A critical, actively exploited vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN software allows unauthenticated attackers to gain administrative privileges. The flaw, exploited since 2023 by a sophisticated actor tracked as UAT-8616, enables manipulation of the SD-WAN network configuration. Cisco has released patches for affected versions and advises customers to audit their systems for signs of compromise. The main topics covered are the security vulnerability, its active exploitation, the threat actor's post-compromise activities, and the remediation guidance.
A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has come under active exploitation in the wild as part of malicious activity that dates back to 2023.
The vulnerability, tracked as CVE-2026-20127 (CVSS score: 10.0), allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on an affected system by sending a crafted request.
Successful exploitation of the flaw could allow the adversary to obtain elevated privileges and log in to the system as an internal, high-privileged, non-root user account.
"This vulnerability exists because the peering authentication mechanism in an affected system is not working properly," Cisco said in an advisory, adding the threat actor could leverage the non-root user account to access NETCONF and manipulate network configuration for the SD-WAN fabric.
The shortcoming affects the following deployment types, irrespective of the device configuration -
- On-Prem Deployment
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud - Cisco Managed
- Cisco Hosted SD-WAN Cloud - FedRAMP Environment
Cisco credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability. The networking equipment major is tracking the exploitation and subsequent post-compromise activity under the moniker UAT-8616, describing the cluster as a "highly sophisticated cyber threat actor."
The vulnerability has been addressed in the following versions of Cisco Catalyst SD-WAN -
- Prior to version 20.91 - Migrate to a fixed release.
- Version 20.9 - 20.9.8.2
- Version 20.111 - 20.12.6.1
- Version 20.12.5 - 20.12.5.3
- Version 20.12.6 - 20.12.6.1
- Version 20.131 - 20.15.4.2
- Version 20.141 - 20.15.4.2
- Version 20.15 - 20.15.4.2
- Version 20.161 - 20.18.2.1
- Version 20.18 - 20.18.2.1
"Cisco Catalyst SD-WAN Controller systems that are exposed to the internet and that have ports exposed to the internet are at risk of exposure to compromise," Cisco warned.
The company has also recommended customers to audit the "/var/log/auth.log" file for entries related to "Accepted publickey for vmanage-admin" from unknown or unauthorized IP addresses. It's also advised to check the IP addresses in the auth.log log file against the configured System IPs that are listed in the Cisco Catalyst SD-WAN Manager web UI (WebUI > Devices > System IP).
According to information released by the ASD-ACSC, UAT-8616 is said to have compromised Cisco SD-WANs since 2023 via the zero-day exploit, allowing it to gain elevated access.
"The vulnerability allowed a malicious cyber actor to create a rogue peer joined to the network management plane, or control plane, of an organization's SD-WAN," ASD-ACSC said. "The rogue device appears as a new but temporary, actor-controlled SD-WAN component that can conduct trusted actions within the management and control plane."
After successfully compromising a public-facing application, the attackers have been found to leverage the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775 (CVSS score: 7.8), a high-severity privilege escalation bug in the CLI of Cisco SD-WAN Software, and then restoring the software back to the version it was originally running.
Some of the subsequent steps initiated by the threat actor are as follows -
- Created local user accounts that mimicked other local user accounts.
- Added a Secure Shell Protocol (SSH) authorized key for root access and modified SD-WAN-related start-up scripts to customize the environment.
- Used Network Configuration Protocol on port 830 (NETCONF) and SSH to connect to/between Cisco SD-WAN appliances within the management plane.
- Took steps to clear evidence of the intrusion by purging logs under "/var/log," command history, and network connection history.
"UAT-8616's attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors looking to establish persistent footholds into high-value organizations, including Critical Infrastructure (CI) sectors," Talos said.
The development has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add both CVE-2022-20775 and CVE-2026-20127 to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the fixes within the next 24 hours.
To check for version downgrade and unexpected reboot events, CISA recommends analyzing the following logs -
- /var/volatile/log/vdebug
- /var/log/tmplog/vdebug
- /var/volatile/log/sw_script_synccdb.log
CISA has also issued a new emergency directive, 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems, as part of which federal agencies are required to inventory SD-WAN devices, apply updates, and assess potential compromise.
To that end, agencies have been ordered to provide a catalog of all in-scope SD-WAN systems on their networks by February 26, 2026, 11:59 p.m. ET. Additionally, they are required to submit a detailed inventory of all in-scope products and actions taken by March 5, 2026, 11:59 p.m. ET. Lastly, the agencies will have to submit the list of all steps taken to harden their environments by March 26, 2026, 11:59 p.m. ET.
Meridiano
