SOC Prime Blog

CVE-2026-20127: Cisco SD-WAN Zero-Day Exploited Since 2023
By Daryna Olyniychuk

26 February 2026, 08:56
CVE-2026-20127 in Cisco Catalyst SD-WAN Controller

New day, new vulnerability in the spotlight. We’re once again seeing how quickly weaponized flaws in widely deployed platforms turn into real operational risk. Coverage of maximum-severity Cisco bugs (CVE-2025-20393, CVE-2026-20045), as well as the Dell RecoverPoint zero-day CVE-2026-22769, shows that attackers are increasingly prioritizing edge-facing infrastructure that quietly controls traffic flows, identity paths, and service availability.

That story continues with CVE-2026-20127, a critical authentication bypass affecting Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). Cisco Talos reports the flaw is being actively exploited and tracks the activity as UAT-8616, assessing with high confidence that a highly sophisticated threat actor has been exploiting it since at least 2023.

GreyNoise’s 2026 State of the Edge Report shows why confirmed exploitation in edge-facing network control systems demands urgent action. In H2 2025, GreyNoise observed 2.97 billion malicious sessions from 3.8 million unique source IPs targeting internet-facing infrastructure, underscoring how quickly exploitation traffic scales once attackers focus on an exposed surface.

Register for SOC Prime’s AI-Native Detection Intelligence Platform, backed by cutting-edge technologies and top cybersecurity expertise to outscale cyber threats and build a resilient cybersecurity posture. Click Explore Detections to access the comprehensive collection of SOC content for vulnerability exploit detection, filtered by the custom “CVE” tag.

Detections from the dedicated rule set can be applied across multiple SIEM, EDR, and Data Lake platforms and are mapped to the latest MITRE ATT&CK® framework v18.1. Security teams can also leverage Uncoder AI to accelerate detection engineering end-to-end by generating rules directly from live threat reports, refining and validating detection logic, auto-visualizing Attack Flows, converting IOCs into custom hunting queries, and instantly translating detection code across diverse language formats.

CVE-2026-20127 Analysis

Cisco Talos describes CVE-2026-20127 as a flaw that lets an unauthenticated remote attacker bypass authentication and obtain administrative privileges on an affected system by sending crafted requests. Cisco’s public advisory attributes the root cause to an improperly functioning peering authentication mechanism.

A successful exploit can let an attacker log in to a Catalyst SD-WAN Controller as an internal, high-privileged, non-root account, then use that access to reach NETCONF and manipulate SD-WAN fabric configuration. That kind of control-plane access is exactly what makes SD-WAN incidents so disruptive, as the attackers are in a position to shape how the network behaves.

Multiple government and partner advisories describe a common post-exploitation path. After exploiting CVE-2026-20127, actors have been observed adding a rogue peer and then moving toward root access and long-term persistence within SD-WAN environments. Talos adds that intelligence partners observed escalation involving a software version downgrade, exploitation of CVE-2022-20775, and then restoration back to the original version, a sequence that can complicate detection if teams only validate the “current” running version.

Because exploitation is confirmed and impacts systems used to manage connectivity across sites and clouds, CISA issued Emergency Directive 26-03 for U.S. federal civilian agencies, with an accelerated requirement to complete required actions by 5:00 PM (ET) on February 27, 2026. FedRAMP also relayed the same urgency to cloud providers supporting federal environments. 

CVE-2026-20127 Mitigation

According to Cisco’s advisory, CVE-2026-20127 affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager regardless of device configuration, across these deployment types:

  • On-Prem Deployment
  • Cisco Hosted SD-WAN Cloud
  • Cisco Hosted SD-WAN Cloud – Cisco Managed
  • Cisco Hosted SD-WAN Cloud – FedRAMP Environment 

Cisco also notes there are no workarounds that fully address this vulnerability. The durable fix is upgrading to a patched release, with the exact fixed versions listed in Cisco’s advisory under the Fixed Software section.

Start by treating an upgrade to a fixed release as the only complete remediation, and verify that the fix is actually in place on every in-scope Catalyst SD-WAN Controller and Manager instance rather than assuming it from an inventory record.

Next, to reduce the attack surface while patching and validation are under way, CISA and UK NCSC guidance emphasize restricting network exposure, placing SD-WAN control components behind firewalls, and isolating management interfaces from untrusted networks. In parallel, forward SD-WAN logs to external systems so that an attacker cannot simply erase the local evidence.

Finally, treat this as both a patching event and an investigation. Cisco recommends auditing /var/log/auth.log for entries such as “Accepted publickey for vmanage-admin” from unknown or unauthorized IP addresses, then comparing those source IPs against the System IPs configured in the Manager UI (WebUI > Devices > System IP). If compromise is suspected, Cisco advises engaging Cisco TAC and collecting the admin-tech output (for example, via request admin-tech) for review.

Because the reported activity can include a software version downgrade and unexpected reboots as part of the post-compromise chain, public guidance also recommends checking the following logs for downgrade and reboot indicators:

  • /var/volatile/log/vdebug
  • /var/log/tmplog/vdebug
  • /var/volatile/log/sw_script_synccdb.log

To strengthen coverage beyond patching and mitigation steps, rely on the SOC Prime Platform to reach the world’s largest detection intelligence dataset, adopt an end-to-end pipeline that spans detection through simulation while streamlining security operations and speeding up response workflows, reduce engineering overhead, and stay ahead of emerging threats.

FAQ

What is CVE-2026-20127 and how does it work?

CVE-2026-20127 is a critical authentication bypass in Cisco Catalyst SD-WAN Controller and SD-WAN Manager that lets an unauthenticated attacker send crafted requests and gain administrative access due to a broken peering authentication check.

When was CVE-2026-20127 first discovered?

Cisco disclosed it in late February 2026, while Cisco Talos reports evidence that CVE-2026-20127 has already been exploited in real attacks since at least 2023.

What risks does CVE-2026-20127 pose to systems?

It can hand attackers control-plane access, enabling them to add a rogue peer, change SD-WAN fabric configuration via NETCONF, and move toward persistence and root-level control, including downgrade-and-restore activity tied to chaining with CVE-2022-20775.

Can CVE-2026-20127 still affect me in 2026?

Yes. If you have not patched, or you patched without checking for compromise, you may still be at risk.

How can you protect from CVE-2026-20127?

Upgrade to Cisco’s fixed releases, restrict exposure of SD-WAN control components, and review logs for signs of suspicious access; involve Cisco TAC if anything looks abnormal.



Firewall Daily – The Cyber Express

Hackers Exploited Cisco SD-WAN Zero-Day for Three Years Before Detection
By Mihir Bagwe

26 February 2026, 04:31

CISCO SD-WAN, Cisco, SD-WAN, CISA, ASD, Zero-Day

Cisco Talos disclosed that a highly sophisticated threat actor exploited a critical authentication bypass vulnerability in Cisco SD-WAN infrastructure for at least three years before security researchers discovered the zero-day attacks.

The vulnerability, tracked as CVE-2026-20127 with a maximum CVSS severity score of 10.0, allowed unauthenticated remote attackers to gain administrative privileges and add malicious rogue peers to enterprise networks.

Cisco Talos tracks the exploitation activity to UAT-8616, assessing with high confidence that a sophisticated cyber threat actor conducted the campaign targeting network edge devices to establish persistent footholds into high-value organizations including critical infrastructure sectors. Evidence shows malicious activity dates back to at least 2023, with the vulnerability actively exploited as a zero-day throughout that period.

The flaw affects Cisco Catalyst SD-WAN Controller, formerly known as vSmart, and Cisco Catalyst SD-WAN Manager, formerly vManage, in both on-premises and cloud-hosted deployments. The vulnerability stems from broken peering authentication mechanisms that fail to properly validate trust relationships when SD-WAN components establish connections.

Attackers exploited the authentication bypass by sending crafted requests that vulnerable systems accepted as trusted, allowing them to log in as internal, high-privileged, non-root user accounts. This access enabled manipulation of NETCONF configurations, granting control over the entire SD-WAN fabric's network settings including routing policies and device authentication.

Downgrade-Penetrate-Upgrade

The attack chain demonstrated exceptional sophistication. After achieving initial access through CVE-2026-20127, intelligence partners identified that UAT-8616 likely escalated to root privileges by downgrading SD-WAN software to older versions vulnerable to CVE-2022-20775, a path traversal privilege escalation flaw patched in 2022. The attackers then exploited that vulnerability to gain root access before restoring the original software version, effectively covering their tracks while maintaining elevated privileges.

This downgrade-exploit-restore technique evaded detection mechanisms that would flag outdated software or unusual privilege escalations. By reverting to the original version after exploitation, attackers obtained root access while appearing to run current, patched software in routine security audits.
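The practical lesson of the downgrade-exploit-restore sequence is that checking only the currently running version proves nothing about what ran last week. Below is an added example (not Cisco’s or Talos’s code) that takes an ordered series of version observations, such as the ones a team might extract from the vdebug or sw_script_synccdb.log files named in the hunt guidance, collapses reboots on the same version, and reports every downgrade that was later followed by a return to the pre-downgrade release. The observation timestamps, versions and log shape are constructed for illustration; the page does not state which releases are still exposed to CVE-2022-20775, so the code detects the shape of the sequence rather than a specific vulnerable version.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VersionEvent:
    ts: str       # ISO-8601 timestamp of the observation (constructed for this example)
    version: str  # Catalyst SD-WAN release string, e.g. "20.12.4"


def version_key(v: str) -> tuple[int, ...]:
    """Numeric tuple so that '20.9.5.2' sorts before '20.12.4' (string compare gets this wrong)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def collapse(events: list[VersionEvent]) -> list[VersionEvent]:
    """Sort by time and drop consecutive repeats, so a reboot on the same release is not a change."""
    out: list[VersionEvent] = []
    for e in sorted(events, key=lambda e: e.ts):
        if not out or out[-1].version != e.version:
            out.append(e)
    return out


def current_version(events: list[VersionEvent]) -> str:
    """What a 'current version only' audit sees: the most recent observation."""
    return collapse(events)[-1].version


def find_downgrade_restore(events: list[VersionEvent]
                           ) -> list[tuple[VersionEvent, VersionEvent, VersionEvent]]:
    """Return (before, downgraded, restored) triples.

    A triple is emitted for each transition where the release number dropped and a later
    observation shows it back at, or above, the pre-downgrade release.  A downgrade that
    is never restored (a deliberate rollback) is not reported here.
    """
    seq = collapse(events)
    findings = []
    for i in range(len(seq) - 1):
        before, after = seq[i], seq[i + 1]
        if version_key(after.version) < version_key(before.version):
            for later in seq[i + 2:]:
                if version_key(later.version) >= version_key(before.version):
                    findings.append((before, after, later))
                    break
    return findings


# Constructed version history for one controller (not real device output).
SAMPLE_EVENTS = [
    VersionEvent("2025-11-02T01:10:00Z", "20.12.4"),
    VersionEvent("2025-11-02T01:12:00Z", "20.12.4"),   # routine reboot, same release
    VersionEvent("2025-11-15T03:02:00Z", "20.6.3"),    # unexplained downgrade
    VersionEvent("2025-11-15T03:41:00Z", "20.12.4"),   # restored 39 minutes later
    VersionEvent("2026-01-10T08:00:00Z", "20.12.5"),   # later legitimate upgrade
]

if __name__ == "__main__":
    print("current version:", current_version(SAMPLE_EVENTS))
    for before, down, back in find_downgrade_restore(SAMPLE_EVENTS):
        print(f"DOWNGRADE-RESTORE: {before.version} -> {down.version} at {down.ts}, "
              f"back to {back.version} at {back.ts}")
```

On the constructed history the current-version check returns 20.12.5 and raises no alarm, while `find_downgrade_restore` surfaces the 20.12.4 to 20.6.3 to 20.12.4 excursion, which is exactly the window in which an older release could have been exploited.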

Australian Cyber Defenders Credited for the Findings

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) is credited with discovering and reporting the vulnerability to Cisco. ACSC published a joint hunt guide warning that malicious actors are targeting Cisco Catalyst SD-WAN deployments globally to add rogue peers, then conduct follow-on actions to achieve root access and maintain persistent control.

CISA and Others Scramble to Patch

CISA issued Emergency Directive 26-03 on Wednesday, requiring Federal Civilian Executive Branch agencies to inventory Cisco SD-WAN systems, collect forensic artifacts, ensure external log storage, apply updates and investigate potential compromise by 5:00 PM ET on Friday. The directive stated exploitation poses an imminent threat to federal networks.

CISA added both CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities catalog. The UK's National Cyber Security Centre issued parallel warnings urging organizations to urgently investigate exposure and hunt for malicious activity using international partner guidance.

Cisco released patches for all affected software versions. The company said upgrading to fixed releases represents the only complete remediation, as no workarounds exist. Versions 20.11, 20.13, 20.14, 20.16 and versions prior to 20.9 have reached end-of-life and will not receive patches, requiring organizations to upgrade to supported releases.

Indicators to Look Out For

Talos identified high-fidelity indicators of UAT-8616 compromise, including:

  • creation, usage and deletion of malicious user accounts with absent bash and CLI history
  • interactive root sessions on production systems with unaccounted-for SSH keys and known hosts
  • unauthorized SSH keys for the vmanage-admin account
  • abnormally small or empty logs, or evidence of log clearing or truncation
  • presence of CLI history files for users without corresponding bash history

Organizations using Cisco Catalyst SD-WAN should immediately check for control connection peering events in logs, as this may indicate attempted exploitation. The most critical indicator is any unexpected peering event, particularly from unknown or unverified sources attempting to join the SD-WAN control plane.

This latest campaign follows a pattern of threat actors targeting network infrastructure devices that provide strategic access to enterprise environments. Compromising SD-WAN controllers offers exceptional operational leverage because these systems manage routing, policy enforcement and device authentication across distributed networks.

Talos stated that SD-WAN management interfaces must never be exposed to the internet; organizations that nonetheless run internet-facing management planes face the greatest compromise risk. The targeting reflects a continuing trend in which advanced threat actors prioritize control-plane technologies over endpoints, recognizing that infrastructure compromise yields broader network access.

The three-year exploitation window before discovery also shows the detection challenge posed by infrastructure vulnerabilities. Unlike endpoint malware, which generates behavioral signatures, an authentication bypass in a management system may leave minimal forensic evidence, especially when attackers use techniques such as software version manipulation to evade monitoring.

Organizations should follow Cisco's hardening guidance, implement robust logging with external storage, regularly audit SD-WAN peering configurations, restrict management interface access, and conduct thorough compromise assessments using indicators provided in the joint hunt guide from CISA, NCSC and Australian authorities.
