Cisco SD-WAN Zero-Day Under Active Exploitation Grants Attackers Root-Level Control - cyberpress.org
By AnuPriya
February 26, 2026
Categories: Cyber Security News, Cybersecurity, Vulnerability
Cisco has disclosed a critical zero-day vulnerability in its Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage), actively exploited by sophisticated threat actors since at least 2023 to bypass authentication and seize root-level control.
Vulnerability Overview
Tracked as CVE-2026-20127 (Advisory ID: cisco-sa-sdwan-rpa-EHchtZk), this flaw stems from improper peering authentication (CWE-287).
An unauthenticated remote attacker can send crafted requests to bypass controls, logging in as a high-privileged, non-root internal user.
From there, attackers access NETCONF to manipulate SD-WAN fabric configurations, disrupting networks or enabling persistence.
Cisco Talos reports exploitation clustered as “UAT-8616,” attributing it with high confidence to a sophisticated cyber threat actor targeting network edge devices.
Evidence shows activity dating back to 2023, predating public disclosure on February 25, 2026 (Version 1.0, Final).
Attribute         | Details
CVE ID            | CVE-2026-20127
CVSS 3.1 Base Score | 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Cisco Bug ID      | CSCws52722
Affected Products | Cisco Catalyst SD-WAN Controller (vSmart), Catalyst SD-WAN Manager (vManage)
After the initial authentication bypass via CVE-2026-20127, UAT-8616 escalates privileges by downgrading the software version, exploiting CVE-2022-20775 to obtain root access, and then restoring the original version to evade detection.
Intelligence partners, including the ACSC, detailed this in a hunt guide, confirming persistent footholds in critical infrastructure (CI) sectors.
This aligns with trends in edge device targeting, where actors establish long-term access for data exfiltration, lateral movement, or command-and-control (C2).
Talos notes unauthorized peering connections as a hallmark, often from anomalous IPs or at odd hours.
Detection Indicators (IOCs)
Monitor Cisco SD-WAN logs for these red flags:
Unauthorized control connection peering events, especially vManage types.
Peering from unrecognized IP addresses or inconsistent device types.
Unexpected software downgrades or CVE-2022-20775 traces.
Anomalous NETCONF access or fabric configuration changes.
Even legitimate-looking peering requires manual validation, since superficially normal events may mask compromise.
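The hunt described above, written out as an added example (not code from Cisco, Talos or the ACSC guide). It runs the four indicators over a constructed list of normalized control-connection events; the record fields, the KNOWN_PEERS inventory and the sample IPs and versions are assumptions, not a real Cisco log format.

```python
# Hunt over normalized SD-WAN control-connection events for the red flags above.
# Assumed record shape (constructed, not a Cisco log format):
#   peering: type, src_ip, device_type   version: type, host, version   netconf: type, src_ip

# Assumed inventory of known-good controllers: peer IP -> expected device type.
KNOWN_PEERS = {"10.0.0.10": "vmanage", "10.0.0.20": "vsmart", "10.0.0.30": "vbond"}
NETCONF_SOURCES = {"10.0.0.10"}  # assumption: only the vManage host pushes NETCONF


def version_tuple(v):
    """'20.9.3' -> (20, 9, 3) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def hunt(events):
    """Return (event index, reason) for every event that matches an indicator."""
    findings, last_version, downgraded = [], {}, set()
    for i, ev in enumerate(events):
        if ev["type"] == "peering":
            expected = KNOWN_PEERS.get(ev["src_ip"])
            if expected is None:
                findings.append((i, "peering from unrecognized IP"))
            elif expected != ev["device_type"]:
                findings.append((i, "peering device type mismatch"))
        elif ev["type"] == "version":
            host, cur = ev["host"], version_tuple(ev["version"])
            prev = last_version.get(host)
            if prev is not None and cur < prev:           # the downgrade step
                findings.append((i, "software downgrade"))
                downgraded.add(host)
            elif prev is not None and cur > prev and host in downgraded:
                findings.append((i, "version restored after downgrade"))
            last_version[host] = cur
        elif ev["type"] == "netconf" and ev["src_ip"] not in NETCONF_SOURCES:
            findings.append((i, "NETCONF access from unexpected source"))
    return findings


SAMPLE_EVENTS = [  # constructed sample, mirroring the downgrade-then-restore pattern
    {"type": "peering", "src_ip": "10.0.0.10", "device_type": "vmanage"},
    {"type": "peering", "src_ip": "203.0.113.7", "device_type": "vmanage"},
    {"type": "peering", "src_ip": "10.0.0.20", "device_type": "vmanage"},
    {"type": "version", "host": "vmanage-1", "version": "20.9.3"},
    {"type": "version", "host": "vmanage-1", "version": "20.6.1"},
    {"type": "version", "host": "vmanage-1", "version": "20.9.3"},
    {"type": "netconf", "src_ip": "203.0.113.7"},
]

if __name__ == "__main__":
    for i, reason in hunt(SAMPLE_EVENTS):
        print(f"event {i}: {reason} -> {SAMPLE_EVENTS[i]}")
```

The version check deliberately keeps per-host state so a downgrade followed by a restore to the original release, the pattern Talos describes, produces two findings rather than cancelling out.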
With a maximum 10.0 CVSS score, exploitation grants scope-changing administrative control over SD-WAN overlays, affecting VPNs, routing, and segmentation.
High-value targets like CI face supply chain risks, enabling ransomware deployment or espionage. No workarounds exist, but Cisco patches address the root cause.
Apply Patches Immediately: Upgrade to fixed releases via Cisco’s advisory. Verify via TAC support.
Audit Logs: Review peering events retrospectively to 2023; hunt for UAT-8616 patterns using the ACSC Hunt Guide.
Network Segmentation: Isolate controllers; enforce strict peering validation.
Monitoring Enhancements: Deploy SIEM rules for anomalous authentications and version changes.
Incident Response: If compromised, isolate systems, rotate credentials, and engage forensics.
Talos urges SD-WAN users to prioritize these steps, emphasizing proactive hunts.
Organizations relying on Cisco SD-WAN must act swiftly amid rising edge device attacks. This zero-day underscores the need for continuous vulnerability management in enterprise networks.
AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.