Cisco SD-WAN vulnerability CVE-2026-20127 has been exploited since 2023 to gain unauthenticated admin access.
A critical Cisco SD-WAN vulnerability, tracked as CVE-2026-20127 (CVSS score of 10.0), has been actively exploited since 2023. The flaw affects Catalyst SD-WAN Controller and Manager and allows remote, unauthenticated attackers to bypass authentication and gain full administrative access by sending a crafted request to vulnerable systems.
“This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system.” reads the advisory. “A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”
The vulnerability impacts all Cisco Catalyst SD-WAN deployments, regardless of configuration. Affected environments include:
- On-Prem deployments
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud – Cisco Managed
- Cisco Hosted SD-WAN Cloud – FedRAMP
Cisco credited the Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC) for reporting the issue and is tracking related exploitation under the name UAT-8616, describing the actor as highly sophisticated.
The flaw has been fixed in updated Cisco Catalyst SD-WAN releases, including: 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, and 20.18.2.1. Customers running versions prior to 20.9.1 are advised to migrate to a patched release.
The shortcoming affects the following deployment types, irrespective of the device configuration –
- On-Prem Deployment
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud – Cisco Managed
- Cisco Hosted SD-WAN Cloud – FedRAMP Environment
Cisco credited the Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability. The networking equipment major is tracking the exploitation and subsequent post-compromise activity under the moniker UAT-8616, describing the cluster as a “highly sophisticated cyber threat actor.”
Cisco Talos tracks the exploitation as UAT-8616, a highly sophisticated threat actor active since at least 2023. Investigators found the group likely downgraded software to escalate privileges to root, exploited CVE-2022-20775, and then restored the original version to maintain stealthy root access. The campaign highlights the ongoing targeting of network edge devices to gain persistent access to high-value and critical infrastructure organizations. Customers are urged to apply the security updates immediately.
“Talos clusters this exploitation and subsequent post-compromise activity as “UAT-8616” whom we assess with high confidence is a highly sophisticated cyber threat actor. After the discovery of active exploitation of the 0-day in the wild, we were able to find evidence that the malicious activity went back at least three years (2023).” reads the report published by Cisco Talos. “Investigation conducted by intelligence partners identified that the actor likely escalated to root user via a software version downgrade. The actor then reportedly exploited CVE-2022-20775 before restoring back to the original software version, effectively allowing them to gain root access.”
Cisco warns that internet-exposed Catalyst SD-WAN Controllers are at risk. Customers should review /var/log/auth.log for suspicious “Accepted publickey for vmanage-admin” entries from unknown IPs and verify them against authorized System IPs in the web UI. All control peering events, especially vManage, must be manually validated for unusual timing, IPs, or device roles. If compromise is suspected, open a TAC case and collect admin-tech files. There are no full workarounds; restricting ports 22 and 830 may help temporarily, but upgrading to a fixed release is strongly recommended.
Cisco PSIRT has confirmed limited real-world exploitation of the vulnerability and strongly urges customers to upgrade to a patched software version to address the issue.
“We strongly recommend that you perform the steps outlined in this document. Cisco has also published a hardening guide for Cisco Catalyst SD-WAN deployments located at https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide. It is strongly recommended that any customers who are utilizing the Cisco Catalyst SD-WAN technology follow the guidance provided in this hardening guide.” concludes Cisco Talos. “We also recommend referring to advisories here and here and the Cisco Catalyst SD-WAN threat hunting guide released by our intelligence partners for additional detection guidance.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Cisco Catalyst SD-WAN)
