Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 to Gain Administrator Access

A recently disclosed critical security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has come under active exploitation in the wild as part of malicious activity dating back to 2023.
The vulnerability, tracked as CVE-2026-20127 (CVSS score: 10.0), allows an unauthenticated remote attacker to bypass authentication and gain administrative privileges on an affected system by sending a crafted request to it.
Successful exploitation of the flaw could allow an adversary to obtain the privileges of an internal, highly privileged, non-root user account.
“This vulnerability exists because the peering authentication mechanism on the affected system is not working properly,” Cisco advised, adding that a threat actor could use the non-root user account to access NETCONF and manipulate the network configuration of the SD-WAN fabric.
The flaw affects the following deployment types, regardless of device configuration –
- On-premises deployment
- Cisco-hosted SD-WAN Cloud
- Cisco-hosted SD-WAN Cloud – Cisco Managed
- Cisco-hosted SD-WAN Cloud – FedRAMP environment
Cisco credited the Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC) with reporting the vulnerability. Cisco Talos tracks the exploitation and subsequent post-compromise activity under the moniker UAT-8616, describing the group as “the most dangerous cyber actor.”
The vulnerability is addressed in the following releases of Cisco Catalyst SD-WAN (affected release – first fixed release) –
- Earlier than 20.9 – Migrate to a fixed release.
- 20.9 – 20.9.8.2 (limited release on February 27, 2026)
- 20.11 – 20.12.6.1
- 20.12.5 – 20.12.5.3
- 20.12.6 – 20.12.6.1
- 20.13 – 20.15.4.2
- 20.14 – 20.15.4.2
- 20.15 – 20.15.4.2
- 20.16 – 20.18.2.1
- 20.18 – 20.18.2.1
“Cisco Catalyst SD-WAN Controller systems that are exposed to the Internet, or have ports exposed to the Internet, are at risk,” Cisco warns.
The company also recommended that customers check the “/var/log/auth.log” file for “Accepted publickey for vmanage-admin” entries originating from unknown or unauthorized IP addresses. It is also advised to compare the source IP addresses found in auth.log against the configured System IPs listed in the Cisco Catalyst SD-WAN Manager web UI (WebUI > Devices > System IP); a vmanage-admin key-based login from an address that is not a known System IP is the indicator of interest.
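The auth.log check described above is easy to automate. The script below is an added example and is not Cisco's or CISA's own tooling: it parses the standard OpenSSH “Accepted publickey” line format (also tolerating the “public key” spelling used in the advisory), keeps only logins for vmanage-admin, and reports every source address that is not in a list of known System IPs. The log lines and the System IP list are constructed samples, so they must be replaced with the real /var/log/auth.log and the System IPs exported from the SD-WAN Manager UI.

```python
import re
import sys
from ipaddress import ip_address

# Constructed sample of /var/log/auth.log lines (not real telemetry).
# 203.0.113.77 is a documentation address standing in for an unknown source.
SAMPLE_AUTH_LOG = """\
Feb 20 03:14:07 vmanage sshd[2201]: Accepted publickey for vmanage-admin from 10.10.1.5 port 41234 ssh2: RSA SHA256:AAAA
Feb 20 03:14:09 vmanage sshd[2201]: pam_unix(sshd:session): session opened for user vmanage-admin by (uid=0)
Feb 20 03:22:51 vmanage sshd[2310]: Accepted publickey for vmanage-admin from 203.0.113.77 port 50512 ssh2: RSA SHA256:BBBB
Feb 20 03:25:13 vmanage sshd[2390]: Accepted password for admin from 10.10.1.9 port 51001 ssh2
Feb 20 03:40:02 vmanage sshd[2455]: Accepted publickey for vmanage-admin from 10.10.1.6 port 41300 ssh2: RSA SHA256:CCCC
"""

# Constructed allowlist standing in for the System IPs shown in the
# SD-WAN Manager UI (WebUI > Devices > System IP).
KNOWN_SYSTEM_IPS = {"10.10.1.5", "10.10.1.6", "10.10.1.9"}

# Syslog timestamp, host, sshd[pid], then the OpenSSH acceptance message.
# "public ?key" matches sshd's "publickey" and the advisory's "public key".
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"Accepted public ?key for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_accepted_publickey(lines, user="vmanage-admin"):
    """Yield (timestamp, source_ip, port) for each accepted key login of `user`."""
    for line in lines:
        m = ACCEPT_RE.match(line)
        if m and m.group("user") == user:
            yield m.group("ts"), m.group("ip"), int(m.group("port"))


def find_unknown_sources(lines, known_ips, user="vmanage-admin"):
    """Return key-based logins of `user` whose source is not a known System IP.

    Addresses that fail to parse are reported too: a malformed source field
    is itself worth a look rather than something to silently skip.
    """
    known = {ip_address(ip) for ip in known_ips}
    hits = []
    for ts, ip, port in parse_accepted_publickey(lines, user):
        try:
            addr = ip_address(ip)
        except ValueError:
            hits.append((ts, ip, port))
            continue
        if addr not in known:
            hits.append((ts, ip, port))
    return hits


def summarize_by_source(lines, user="vmanage-admin"):
    """Count accepted key logins of `user` per source IP, for a quick overview."""
    counts = {}
    for _, ip, _ in parse_accepted_publickey(lines, user):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python check_auth_log.py /var/log/auth.log   (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_AUTH_LOG.splitlines()
    for ts, ip, port in find_unknown_sources(log_lines, KNOWN_SYSTEM_IPS):
        print(f"{ts}  vmanage-admin key login from UNKNOWN source {ip}:{port}")
    print("logins per source:", summarize_by_source(log_lines))
```

On the sample input the only finding is the 203.0.113.77 login; the password login for a different user and the session-open line are ignored by design. Because the attackers were also observed clearing logs under /var/log, an empty or truncated auth.log is itself a signal, so the absence of findings should be weighed against whether the file looks intact.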
According to information released by ASD-ACSC, UAT-8616 is said to have compromised Cisco SD-WAN deployments since 2023 using a zero-day exploit, allowing it to gain the highest level of access.
“The vulnerability allowed a malicious cyber actor to create a rogue peer integrated into the network management plane, or control plane, of an organization’s SD-WAN,” ASD-ACSC said. “The rogue device appears to be a new but temporary, actor-controlled SD-WAN device that cannot perform trusted actions within the management and control plane.”
After successfully compromising the public-facing system, the attackers were found to use the built-in upgrade mechanism to downgrade the software version and escalate to root by exploiting CVE-2022-20775 (CVSS score: 7.8), a high-severity privilege escalation bug in the Cisco SD-WAN CLI, before rolling the SD-WAN software back to the originally running version.
Some of the follow-on steps taken by the threat actor are:
- Created local user accounts that mimic other local user accounts.
- Added Secure Shell (SSH) authentication keys for root access and modified SD-WAN-related scripts to customize the environment.
- Used Network Configuration Protocol (NETCONF) on port 830 and SSH to connect to, and move between, Cisco SD-WAN appliances within the management plane.
- Took steps to cover its tracks by clearing logs under “/var/log,” command history, and network connection history.
“UAT-8616 exploitation attempts reflect a continuing trend of targeting network edge devices by cyber threat actors seeking to compromise organizations, including Critical Infrastructure (CI) sectors,” Talos said.
This development prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add both CVE-2022-20775 and CVE-2026-20127 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply fixes within the next 224 hours.
To check for downgrades and unexpected restart events, CISA recommends analyzing the following logs –
- /var/volatile/log/vdebug
- /var/log/tmplog/vdebug
- /var/volatile/log/sw_script_synccdb.log
CISA also issued a new emergency directive, ED 26-03: Mitigate Risk in Cisco SD-WAN Systems, under which federal agencies are required to inventory SD-WAN devices, apply updates, and assess them for potential compromise.
To that end, agencies are directed to provide a catalog of all in-scope SD-WAN systems in their networks by February 26, 2026, 11:59 pm ET. Additionally, they are required to submit a detailed list of all in-scope products and actions taken by March 5, 2026, 11:59 pm ET. Finally, agencies will have to submit a list of all actions taken to harden their environment by March 26, 2026, 11:59 pm ET.