
Cisco SD-WAN Zero-Day Exploited for Three Years Before Detection


Cisco Talos Uncovers Prolonged Exploitation of Vulnerability in Cisco SD-WAN

Cisco Talos has disclosed that a highly capable threat actor exploited a critical authentication-bypass vulnerability in Cisco Catalyst SD-WAN for at least three years before the zero-day activity was identified. The length of the window is the most important detail here: the flaw was in use long before anyone was looking for it, and organizations running the affected products need to treat their controllers as potentially compromised rather than simply patch and move on.

The vulnerability, tracked as CVE-2026-20127, carries the maximum CVSS score of 10.0. It allowed an unauthenticated remote attacker to obtain administrative privileges and, from there, add rogue peers to an enterprise SD-WAN fabric.

Cisco Talos attributes the exploitation activity to a cluster it tracks as UAT-8616 and assesses with high confidence that a sophisticated actor ran the campaign. The actor targeted network edge devices to establish persistent access in high-value organizations, particularly in sectors tied to national critical infrastructure. Talos' investigation traces activity associated with this vulnerability back to at least early 2023.

CVE-2026-20127 affects both Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage), in on-premises and cloud-hosted deployments alike. The root cause is a flaw in the peering authentication mechanism: trust relationships were not adequately validated when SD-WAN components connected to one another, so a party that should never have been accepted as a peer could be.

Attackers exploited the bypass by sending crafted requests that the vulnerable systems accepted as coming from a trusted peer. This let them log in as a high-privileged internal (non-root) user account. From there they could manipulate NETCONF configuration and thereby control the SD-WAN fabric's network settings, including routing policy and device authentication.

The Complexity of the Attack Chain

The attack chain described in the Cisco Talos report goes well beyond the initial bypass. After gaining access via CVE-2026-20127, UAT-8616 escalated to root by downgrading the SD-WAN software to an earlier release that was still vulnerable to CVE-2022-20775, a path-traversal privilege-escalation flaw patched in 2022. Having used the older bug to obtain root, the actor then restored the original software version, keeping the elevated access while removing the most obvious evidence of how it was obtained.

This "downgrade-exploit-restore" technique sidesteps two common controls at once: checks that flag outdated software, which only see the current (patched) version, and alerting on privilege escalation, which never fires if the escalation path is one the monitoring does not expect. The version change itself is still an observable event, however. A controller whose recorded software version drops to an older release and returns to the current one shortly afterwards is a strong signal and should be investigated, not explained away as maintenance.

Acknowledgment from Australian Cyber Defenders

The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) is credited with discovering the vulnerability and reporting it to Cisco. The ACSC has also published a joint "hunt guide" warning that malicious actors are targeting Cisco Catalyst SD-WAN deployments worldwide. According to the guide, adversaries typically add rogue peers first and then take further steps to obtain root access and maintain persistent control.

Urgent Response from CISA and Global Authorities

Following the disclosure, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 26-03. It requires Federal Civilian Executive Branch agencies to inventory their Cisco SD-WAN systems, collect forensic artifacts, ensure logs are stored off-box, apply the required updates, and investigate for compromise by a set deadline. CISA classes the exploitation as an imminent threat to federal networks.

CISA has also added both CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities catalog. The UK's National Cyber Security Centre issued its own warning, urging organizations to check for exposure and hunt for malicious activity, in coordination with international partners.

Recommendations for Mitigation

Cisco has released fixed software for all affected versions and states that upgrading is the only complete remediation; there are no workarounds. Releases 20.11, 20.13, 20.14 and 20.16, together with all releases earlier than 20.9, have reached end-of-life, so organizations running them must migrate to a supported release to receive the fix.

Cisco Talos also published indicators of compromise (IoCs) associated with UAT-8616. Behavioural indicators include the creation, use and deletion of user accounts that leave no bash or CLI history behind, and interactive root sessions on production systems involving SSH keys that cannot be accounted for.

Organizations running Cisco Catalyst SD-WAN should review their logs now, paying particular attention to unexpected peering events from sources they cannot verify, since these may indicate attempted exploitation.
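The three behaviours above (the downgrade-then-restore of the software version, short-lived accounts, and interactive root sessions) are all sequences of events rather than single signatures, which makes them awkward to express as a simple log search. The script below is an added example, not code from Cisco Talos or from any of the agencies named on this page. It runs the three hunts over a constructed, hypothetical audit feed in a generic "timestamp event_type key=value ..." format; the event names and field names are assumptions for illustration and do not reproduce the real Cisco SD-WAN log schema, so a practitioner would first map their own controller's audit records onto these fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in a hypothetical "timestamp type k=v ..."
# format. Illustrative only; not the real Cisco SD-WAN log schema.
SAMPLE_EVENTS = [
    "2023-02-10T01:02:03Z software_version version=20.9.3.1",
    "2023-02-10T01:05:00Z login user=root src=198.51.100.5 tty=pts/1",
    "2023-02-10T01:15:00Z software_version version=20.6.2",    # downgrade
    "2023-02-10T01:40:00Z software_version version=20.9.3.1",  # restore
    "2023-02-11T03:00:00Z user_create user=svc_backup",
    "2023-02-11T03:02:00Z login user=svc_backup src=203.0.113.7",
    "2023-02-11T03:25:00Z user_delete user=svc_backup",
    "2023-03-01T09:00:00Z user_create user=netops2",
    "2023-03-05T09:00:00Z login user=netops2 src=10.1.2.3 tty=pts/0",
]


def parse_event(line):
    """Split one event line into a dict with ts (datetime), type and k=v fields."""
    ts, etype, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["type"] = etype
    return fields


def version_key(version):
    """Turn '20.9.3.1' into (20, 9, 3, 1) so releases compare numerically."""
    return tuple(int(part) for part in version.split("."))


def _sorted_events(lines):
    return sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])


def find_downgrade_restore(lines, window=timedelta(hours=6)):
    """Flag a software version that drops to an older release and then returns
    to (or above) the original one within `window`: downgrade-exploit-restore.
    Returns (downgrade_ts, original_version, downgraded_version, restore_ts)."""
    versions = [e for e in _sorted_events(lines) if e["type"] == "software_version"]
    hits = []
    for i in range(1, len(versions)):
        prev, cur = versions[i - 1], versions[i]
        if version_key(cur["version"]) >= version_key(prev["version"]):
            continue  # not a downgrade
        for later in versions[i + 1:]:
            if later["ts"] - cur["ts"] > window:
                break  # restore too far away to pair with this downgrade
            if version_key(later["version"]) >= version_key(prev["version"]):
                hits.append((cur["ts"], prev["version"], cur["version"], later["ts"]))
                break
    return hits


def find_short_lived_accounts(lines, max_lifetime=timedelta(hours=24)):
    """Accounts created and deleted within `max_lifetime`, with their login
    count. Returns (user, lifetime, logins)."""
    created, logins, hits = {}, defaultdict(int), []
    for e in _sorted_events(lines):
        if e["type"] == "user_create":
            created[e["user"]] = e["ts"]
        elif e["type"] == "login":
            logins[e["user"]] += 1
        elif e["type"] == "user_delete" and e["user"] in created:
            lifetime = e["ts"] - created.pop(e["user"])
            if lifetime <= max_lifetime:
                hits.append((e["user"], lifetime, logins[e["user"]]))
    return hits


def find_interactive_root_logins(lines):
    """Interactive (tty-bearing) root sessions. Returns (ts, source address)."""
    return [(e["ts"], e["src"]) for e in _sorted_events(lines)
            if e["type"] == "login" and e["user"] == "root" and "tty" in e]


if __name__ == "__main__":
    for name, hunt in (("downgrade/restore", find_downgrade_restore),
                       ("short-lived accounts", find_short_lived_accounts),
                       ("interactive root", find_interactive_root_logins)):
        for hit in hunt(SAMPLE_EVENTS):
            print(f"[{name}] {hit}")
```

On the constructed feed this reports the 20.9.3.1 to 20.6.2 downgrade restored 25 minutes later, the `svc_backup` account that lived for 25 minutes and was used once, and the root session from 198.51.100.5; `netops2` is not flagged because it was never deleted. The thresholds (six hours for a restore, 24 hours for an account lifetime) are starting points, and the point of pairing the downgrade with its restore is that neither event alone looks suspicious on a device that is legitimately upgraded and occasionally rolled back.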

The broader lesson is that compromising an SD-WAN controller gives an attacker leverage over an entire fabric, because these systems manage routing, policy enforcement and device authentication across the network. Cisco Talos stresses, as it has before, that management interfaces should never be exposed to the internet.

The long gap between first exploitation and detection shows how hard it is to spot abuse of infrastructure that is rarely instrumented in the same way as endpoints. An actor that manipulates software versions to reach an old, patched bug and then restores the current release clearly understands what monitoring does and does not look at.

Organizations should apply Cisco's hardening guidance, ship controller logs to external storage where an attacker with root cannot tamper with them, and audit their SD-WAN configurations for peers and accounts they did not create. The indicators in the joint hunt guide from CISA, the UK's NCSC and the Australian authorities are the starting point for that hunt.
