those in critical infrastructure sectors.
In response to this ongoing threat, multiple agencies have issued urgent guidance. The Australian Cyber Security Centre, which initially reported the exploitation, has published detailed mitigation advice and a threat hunting guide. Concurrently, the US Cybersecurity and Infrastructure Security Agency (CISA) has taken decisive action by issuing an emergency directive to all federal civilian agencies. The directive mandates immediate steps: conducting a full inventory of all Cisco SD-WAN systems, collecting virtual snapshots and logs for analysis, applying all necessary patches, hunting for existing evidence of compromise, and implementing the security measures outlined in Cisco’s official Catalyst SD-WAN Hardening Guide.
Cisco strongly advises all customers to review their systems for indicators of compromise related to CVE-2026-20127, paying particular attention to any unauthorized peer connections that may have been established. The company has provided specific investigative guidance to assist with this process. Two points follow from the reported tradecraft: because the actors restored the original software version after exploitation, a current version check alone does not show whether a downgrade ever occurred, so software install history should be reviewed; and because the attacker path runs through NETCONF, configuration change records should be examined for changes no administrator made. Given the severity of this vulnerability and its confirmed exploitation in the wild, organizations are urged to treat these remediation steps with the highest priority to protect their network environments from this persistent and advanced threat.
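The two hunts the guidance above calls for, checking the control plane for peers outside an approved baseline and checking software install history for a downgrade that was later reversed, as a worked example added here. This is not Cisco's tooling and not a script from Talos, the ACSC or CISA. The peer and install-history record layouts, the IP addresses, site IDs, version numbers and user names are constructed for the illustration; they are not Cisco's `show` output or log formats, and in practice the input would be exported from the controller's own peer listing and software/audit records.

```python
"""Two hunts for the tradecraft described in the article (example code, not Cisco's):
1. rogue control-plane peers: observed peers that are absent from an approved baseline,
   or that reuse a known identity but appear from an unexpected public IP;
2. downgrade-then-restore: an install history in which the version drops and is later
   brought back to (or above) the earlier version, which hides the downgrade from a
   plain 'current version' check.
All record layouts and values below are constructed for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

# Constructed layout: peer-type system-ip site-id public-ip (one peer per line).
APPROVED_PEERS = """\
vmanage 10.1.1.1 100 203.0.113.9
vsmart  10.1.1.2 100 203.0.113.10
vbond   10.1.1.3 100 203.0.113.11
"""

# Constructed snapshot of what the controller currently sees as its peers.
OBSERVED_PEERS = """\
vmanage 10.1.1.1 100 203.0.113.9
vsmart  10.1.1.2 100 203.0.113.10
vbond   10.1.1.3 100 198.51.100.8
vsmart  10.1.1.9 999 198.51.100.7
"""

# Constructed install history: ISO-8601 timestamp, installed version, acting user.
VERSION_HISTORY = """\
2023-03-01T09:12:00 20.9.3 admin
2023-06-14T02:41:13 20.6.2 admin
2023-06-14T03:05:47 20.9.3 admin
2024-01-10T11:00:00 20.12.1 admin
"""


@dataclass(frozen=True)
class Peer:
    peer_type: str
    system_ip: str
    site_id: int
    public_ip: str


@dataclass(frozen=True)
class VersionEvent:
    ts: datetime
    version: str
    user: str


def parse_peers(text: str) -> list[Peer]:
    """Parse the constructed whitespace-separated peer layout."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ptype, sys_ip, site, pub_ip = line.split()
        peers.append(Peer(ptype, sys_ip, int(site), pub_ip))
    return peers


def find_rogue_peers(observed: Iterable[Peer], approved: Iterable[Peer]) -> list[Peer]:
    """Peers whose (type, system-ip, site-id) is not in the baseline, plus peers whose
    identity is known but whose public IP differs, since an added peer may reuse
    legitimate identifiers."""
    baseline = {(p.peer_type, p.system_ip, p.site_id): p for p in approved}
    rogue = []
    for p in observed:
        known = baseline.get((p.peer_type, p.system_ip, p.site_id))
        if known is None or known.public_ip != p.public_ip:
            rogue.append(p)
    return rogue


def parse_history(text: str) -> list[VersionEvent]:
    """Parse the constructed install-history layout, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, version, user = line.split()
        events.append(VersionEvent(datetime.fromisoformat(ts), version, user))
    return sorted(events, key=lambda e: e.ts)


def version_key(version: str) -> tuple[int, ...]:
    """Numeric comparison key: '20.12.1' > '20.9.3' (string comparison gets this wrong)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def find_downgrade_restore(events: list[VersionEvent]) -> list[tuple[VersionEvent, VersionEvent]]:
    """Each downgrade paired with the first later install that returns to at least the
    pre-downgrade version. A downgrade with no restore is still worth a look, but the
    downgrade-and-restore pair is the pattern the article describes."""
    findings = []
    for i in range(1, len(events)):
        before, down = events[i - 1], events[i]
        if version_key(down.version) >= version_key(before.version):
            continue
        for back in events[i + 1:]:
            if version_key(back.version) >= version_key(before.version):
                findings.append((down, back))
                break
    return findings


def run_hunt() -> tuple[list[Peer], list[tuple[VersionEvent, VersionEvent]]]:
    rogue = find_rogue_peers(parse_peers(OBSERVED_PEERS), parse_peers(APPROVED_PEERS))
    flips = find_downgrade_restore(parse_history(VERSION_HISTORY))
    return rogue, flips


if __name__ == "__main__":
    rogue, flips = run_hunt()
    for p in rogue:
        print(f"ROGUE PEER  {p.peer_type} system-ip={p.system_ip} site={p.site_id} from {p.public_ip}")
    for down, back in flips:
        window = back.ts - down.ts
        print(f"DOWNGRADE   to {down.version} at {down.ts} by {down.user}, "
              f"restored to {back.version} after {window}")
```

On the constructed data this reports the vbond seen from an unexpected address, the unknown vsmart at site 999, and the 20.9.3 to 20.6.2 to 20.9.3 round trip that completed in under half an hour. The short window between downgrade and restore is the detail worth surfacing, since a legitimate rollback rarely reverses itself that quickly.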
(Source: HelpNet Security)