Critical Cisco SD-WAN 0-Day Vulnerability Exploited Since 2023 to Gain Root Access - CyberSecurityNews

CyberSecurityNews · Published Mar 20, 2026 · Archived Mar 20, 2026

Cisco has disclosed a critical zero-day vulnerability in its Catalyst SD-WAN products that threat actors have exploited since 2023 to bypass authentication and achieve root access. Tracked as CVE-2026-20127, the flaw affects core networking components and prompts urgent patching amid active attacks.

CVE-2026-20127 stems from a flaw in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). An unauthenticated remote attacker can send crafted requests to bypass checks, logging in as a high-privileged, non-root internal user account. This access enables NETCONF manipulation, allowing changes to the entire SD-WAN fabric's network configuration, such as adding rogue peers or altering routing.

The vulnerability carries a CVSS v3.1 base score of 10.0 (Critical), with attack vector Network, low complexity, no privileges required, and no user interaction needed. It impacts on-premises deployments and Cisco-hosted SD-WAN Cloud environments, including standard, managed, and FedRAMP setups. Cisco released patches on February 25, 2026, but confirmed no workarounds exist.

Exploitation Timeline

Active exploitation dates back to at least 2023, as uncovered by Cisco Talos after discovering in-the-wild zero-day use. Talos tracks the campaign as UAT-8616, linking it to post-compromise persistence in high-value targets like critical infrastructure. Attackers added malicious rogue peers to configurations, enabling long-term network access. Post-bypass, actors reportedly downgraded software versions to exploit CVE-2022-20775, a path-traversal flaw, for root escalation, then restored the originals to evade detection. This chain highlights sophisticated tactics targeting network edge devices for footholds.
Incidents reported by intelligence partners confirm compromise of internet-exposed management/control planes. Cisco Talos attributes the attacks to UAT-8616, assessed with high confidence as a highly sophisticated actor. The group focuses on SD-WAN for persistent access in critical sectors, continuing a trend of edge device targeting. No public IOCs are detailed yet, but hunt guides from partners emphasize checking peer configurations and version histories.

Product | Affected Versions | Fixed Versions
SD-WAN Controller (vSmart) | 20.3.1 – 20.14.3, 20.15.1 | 20.14.4, 20.15.2
SD-WAN Manager (vManage) | 20.3.1 – 20.14.3, 20.15.1 | 20.14.4, 20.15.2

Verification involves inventorying exposed ports and auditing NETCONF logs for anomalies. Temporary mitigations include restricting management plane access and monitoring for unauthorized peers.

CISA added CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities Catalog on February 25, 2026. Emergency Directive 26-03 mandates FCEB agencies to inventory SD-WAN systems, patch within 21 days, and hunt for compromise indicators. The Australian Cyber Security Centre and Canadian Cyber Centre issued parallel alerts, noting real-world rogue peer additions.

Mitigation Steps

1. Immediately apply Cisco patches from the advisory.
2. Inventory all SD-WAN deployments, focusing on internet-facing controllers.
3. Scan for rogue peers via CLI (show sdwan omp peers detail) and review NETCONF sessions.
4. Enable logging for authentication failures and version changes; reset compromised configs if detected.
5. Contact Cisco TAC for support and follow Talos hunt guidance.

Organizations in critical infrastructure should prioritize checks, as UAT-8616 seeks enduring persistence. Broader adoption of zero-trust for edge devices counters such trends.
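As an added illustration of the two hunt checks the mitigation steps call for (rogue peers and version-change history), here is example code that is not from the article, Cisco, or Talos. The peer listing and the version history it consumes are constructed samples, and the line layout the parser expects is an assumption: real `show sdwan omp peers detail` output and Cisco's version-change logging differ from this sketch, so the regular expressions and the history tuples must be adapted to what you actually collect. The second check looks for the pattern the article describes, a downgrade followed by a restore of the previously running version.

```python
"""
Hunt helpers for two checks from the article's mitigation guidance:
  1. OMP peers that are not in an approved inventory, and
  2. a software downgrade followed by a restore of the original version.

All sample data below is CONSTRUCTED for this example. The per-peer block
layout and the version-history format are assumptions, not Cisco's real
output; adapt the regular expressions to the output of your platform.
"""
import re
from dataclasses import dataclass

# Constructed approximation of a per-peer block (assumed layout, not real output).
SAMPLE_PEER_OUTPUT = """\
peer 10.10.1.5
  type vsmart
  site-id 100
  state up
peer 10.10.1.6
  type vsmart
  site-id 100
  state up
peer 203.0.113.77
  type vsmart
  site-id 9999
  state up
"""

# Approved controller addresses; in practice this comes from your CMDB/inventory.
APPROVED_PEERS = {"10.10.1.5", "10.10.1.6"}

# Constructed (timestamp, running version) history; the version strings are
# sample values except 20.14.4, which the article lists as a fixed release.
SAMPLE_VERSION_HISTORY = [
    ("2025-11-02T01:10:00Z", "20.12.4"),
    ("2025-11-02T01:35:00Z", "20.6.3"),   # downgrade
    ("2025-11-02T02:20:00Z", "20.12.4"),  # restored to the original version
    ("2026-02-26T09:00:00Z", "20.14.4"),  # ordinary upgrade to a fixed release
]


@dataclass(frozen=True)
class Peer:
    address: str
    peer_type: str
    site_id: str
    state: str


def parse_peers(text):
    """Parse the assumed 'peer <addr>' blocks into Peer records."""
    peers, current = [], None
    for line in text.splitlines():
        m = re.match(r"^peer\s+(\S+)", line)
        if m:
            if current:
                peers.append(Peer(**current))
            current = {"address": m.group(1), "peer_type": "", "site_id": "", "state": ""}
            continue
        m = re.match(r"^\s+(type|site-id|state)\s+(\S+)", line)
        if m and current is not None:
            key = {"type": "peer_type", "site-id": "site_id", "state": "state"}[m.group(1)]
            current[key] = m.group(2)
    if current:
        peers.append(Peer(**current))
    return peers


def find_rogue_peers(text, approved):
    """Peers present in the listing but absent from the approved inventory."""
    return [p for p in parse_peers(text) if p.address not in approved]


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def find_downgrade_restore(history):
    """Return (downgrade_time, restore_time, original, downgraded_to) hits.

    A hit is a step to a lower version that is later followed by a return to
    the exact version that was running before the downgrade.
    """
    hits = []
    for i in range(1, len(history)):
        _, prev_v = history[i - 1]
        ts, v = history[i]
        if version_tuple(v) < version_tuple(prev_v):
            for later_ts, later_v in history[i + 1:]:
                if later_v == prev_v:
                    hits.append((ts, later_ts, prev_v, v))
                    break
    return hits


if __name__ == "__main__":
    for p in find_rogue_peers(SAMPLE_PEER_OUTPUT, APPROVED_PEERS):
        print(f"unapproved peer: {p.address} site-id={p.site_id} state={p.state}")
    for down_ts, up_ts, orig, low in find_downgrade_restore(SAMPLE_VERSION_HISTORY):
        print(f"downgrade {orig} -> {low} at {down_ts}, restored at {up_ts}")
```

Both checks are only as good as their inputs: the approved-peer set must come from a source of truth the attacker could not have edited through the same NETCONF access, and the version history should be taken from logs shipped off-box, since a restored original version is exactly what the article says the actors left behind on the device itself.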