Cisco SD-WAN Zero-Day Under Exploitation for 3 Years - Dark Reading

VULNERABILITIES & THREATS CYBER RISK APPLICATION SECURITY CYBERATTACKS & DATA BREACHES NEWS Cisco SD-WAN Zero-Day Under Exploitation for 3 Years The maximum-severity vulnerability CVE-2026-20127 was exploited by an unknown but sophisticated threat actor who left very little evidence behind. Rob Wright,Senior News Director,Dark Reading February 26, 2026 4 Min Read SOURCE: MAURICE NORBERT VIA ALAMY STOCK PHOTO Cisco revealed today that a critical zero-day vulnerability in its Catalyst SD-WAN Controller has been exploited in the wild for "at least three years." The vulnerability, tracked as CVE-2026-20127, is an authentication bypass flaw with a maximum CVSS score of 10. An attacker can send crafted requests to vulnerable systems and log into the controllers as an internal, high-privileged, non-root user, according to Cisco's security advisory. In disclosing the zero-day, Cisco warned of "limited exploitation" in the wild. On the same day, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive that requires federal civilian executive branch (FCEB) agencies to patch CVE-2026-20127 — along with a second, older Catalyst SD-WAN flaw tracked as CVE-2022-20775 — by Friday. CISA typically gives FCEB agencies two weeks to patch vulnerabilities that have been exploited in the wild but will sometimes issue emergency directives with tighter deadlines to patch flaws that pose higher risk to the government. Related:Fake PoCs, Misunderstood Risks Cause Cisco SD-WAN Chaos The situation worsened when Cisco Talos published a blog post Wednesday that revealed CVE-2026-20127 exploitation activity went back "at least three years (2023)." The post linked to a 41-page threat hunting guide published by the Australian Signals Directorate Australian Cyber Security Centre and co-authored by CISA, the US National Security Agency (NSA), and other international partners. "Investigation conducted by intelligence partners identified that the actor likely escalated to root user via a software version downgrade," the blog post stated. "The actor then reportedly exploited CVE-2022-20775 before restoring back to the original software version, effectively allowing them to gain root access." Cisco Talos researchers are tracking the exploitation and post-compromise activity as UAT-8616, which they described as "a highly sophisticated cyber threat actor." But it's unclear who UAT-8616 is, and what networks they breached. The Mystery of UAT-8616 According to the threat hunting guide, the international intelligence agencies determined that at least one threat actor had compromised Cisco SD-WANs, then known as SD-WAN vSmart, since 2023. The source of the compromises was identified as CVE-2026-20127 in late 2025. The agencies did not specify what types of organizations were breached or how many victims were impacted by UAT-8616's attacks. However, all activity observed by investigators was limited to SD-WAN components, with no evidence of lateral movement outside those systems and no command-and-control (C2) malware. Related:Cisco Drops 48 New Firewall Vulnerabilities, 2 Critical The threat hunting guide explained that exploitation of CVE-2026-20127 allowed the threat actor to add a rogue peer to the Cisco SD-WAN management and control plane. "The rogue peer is an actor controlled, unauthorised, now trusted peer on the SD-WAN network management system (NMS)," the guide stated. The threat actor used the built-in update mechanism to downgrade a vSmart controller to an earlier version with known local privilege escalation vulnerabilities, including CVE-2022-20775. After downgrading the system, they exploited CVE-2022-20775 and created local accounts for persistence. "The actor used what was likely a publicly available proof of concept exploit for this CVE to run commands as the root user," according to the guide. UAT-8616's identity remains a mystery, given the lack of evidence left behind. However, Scott Caveza, senior staff research engineer at Tenable, noted in a blog post that Cisco flaws have been popular targets for state-sponsored groups. "Nation state-sponsored actors, including Salt Typhoon and Volt Typhoon, have been known for past exploitation of Cisco devices, so it's imperative that immediate action is taken to remediate these vulnerabilities," Caveza wrote. Related:SolarWinds WHD Attacks Highlight Risks of Exposed Apps Mitigating CVE-2026-20127 Cisco Talos highlighted CVE-2026-20127's exploitation activity as part of a larger pattern of threat actor behavior in recent years. "UAT-8616's attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors looking to establish persistent footholds into high-value organizations including Critical Infrastructure (CI) sectors," the blog post said. Cisco strongly urged customers to update their Catalyst SD-WAN Controllers to a fixed version as soon as possible and to restrict access to the instances from unsecured networks like the public Internet. "Cisco Catalyst SD-WAN Controller systems that are exposed to the Internet and that have ports exposed to the Internet are at risk of exposure to compromise," the networking giant stated. Additionally, Cisco recommended organizations disable HTTP access for the Catalyst SD-WAN Manager web UI administrator portal and change the default administrator password to a more secure password. To identify potential compromises, the intelligence agencies urged customers to analyze their controllers for potential rogue peering, version downgrades, and unexpected reboots. The threat hunting guide also advised customers to protect SD-WAN controllers with firewalls, enable centralized logging, and use the "golden star" version of the software. "This ensures that the SD-WAN can implement the most current security features," the guide stated. About the Author Rob Wright Senior News Director, Dark Reading Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.  More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report The ROI of AI in Security Cybersecurity Forecast 2026 ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like VULNERABILITIES & THREATS Cheap Hardware Module Bypasses AMD, Intel Memory Encryption by Rob Wright NOV 25, 2025 VULNERABILITIES & THREATS Patch Now: Microsoft Flags Zero-Day & Critical Zero-Click Bugs by Jai Vijayan, Contributing Writer NOV 11, 2025 VULNERABILITIES & THREATS AI Agents Fail in Novel Ways, Put Businesses at Risk by Robert Lemos, Contributing Writer MAY 07, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ APPLICATION SECURITY Microsoft Patches 83 CVEs in March Update byJai Vijayan MAR 11, 2026 4 MIN READ THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE