Cisco SD-WAN Zero-Day Under Exploitation for 3 Years
Summary
Cisco disclosed a maximum-severity authentication-bypass zero-day (CVE-2026-20127) in its Catalyst SD-WAN Controller that has been exploited in the wild for at least three years. The flaw carries a CVSS score of 10 and allows an attacker to send crafted requests to log in as a high-privileged, non-root internal user.
Investigations by Cisco Talos and international partners linked the activity to a highly sophisticated actor tracked as UAT-8616. The attacker reportedly added rogue peers, used the product’s update mechanism to downgrade controllers, then exploited an older local privilege-escalation bug (CVE-2022-20775) to gain root and persist. Observed activity was limited to SD-WAN components with no clear lateral movement or C2 malware detected.
US CISA issued an emergency directive requiring federal agencies to patch this zero-day (and the older CVE-2022-20775) within a short timeframe. Cisco and partner agencies published a threat-hunting guide and recommended immediate patching, restricting Internet exposure, disabling HTTP admin access and checking for signs of compromise such as rogue peering or unexpected downgrades.
Key Points
- CVE-2026-20127 is an authentication-bypass zero-day in Cisco Catalyst SD-WAN Controller with CVSS 10.
- Exploitation activity dates back to at least 2023; tracked by Cisco Talos as UAT-8616.
- Attackers added rogue peers, downgraded software to exploit CVE-2022-20775, and escalated to root for persistence.
- CISA issued an emergency directive requiring rapid patching for federal agencies.
- Observed compromises were contained to SD-WAN components with no evidence of lateral movement or C2 malware.
- Cisco advises immediate updates, restricting Internet-exposed controllers, disabling HTTP admin access and changing default credentials.
Context and Relevance
This is a major alert for network teams, cloud architects and security operations: SD-WAN controllers are a high-value target because they sit in the network control plane and can be abused to persist or manipulate traffic. The incident reinforces an ongoing trend of threat actors targeting edge and network-management devices to establish footholds in critical organisations.
The involvement of international agencies (CISA, NSA, Australian Cyber Security Centre) and the emergency directive underscores the urgency — this isn’t just another patch Tuesday item. The attack technique (downgrade to exploit older bugs) is notable because it shows attackers chaining vulnerabilities and abusing update mechanisms, which makes detection harder and remediation more involved.
Organisations should treat this as a priority: apply Cisco’s fixed versions, audit controllers for rogue peering and unexpected version changes, harden access (firewalls, remove public exposure, disable HTTP UI) and enable centralised logging to support hunts and forensic checks.
Author style
Punchy: this write-up cuts to the core risks and steps you need now. If your estate uses Cisco SD-WAN, the detail matters — the advisory, the threat-hunt guide and the CISA directive give you the playbook for detection and remediation.
Why should I read this?
Short and blunt: if you run Cisco SD-WAN, this is urgent. The bug’s been quietly abused for years and attackers used clever downgrade-and-escalate tricks. Read this so you can patch fast, check for rogue peers, and stop a nasty persistent foothold turning into a full-blown outage or data theft. We’ve done the hard work of pulling the timeline and mitigation tips together — save yourself the digging.