  • ✇Security Boulevard
  • Security Architecture for Hybrid Work: Enterprise Guide  Darren Kyle
    With 52% of U.S. employers adopting hybrid models, traditional perimeters are failing. Discover how to build a robust hybrid work security architecture using Secure SD-WAN, SASE, Zero Trust Network Access (ZTNA), and automated threat detection (SIEM/SOAR) to protect a dispersed workforce in 2026.

US Agencies Face CISA Deadline Over Critical Cisco SD-WAN Flaw

US agencies race to meet a CISA deadline after a critical Cisco SD-WAN Flaw exposed federal networks to long-term intrusion and forced security action.
  • ✇Security Affairs
  • Cisco flags ongoing exploitation of two recently patched Catalyst SD-WAN flaws Pierluigi Paganini

Cisco flags ongoing exploitation of two recently patched Catalyst SD-WAN flaws

March 6, 2026, 12:14

Cisco warns that two recently patched Catalyst SD-WAN flaws, CVE-2026-20128 and CVE-2026-20122, are already being actively exploited in the wild.

Cisco warned customers that threat actors are actively exploiting two recently patched Catalyst SD-WAN vulnerabilities, CVE-2026-20128 and CVE-2026-20122. The networking giant urged organizations to apply the latest security updates to reduce the risk of compromise.

“Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information, and overwrite arbitrary files,” reads the advisory published by Cisco.

Cisco released security patches on February 25 for five Catalyst SD-WAN vulnerabilities, including fixes for critical and high-severity flaws that could allow attackers to access systems and gain root privileges. On March 5, the company updated its advisory to warn that two of them, CVE-2026-20128 and CVE-2026-20122, are already being exploited in the wild.

The flaw CVE-2026-20128 exposes the Data Collection Agent feature, letting a local authenticated attacker gain DCA privileges, while the vulnerability CVE-2026-20122 allows a remote authenticated attacker to overwrite arbitrary files through the SD-WAN Manager API and escalate privileges.

“In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only.” reads the update. “The vulnerabilities that are described in the other CVEs in this advisory are not known to have been compromised. Cisco strongly recommends that customers upgrade to a fixed software release to remediate these vulnerabilities.”

The company did not share details about the attacks exploiting these vulnerabilities.

At the end of February, the company warned of another critical SD-WAN vulnerability, tracked as CVE-2026-20127 (CVSS score of 10.0), that has been actively exploited since 2023. The flaw affects Catalyst SD-WAN Controller and Manager and allows remote, unauthenticated attackers to bypass authentication and gain full administrative access by sending a crafted request to vulnerable systems.

“This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system.” reads the advisory. “A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”

The vulnerability impacts all Cisco Catalyst SD-WAN deployments, regardless of configuration. Affected environments include:

  • On-Prem deployments
  • Cisco Hosted SD-WAN Cloud
  • Cisco Hosted SD-WAN Cloud – Cisco Managed
  • Cisco Hosted SD-WAN Cloud – FedRAMP

Cisco credited the Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC) for reporting the issue and is tracking related exploitation under the name UAT-8616, describing the actor as highly sophisticated.

The flaw has been fixed in updated Cisco Catalyst SD-WAN releases, including: 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, and 20.18.2.1. Customers running versions prior to 20.9.1 are advised to migrate to a patched release.

Cisco Talos tracks the exploitation as UAT-8616, a highly sophisticated threat actor active since at least 2023. Investigators found the group likely downgraded software to escalate privileges to root, exploited CVE-2022-20775, and then restored the original version to maintain stealthy root access. The campaign highlights the ongoing targeting of network edge devices to gain persistent access to high-value and critical infrastructure organizations. Customers are urged to apply the security updates immediately.

“Talos clusters this exploitation and subsequent post-compromise activity as “UAT-8616” whom we assess with high confidence is a highly sophisticated cyber threat actor. After the discovery of active exploitation of the 0-day in the wild, we were able to find evidence that the malicious activity went back at least three years (2023).” reads the report published by Cisco Talos. “Investigation conducted by intelligence partners identified that the actor likely escalated to root user via a software version downgrade. The actor then reportedly exploited CVE-2022-20775 before restoring back to the original software version, effectively allowing them to gain root access.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco)

  • ✇Security Affairs
  • U.S. CISA adds Cisco SD-WAN flaws to its Known Exploited Vulnerabilities catalog Pierluigi Paganini

U.S. CISA adds Cisco SD-WAN flaws to its Known Exploited Vulnerabilities catalog

February 26, 2026, 12:04

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Cisco SD-WAN flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two Cisco SD-WAN flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2022-20775 Cisco Catalyst SD-WAN Path Traversal Vulnerability
  • CVE-2026-20127 Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability 

This week, Cisco warned of a critical Cisco SD-WAN vulnerability, tracked as CVE-2026-20127 (CVSS score of 10.0), which has been actively exploited since 2023. The flaw affects Catalyst SD-WAN Controller and Manager and allows remote, unauthenticated attackers to bypass authentication and gain full administrative access by sending a crafted request to vulnerable systems.

“This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system.” reads the advisory. “A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”

The vulnerability impacts all Cisco Catalyst SD-WAN deployments, regardless of configuration. Affected environments include:

  • On-Prem deployments
  • Cisco Hosted SD-WAN Cloud
  • Cisco Hosted SD-WAN Cloud – Cisco Managed
  • Cisco Hosted SD-WAN Cloud – FedRAMP

Cisco credited the Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC) for reporting the issue and is tracking related exploitation under the name UAT-8616, describing the actor as highly sophisticated.

The flaw has been fixed in updated Cisco Catalyst SD-WAN releases, including: 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, and 20.18.2.1. Customers running versions prior to 20.9.1 are advised to migrate to a patched release.

Cisco Talos tracks the exploitation as UAT-8616, a highly sophisticated threat actor active since at least 2023. Investigators found the group likely downgraded software to escalate privileges to root, exploited CVE-2022-20775, and then restored the original version to maintain stealthy root access. The campaign highlights the ongoing targeting of network edge devices to gain persistent access to high-value and critical infrastructure organizations. Customers are urged to apply the security updates immediately.

“Talos clusters this exploitation and subsequent post-compromise activity as “UAT-8616” whom we assess with high confidence is a highly sophisticated cyber threat actor. After the discovery of active exploitation of the 0-day in the wild, we were able to find evidence that the malicious activity went back at least three years (2023).” reads the report published by Cisco Talos. “Investigation conducted by intelligence partners identified that the actor likely escalated to root user via a software version downgrade. The actor then reportedly exploited CVE-2022-20775 before restoring back to the original software version, effectively allowing them to gain root access.”

Cisco warns that internet-exposed Catalyst SD-WAN Controllers are at risk. Customers should review /var/log/auth.log for suspicious “Accepted publickey for vmanage-admin” entries from unknown IPs and verify them against authorized System IPs in the web UI. All control peering events, especially vManage, must be manually validated for unusual timing, IPs, or device roles. If compromise is suspected, open a TAC case and collect admin-tech files. There are no full workarounds; restricting ports 22 and 830 may help temporarily, but upgrading to a fixed release is strongly recommended.

Cisco PSIRT has confirmed limited real-world exploitation of the vulnerability and strongly urges customers to upgrade to a patched software version to address the issue.

CVE-2022-20775 is a privilege escalation vulnerability in the CLI of Cisco SD-WAN Software. It arises from improper access controls on certain CLI commands, allowing an authenticated local attacker to execute maliciously crafted commands. Successful exploitation lets the attacker run arbitrary commands with root privileges, potentially compromising the entire system. Cisco has released software updates to fix the issue, and no workarounds are available. More details can be found here.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA urges federal agencies to fix the Dell RecoverPoint flaw by the end of this week, on February 21, while ordering the agencies to address the GitLab issue by February 27, 2026.

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

  • ✇Security Affairs
  • Hackers abused Cisco SD-WAN zero-day since 2023 to gain full admin control Pierluigi Paganini

Hackers abused Cisco SD-WAN zero-day since 2023 to gain full admin control

February 26, 2026, 08:40

Cisco SD-WAN vulnerability CVE-2026-20127 has been exploited since 2023 to gain unauthenticated admin access.

A critical Cisco SD-WAN vulnerability, tracked as CVE-2026-20127 (CVSS score of 10.0), has been actively exploited since 2023. The flaw affects Catalyst SD-WAN Controller and Manager and allows remote, unauthenticated attackers to bypass authentication and gain full administrative access by sending a crafted request to vulnerable systems.

“This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system.” reads the advisory. “A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”

The vulnerability impacts all Cisco Catalyst SD-WAN deployments, regardless of configuration. Affected environments include:

  • On-Prem deployments
  • Cisco Hosted SD-WAN Cloud
  • Cisco Hosted SD-WAN Cloud – Cisco Managed
  • Cisco Hosted SD-WAN Cloud – FedRAMP

Cisco credited the Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC) for reporting the issue and is tracking related exploitation under the name UAT-8616, describing the actor as highly sophisticated.

The flaw has been fixed in updated Cisco Catalyst SD-WAN releases, including: 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, and 20.18.2.1. Customers running versions prior to 20.9.1 are advised to migrate to a patched release.

Cisco Talos tracks the exploitation as UAT-8616, a highly sophisticated threat actor active since at least 2023. Investigators found the group likely downgraded software to escalate privileges to root, exploited CVE-2022-20775, and then restored the original version to maintain stealthy root access. The campaign highlights the ongoing targeting of network edge devices to gain persistent access to high-value and critical infrastructure organizations. Customers are urged to apply the security updates immediately.

“Talos clusters this exploitation and subsequent post-compromise activity as “UAT-8616” whom we assess with high confidence is a highly sophisticated cyber threat actor. After the discovery of active exploitation of the 0-day in the wild, we were able to find evidence that the malicious activity went back at least three years (2023).” reads the report published by Cisco Talos. “Investigation conducted by intelligence partners identified that the actor likely escalated to root user via a software version downgrade. The actor then reportedly exploited CVE-2022-20775 before restoring back to the original software version, effectively allowing them to gain root access.”

Cisco warns that internet-exposed Catalyst SD-WAN Controllers are at risk. Customers should review /var/log/auth.log for suspicious “Accepted publickey for vmanage-admin” entries from unknown IPs and verify them against authorized System IPs in the web UI. All control peering events, especially vManage, must be manually validated for unusual timing, IPs, or device roles. If compromise is suspected, open a TAC case and collect admin-tech files. There are no full workarounds; restricting ports 22 and 830 may help temporarily, but upgrading to a fixed release is strongly recommended.
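The auth.log review described above can be scripted. The following is an added example, not code from Cisco, Talos or the article: it assumes the controller's sshd writes stock OpenSSH syslog lines, and the allowlist of authorized System IPs (`AUTHORIZED_SYSTEM_IPS`), the function names and the sample log are all constructed for illustration.

```python
import ipaddress
import re

# Shape of a stock OpenSSH "Accepted publickey" syslog line. Only the quoted
# phrase and the account name come from the article; the rest of the layout
# is an assumption about the controller's sshd output.
ACCEPTED = re.compile(
    r"(?P<host>\S+)\s+sshd\[\d+\]:\s+"  # phrase must follow the sshd tag directly
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+"
    r"(?: ssh2)?(?:: (?P<keytype>\S+) (?P<fp>\S+))?"
)

# Constructed sample input (documentation address ranges, made-up fingerprints).
SAMPLE_AUTH_LOG = """\
Feb 24 02:11:09 vsmart-01 sshd[4121]: Accepted publickey for vmanage-admin from 10.10.0.5 port 43822 ssh2: RSA SHA256:CONSTRUCTEDkeyAAAA
Feb 24 02:13:40 vsmart-01 sshd[4188]: Accepted publickey for vmanage-admin from 203.0.113.77 port 50211 ssh2: ED25519 SHA256:CONSTRUCTEDkeyBBBB
Feb 24 02:14:02 vsmart-01 sshd[4190]: Failed password for admin from 198.51.100.9 port 40100 ssh2
Feb 24 09:30:15 vsmart-01 sshd[5022]: Accepted publickey for admin from 198.51.100.9 port 40101 ssh2: RSA SHA256:CONSTRUCTEDkeyCCCC
Feb 25 23:58:31 vsmart-01 sshd[6110]: Accepted publickey for vmanage-admin from 203.0.113.77 port 50977 ssh2: ED25519 SHA256:CONSTRUCTEDkeyBBBB
Feb 26 00:02:10 vsmart-01 sshd[6130]: Accepted publickey for vmanage-admin from 10.10.1.20 port 38110 ssh2: RSA SHA256:CONSTRUCTEDkeyAAAA
"""

# Hypothetical allowlist: the System IPs the operator has verified in the web UI.
AUTHORIZED_SYSTEM_IPS = ["10.10.0.5", "10.10.1.0/24"]


def load_authorized(entries):
    """Turn operator-supplied addresses or CIDR ranges into network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]


def unexpected_logins(lines, authorized, account="vmanage-admin"):
    """Return one record per source that logged in as `account` by public key
    and is not covered by the authorized list."""
    nets = load_authorized(authorized)
    by_source = {}
    for line in lines:
        m = ACCEPTED.search(line)
        if m is None or m.group("user") != account:
            continue
        raw = m.group("src")
        try:
            addr = ipaddress.ip_address(raw)
            known = any(addr in net for net in nets)
        except ValueError:
            known = False  # a source that cannot be parsed cannot be verified
        if known:
            continue
        timestamp = line[:m.start()].strip()  # whatever precedes the hostname
        rec = by_source.setdefault(raw, {
            "source": raw, "count": 0,
            "first_seen": timestamp, "last_seen": timestamp,
            "fingerprints": set(), "hosts": set(),
        })
        rec["count"] += 1
        rec["last_seen"] = timestamp
        rec["hosts"].add(m.group("host"))
        if m.group("fp"):
            rec["fingerprints"].add(m.group("fp"))
    return list(by_source.values())


if __name__ == "__main__":
    for rec in unexpected_logins(SAMPLE_AUTH_LOG.splitlines(), AUTHORIZED_SYSTEM_IPS):
        print(f"{rec['source']}: {rec['count']} login(s), "
              f"{rec['first_seen']} .. {rec['last_seen']}, "
              f"keys={sorted(rec['fingerprints'])}")
```

Run it against logs held in external storage where possible, since the indicators listed for this campaign include log clearing and truncation on the device itself.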

Cisco PSIRT has confirmed limited real-world exploitation of the vulnerability and strongly urges customers to upgrade to a patched software version to address the issue.

“We strongly recommend that you perform the steps outlined in this document. Cisco has also published a hardening guide for Cisco Catalyst SD-WAN deployments located at https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide. It is strongly recommended that any customers who are utilizing the Cisco Catalyst SD-WAN technology follow the guidance provided in this hardening guide.” concludes Cisco Talos. “We also recommend referring to advisories here and here and the Cisco Catalyst SD-WAN threat hunting guide released by our intelligence partners for additional detection guidance.”

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco Catalyst SD-WAN)

  • ✇Firewall Daily – The Cyber Express
  • Hackers Exploited Cisco SD-WAN Zero-Day for Three Years Before Detection Mihir Bagwe

Hackers Exploited Cisco SD-WAN Zero-Day for Three Years Before Detection

February 26, 2026, 04:31

Cisco Talos disclosed that a highly sophisticated threat actor exploited a critical authentication bypass vulnerability in Cisco SD-WAN infrastructure for at least three years before security researchers discovered the zero-day attacks.

The vulnerability, tracked as CVE-2026-20127 with a maximum CVSS severity score of 10.0, allowed unauthenticated remote attackers to gain administrative privileges and add malicious rogue peers to enterprise networks.

Cisco Talos tracks the exploitation activity to UAT-8616, assessing with high confidence that a sophisticated cyber threat actor conducted the campaign targeting network edge devices to establish persistent footholds into high-value organizations including critical infrastructure sectors. Evidence shows malicious activity dates back to at least 2023, with the vulnerability actively exploited as a zero-day throughout that period.

The flaw affects Cisco Catalyst SD-WAN Controller, formerly known as vSmart, and Cisco Catalyst SD-WAN Manager, formerly vManage, in both on-premises and cloud-hosted deployments. The vulnerability stems from broken peering authentication mechanisms that fail to properly validate trust relationships when SD-WAN components establish connections.

Attackers exploited the authentication bypass by sending crafted requests that vulnerable systems accepted as trusted, allowing them to log in as internal, high-privileged, non-root user accounts. This access enabled manipulation of NETCONF configurations, granting control over the entire SD-WAN fabric's network settings including routing policies and device authentication.

Downgrade-Penetrate-Upgrade

The attack chain demonstrated exceptional sophistication. After achieving initial access through CVE-2026-20127, intelligence partners identified that UAT-8616 likely escalated to root privileges by downgrading SD-WAN software to older versions vulnerable to CVE-2022-20775, a path traversal privilege escalation flaw patched in 2022. The attackers then exploited that vulnerability to gain root access before restoring the original software version, effectively covering their tracks while maintaining elevated privileges.

This downgrade-exploit-restore technique evaded detection mechanisms that would flag outdated software or unusual privilege escalations. By reverting to the original version after exploitation, attackers obtained root access while appearing to run current, patched software in routine security audits.

Australian Cyber Defenders Credited for the Findings

The Australian Signals Directorate's Australian Cyber Security Centre was credited with discovering and reporting the vulnerability to Cisco. ACSC published a joint hunt guide warning that malicious actors are targeting Cisco Catalyst SD-WAN deployments globally to add rogue peers, then conduct follow-on actions achieving root access and maintaining persistent control.

CISA and Others Scramble to Patch

CISA issued Emergency Directive 26-03 on Wednesday, requiring Federal Civilian Executive Branch agencies to inventory Cisco SD-WAN systems, collect forensic artifacts, ensure external log storage, apply updates and investigate potential compromise by 5:00 PM ET on Friday. The directive stated exploitation poses an imminent threat to federal networks.

CISA added both CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities catalog. The UK's National Cyber Security Centre issued parallel warnings urging organizations to urgently investigate exposure and hunt for malicious activity using international partner guidance.

Cisco released patches for all affected software versions. The company said upgrading to fixed releases represents the only complete remediation, as no workarounds exist. Versions 20.11, 20.13, 20.14, 20.16 and versions prior to 20.9 have reached end-of-life and will not receive patches, requiring organizations to upgrade to supported releases.

Indicators to Look Out For

Talos identified high-fidelity indicators of UAT-8616 compromise, including:

  • creation, usage and deletion of malicious user accounts with absent bash and CLI history
  • interactive root sessions on production systems with unaccounted SSH keys and known hosts
  • unauthorized SSH keys for the vmanage-admin account
  • abnormally small or empty logs
  • evidence of log clearing or truncation
  • presence of CLI history files for users without corresponding bash history

Organizations using Cisco Catalyst SD-WAN should immediately check for control connection peering events in logs, as this may indicate attempted exploitation. The most critical indicator is any unexpected peering event, particularly from unknown or unverified sources attempting to join the SD-WAN control plane.

This latest campaign follows a pattern of threat actors targeting network infrastructure devices that provide strategic access to enterprise environments. Compromising SD-WAN controllers offers exceptional operational leverage because these systems manage routing, policy enforcement and device authentication across distributed networks.

Talos stated SD-WAN management interfaces must never be exposed to the internet, yet organizations with internet-facing management planes face the greatest compromise risk. The targeting demonstrates continuing trends where advanced threat actors prioritize control-plane technologies over endpoints, recognizing that infrastructure compromise yields broader network access.

The three-year exploitation window before discovery also shows the detection challenges for infrastructure vulnerabilities. Unlike endpoint malware generating behavioral signatures, authentication bypasses in management systems may produce minimal forensic evidence, especially when attackers employ techniques like software version manipulation to evade monitoring.

Organizations should follow Cisco's hardening guidance, implement robust logging with external storage, regularly audit SD-WAN peering configurations, restrict management interface access, and conduct thorough compromise assessments using indicators provided in the joint hunt guide from CISA, NCSC and Australian authorities.

  • ✇Kaspersky official blog
  • How Kaspersky SD-WAN increases corporate efficiency Kaspersky Team

How Kaspersky SD-WAN increases corporate efficiency

December 5, 2025, 04:41

Deploying software-defined wide area networks (SD-WANs) increases operational efficiency, reduces costs, and improves security. These effects are so significant that they can sometimes be observed at a national scale. According to the article The Transformative Impact of SD-WAN on Society and Global Development, published in the International Journal for Multidisciplinary Research, adopting this technology can result in a 1.38% increase in the GDP of developing countries. At the corporate level, the effects are even more evident. For example, in modern, deeply digitalized industrial manufacturing, it can reduce unplanned downtime by 25%.

In addition, SD-WAN deployment projects not only provide a rapid return on investment, but also continue to deliver additional benefits and greater efficiency as the solution receives updates and new versions are released. To demonstrate this, we present the new Kaspersky SD-WAN 2.5 and its most relevant features.

Optimized traffic redirection algorithms

This is a classic SD-WAN feature and one of the technology's main competitive advantages. Traffic routing depends on the nature and location of the corporate application, but it also takes into account current priorities and network conditions: in some cases reliability is essential; in others, speed or low latency is the deciding factor. The new version of Kaspersky SD-WAN improves the algorithm and now includes detailed data on traffic loss on each possible path. This ensures stable operation of critical services across geographically distributed networks, for example by reducing failures in large-scale nationwide video conferences. Most importantly, this increase in reliability comes with a reduced workload for network engineers and support teams, since the route adaptation process is fully automated.

Conditional DNS forwarding

This feature optimizes the speed of domain name resolution and helps maintain security policies for different types of applications. For example, requests related to the MS Office cloud infrastructure are forwarded directly from the local office to the Microsoft CDN, while internal network server names are resolved through the corporate DNS server. This approach significantly improves connection setup speed and eliminates the need to manually configure routers in each office. Instead, a single unified policy is enough for the entire network.

Scheduled CPE configuration changes

Any large-scale network reconfiguration increases the risk of outages (even brief ones) and failures. To ensure that this kind of event does not harm critical business processes, any policy change in Kaspersky SD-WAN can be scheduled for a specific time. Want to change router settings in a hundred offices at once? Schedule the change for 2 a.m. local time or for Saturday morning. This eliminates the need for the regional IT team to be physically present during the rollout.

Simplified BGP and OSPF debugging

BGP routing analysis can now be performed entirely through the orchestrator's graphical interface. Did a routing loop suddenly appear somewhere between the Milan and Paris offices? Instead of connecting via SSH to each device in every office and intermediate node, you can now identify and resolve the problem through a single interface, significantly reducing downtime.

Easy CPE replacement

If the network equipment in an office needs to be replaced, it is now possible to keep all existing settings when replacing it. The technician in the office simply connects the new CPE unit, and the Kaspersky SD-WAN orchestrator automatically restores all policies and tunnels on the device. This offers several immediate benefits: it significantly reduces downtime; the replacement can be carried out by a technician without in-depth knowledge of network protocols; and it considerably lowers the likelihood of additional failures caused by manual configuration errors.

LTE diagnostics

Although it is often the fastest and most economical corporate communication channel to deploy, LTE has one drawback: instability. Both cellular coverage and operating speed can vary frequently, requiring network engineers to take action, such as relocating the CPE to an area with better signal. Now you can make these decisions based on diagnostic data collected directly by the orchestrator. It displays the service parameters of connected LTE devices, including the signal strength level.

Power failure management

For companies with the most stringent fault tolerance and recovery time requirements, specialized CPE variants equipped with a small internal power source are available on special request. In the event of a power outage, the CPE can send detailed data about the type of failure to the orchestrator. This gives administrators time to investigate the cause and resolve the problem much faster.

These are just some of the innovations in Kaspersky SD-WAN. Other features include the ability to configure security policies for connections to the CPE console port, as well as support for large-scale networks with more than 2,000 CPEs and load balancing across multiple orchestrators. To learn more about how all these new features increase the value of SD-WAN for your organization, our experts are available to provide a personalized demonstration.
