A critical zero-day vulnerability (CVE-2026-20127) in Cisco's SD-WAN Controller has been actively exploited by a sophisticated, unidentified threat actor for at least three years. The flaw allows authentication bypass and, when chained with a second vulnerability (CVE-2022-20775), provides root access. U.S. and international cybersecurity agencies have issued urgent patching directives, noting the actor's highly stealthy operations left minimal evidence and showed no lateral movement beyond the SD-WAN systems. The main topics covered are the severe vulnerability's exploitation, the emergency response from authorities, and the mysterious nature of the threat actor tracked as UAT-8616.
Cisco SD-WAN Zero-Day Under Exploitation for 3 Years
The maximum-severity vulnerability CVE-2026-20127 was exploited by an unknown but sophisticated threat actor who left very little evidence behind.
Cisco revealed today that a critical zero-day vulnerability in its Catalyst SD-WAN Controller has been exploited in the wild for "at least three years."
The vulnerability, tracked as CVE-2026-20127, is an authentication bypass flaw with a maximum CVSS score of 10. An attacker can send crafted requests to vulnerable systems and log into the controllers as an internal, high-privileged, non-root user, according to Cisco's security advisory.
In disclosing the zero-day, Cisco warned of "limited exploitation" in the wild. On the same day, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive that requires federal civilian executive branch (FCEB) agencies to patch CVE-2026-20127 — along with a second, older Catalyst SD-WAN flaw tracked as CVE-2022-20775 — by Friday. CISA typically gives FCEB agencies two weeks to patch vulnerabilities that have been exploited in the wild but will sometimes issue emergency directives with tighter deadlines to patch flaws that pose higher risk to the government.
The situation worsened when Cisco Talos published a blog post Wednesday that revealed CVE-2026-20127 exploitation activity went back "at least three years (2023)." The post linked to a 41-page threat hunting guide published by the Australian Signals Directorate Australian Cyber Security Centre and co-authored by CISA, the US National Security Agency (NSA), and other international partners.
"Investigation conducted by intelligence partners identified that the actor likely escalated to root user via a software version downgrade," the blog post stated. "The actor then reportedly exploited CVE-2022-20775 before restoring back to the original software version, effectively allowing them to gain root access."
Cisco Talos researchers are tracking the exploitation and post-compromise activity as UAT-8616, which they described as "a highly sophisticated cyber threat actor." But it's unclear who UAT-8616 is, and what networks they breached.
The Mystery of UAT-8616
According to the threat hunting guide, the international intelligence agencies determined that at least one threat actor had compromised Cisco SD-WANs, then known as SD-WAN vSmart, since 2023. The source of the compromises was identified as CVE-2026-20127 in late 2025.
The agencies did not specify what types of organizations were breached or how many victims were impacted by UAT-8616's attacks. However, all activity observed by investigators was limited to SD-WAN components, with no evidence of lateral movement outside those systems and no command-and-control (C2) malware.
The threat hunting guide explained that exploitation of CVE-2026-20127 allowed the threat actor to add a rogue peer to the Cisco SD-WAN management and control plane. "The rogue peer is an actor controlled, unauthorised, now trusted peer on the SD-WAN network management system (NMS)," the guide stated.
The threat actor used the built-in update mechanism to downgrade a vSmart controller to an earlier version with known local privilege escalation vulnerabilities, including CVE-2022-20775. After downgrading the system, they exploited CVE-2022-20775 and created local accounts for persistence.
"The actor used what was likely a publicly available proof of concept exploit for this CVE to run commands as the root user," according to the guide.
UAT-8616's identity remains a mystery, given the lack of evidence left behind. However, Scott Caveza, senior staff research engineer at Tenable, noted in a blog post that Cisco flaws have been popular targets for state-sponsored groups.
"Nation state-sponsored actors, including Salt Typhoon and Volt Typhoon, have been known for past exploitation of Cisco devices, so it's imperative that immediate action is taken to remediate these vulnerabilities," Caveza wrote.
Mitigating CVE-2026-20127
Cisco Talos highlighted CVE-2026-20127's exploitation activity as part of a larger pattern of threat actor behavior in recent years. "UAT-8616's attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors looking to establish persistent footholds into high-value organizations including Critical Infrastructure (CI) sectors," the blog post said.
Cisco strongly urged customers to update their Catalyst SD-WAN Controllers to a fixed version as soon as possible and to restrict access to the instances from unsecured networks like the public Internet. "Cisco Catalyst SD-WAN Controller systems that are exposed to the Internet and that have ports exposed to the Internet are at risk of exposure to compromise," the networking giant stated.
Additionally, Cisco recommended organizations disable HTTP access for the Catalyst SD-WAN Manager web UI administrator portal and change the default administrator password to a more secure password.
To identify potential compromises, the intelligence agencies urged customers to analyze their controllers for potential rogue peering, version downgrades, and unexpected reboots. The threat hunting guide also advised customers to protect SD-WAN controllers with firewalls, enable centralized logging, and use the "golden star" version of the software. "This ensures that the SD-WAN can implement the most current security features," the guide stated.
Meridiano
