Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 to Gain Admin Access

A critical zero-day vulnerability affecting Cisco Catalyst SD-WAN platforms has been actively exploited since 2023, enabling attackers to gain unauthorized administrative access to targeted environments. The flaw, identified as CVE-2026-20127, carries a maximum CVSS score of 10.0 and impacts both Cisco Catalyst SD-WAN Controller and SD-WAN Manager solutions.

The vulnerability allows a remote, unauthenticated attacker to bypass authentication by sending specially crafted requests to a vulnerable system. Successful exploitation grants the attacker the privileges of a high-level internal account, though not root access directly.

Technical Root Cause and Impact

According to Cisco’s advisory, the issue stems from a flaw in the peering authentication mechanism: because peer authentication is not validated correctly, an attacker can send crafted requests that are accepted as if they came from a trusted peer, effectively overriding access controls.

Once inside, the adversary can leverage the privileged internal account to access NETCONF services and manipulate network configurations across the SD-WAN fabric. This level of access presents serious risks for enterprise networks, government infrastructure, and critical infrastructure sectors.

The vulnerability affects the following deployment models, regardless of configuration:

On-Prem Deployment
Cisco Hosted SD-WAN Cloud
Cisco Hosted SD-WAN Cloud, Cisco Managed
Cisco Hosted SD-WAN Cloud, FedRAMP Environment

Cisco credited the Australian Signals Directorate’s Australian Cyber Security Centre for responsibly reporting the issue. The company is tracking the exploitation cluster under the designation UAT-8616, describing it as a highly advanced and capable threat actor.

Exploitation Chain and Privilege Escalation

Authorities confirmed that UAT-8616 has leveraged this zero-day vulnerability since 2023 to gain initial access. After breaching exposed systems, attackers reportedly created a rogue SD-WAN peer within the management or control plane.

This rogue device appeared as a legitimate but temporary SD-WAN component, allowing the attacker to execute trusted actions inside the network management environment.

Following the initial compromise, the threat actor abused the appliances' built-in software upgrade mechanism to downgrade them to an older release that was still vulnerable to CVE-2022-20775, a previously disclosed privilege escalation flaw in the Cisco SD-WAN CLI. Exploiting that flaw gave the attackers root-level access, after which they restored the original software version to avoid detection.

Post-Compromise Activities

Investigations revealed several actions taken after gaining control:

Creation of local user accounts designed to mimic legitimate administrators
Insertion of SSH authorized keys for persistent root access
Modification of SD-WAN startup scripts to customize the operating environment
Use of NETCONF over port 830 and SSH to move laterally between appliances
Deletion of logs under /var/log, clearing command history, and erasing network connection traces

This pattern reflects a broader trend of targeting network edge devices to establish long term footholds within high value networks.

Patching and Mitigation

Cisco has released fixed software across multiple branches and strongly advises immediate upgrades. Systems running releases earlier than 20.9.1 must migrate to a fixed release; fixed builds are available on the supported 20.9, 20.12, 20.15, and 20.18 branches.

Organizations with internet exposed Cisco Catalyst SD-WAN Controller systems are considered at elevated risk.

Cisco recommends auditing the following log file for suspicious activity:

/var/log/auth.log

Administrators should search specifically for entries containing “Accepted publickey for vmanage-admin” and note the source IP address of each. Those addresses should be cross-checked against the legitimate System IP entries shown in the SD-WAN Manager web interface under Devices and System IP; a login from any other address warrants investigation. Because the actor is known to delete logs under /var/log and clear command history, a clean auth.log on its own does not rule out compromise.
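As an added illustration of this check (example code, not Cisco's tooling and not part of the original advisory), the following Python script parses standard OpenSSH “Accepted publickey” lines, keeps only the vmanage-admin logins, and flags any source address that is not in a list of System IPs copied out of SD-WAN Manager. The log lines and the System IP list are constructed for the example; the exact line format on a given appliance should be confirmed against its own auth.log before relying on the regular expression.

```python
"""Flag vmanage-admin public-key logins from hosts that are not known System IPs.

Added example; not Cisco's tooling. Assumes standard OpenSSH success lines of the
form "Accepted publickey for <user> from <addr> port <port>" and a plain-text list
of legitimate System IPs copied from SD-WAN Manager (Devices > System IP).
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

WATCHED_USER = "vmanage-admin"

# OpenSSH success line. The leading syslog timestamp/host is deliberately not
# anchored so that both BSD-style and ISO-8601 syslog prefixes are accepted.
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<addr>\S+) port (?P<port>\d+)"
)


def load_known_system_ips(entries: Iterable[str]) -> set:
    """Parse an exported System IP list; blank lines and '#' comments are ignored.

    Addresses are normalised through ipaddress so that IPv6 textual variants
    compare correctly against what sshd wrote to the log.
    """
    known = set()
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        known.add(ipaddress.ip_address(entry))
    return known


def accepted_logins(lines: Iterable[str], user: str = WATCHED_USER) -> List[Tuple[str, str]]:
    """Return (line, source_addr) for every successful public-key login by `user`."""
    hits = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m and m.group("user") == user:
            hits.append((line.rstrip("\n"), m.group("addr")))
    return hits


def find_unknown_logins(lines: Iterable[str], known_system_ips: set,
                        user: str = WATCHED_USER) -> List[Tuple[str, str]]:
    """Return (line, source_addr) for logins by `user` whose source is not a known System IP.

    A source field that does not parse as an IP address (for example a hostname
    left by a resolver) is reported too: it cannot be matched against the
    allowlist, so it must be reviewed by hand rather than silently dropped.
    """
    findings = []
    for line, addr in accepted_logins(lines, user):
        try:
            parsed = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line, addr))
            continue
        if parsed not in known_system_ips:
            findings.append((line, addr))
    return findings


# Constructed sample input (not real telemetry). 10.10.1.x play the role of the
# legitimate System IPs; 198.51.100.77 stands in for an unexpected peer.
SAMPLE_AUTH_LOG = [
    "Feb 10 03:14:22 vmanage sshd[2140]: Accepted publickey for vmanage-admin from 10.10.1.2 port 51234 ssh2: RSA SHA256:c0nstructed1",
    "Feb 10 03:15:01 vmanage sshd[2150]: Accepted publickey for admin from 192.0.2.50 port 50000 ssh2: RSA SHA256:c0nstructed2",
    "Feb 10 03:17:45 vmanage sshd[2171]: Accepted publickey for vmanage-admin from 198.51.100.77 port 40211 ssh2: RSA SHA256:c0nstructed3",
    "Feb 10 03:18:09 vmanage sshd[2180]: Failed publickey for vmanage-admin from 198.51.100.77 port 40212 ssh2",
    "Feb 10 03:20:00 vmanage sshd[2199]: Accepted publickey for vmanage-admin from 10.10.1.3 port 51300 ssh2: RSA SHA256:c0nstructed4",
]

# Constructed allowlist, as it might be copied from Devices > System IP in SD-WAN Manager.
KNOWN_SYSTEM_IPS = ["10.10.1.1", "10.10.1.2", "# vBond", "10.10.1.3", ""]


def main() -> None:
    known = load_known_system_ips(KNOWN_SYSTEM_IPS)
    for line, addr in find_unknown_logins(SAMPLE_AUTH_LOG, known):
        print(f"REVIEW: vmanage-admin login from {addr} (not a known System IP)\n  {line}")


if __name__ == "__main__":
    main()
```

On a real appliance the same functions can be pointed at the live file, for example `find_unknown_logins(open("/var/log/auth.log"), known)`. Logins by other users (the `admin` line above) and failed attempts are intentionally left out so that the output is only the one question the advisory asks: which hosts successfully authenticated as vmanage-admin that are not part of the fabric.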

CISA Emergency Directive and Federal Response

The Cybersecurity and Infrastructure Security Agency has added both CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch agencies are required to apply mitigations within 24 hours.

CISA has also issued Emergency Directive 26-03, mandating federal agencies to inventory SD-WAN systems, apply security updates, and assess potential compromise.

To identify downgrade or unexpected reboot activity, CISA recommends reviewing:

/var/volatile/log/vdebug
/var/log/tmplog/vdebug
/var/volatile/log/sw_script_synccdb.log

Agencies must submit a full inventory of affected SD-WAN systems by February 26, 2026, followed by a detailed remediation report by March 5, 2026, and a final hardening confirmation by March 26, 2026.

The active exploitation of this zero-day underscores the persistent targeting of network infrastructure devices and reinforces the urgency of proactive patch management, log monitoring, and defense in depth strategies.
