-
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News
-
US Agencies Face CISA Deadline Over Critical Cisco SD-WAN Flaw
US agencies race to meet a CISA deadline after a critical Cisco SD-WAN flaw exposed federal networks to long-term intrusion and forced emergency remediation.
-
Security | TechRepublic
-
5 Nations Alert: Critical Cisco Bug Used in Global Espionage Campaign
Hackers exploited a critical Cisco SD-WAN flaw, prompting a rare joint warning from the US, UK, Australia, Canada, and New Zealand.
The post 5 Nations Alert: Critical Cisco Bug Used in Global Espionage Campaign appeared first on TechRepublic.
-
Security Affairs
-
U.S. CISA adds Cisco SD-WAN flaws to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two Cisco SD-WAN flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the flaws added to the catalog:
- CVE-2022-20775 Cisco Catalyst SD-WAN Path Traversal Vulnerability
- CVE-2026-20127 Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability
This week, Cisco warned of a critical vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127 (CVSS score of 10.0), that has been exploited in the wild since 2023. The flaw affects Catalyst SD-WAN Controller and Manager and allows a remote, unauthenticated attacker who sends crafted requests to bypass peering authentication, log in as an internal high-privileged (non-root) account, and then reconfigure the SD-WAN fabric through NETCONF.
“This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system.” reads the advisory. “A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”
The vulnerability impacts all Cisco Catalyst SD-WAN deployments, regardless of configuration. Affected environments include:
- On-Prem deployments
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud – Cisco Managed
- Cisco Hosted SD-WAN Cloud – FedRAMP
Cisco credited the Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC) with reporting the issue.
The flaw is fixed in updated Cisco Catalyst SD-WAN releases, including 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, and 20.18.2.1. Customers running releases earlier than 20.9.1 are advised to migrate to a fixed release.
Cisco Talos tracks the exploitation as UAT-8616, a highly sophisticated threat actor active since at least 2023. Intelligence partners assess that the group likely downgraded the SD-WAN software to a release still vulnerable to CVE-2022-20775, exploited that flaw to escalate to root, and then restored the original release so the device appeared patched while root access was retained. The campaign highlights the ongoing targeting of network edge devices to gain persistent access to high-value and critical infrastructure organizations. Customers are urged to apply the security updates immediately.
“Talos clusters this exploitation and subsequent post-compromise activity as “UAT-8616” whom we assess with high confidence is a highly sophisticated cyber threat actor. After the discovery of active exploitation of the 0-day in the wild, we were able to find evidence that the malicious activity went back at least three years (2023).” reads the report published by Cisco Talos. “Investigation conducted by intelligence partners identified that the actor likely escalated to root user via a software version downgrade. The actor then reportedly exploited CVE-2022-20775 before restoring back to the original software version, effectively allowing them to gain root access.”
Cisco warns that internet-exposed Catalyst SD-WAN Controllers are at risk. Customers should review /var/log/auth.log for suspicious “Accepted publickey for vmanage-admin” entries from unknown IPs and verify each source against the authorized System IPs shown in the web UI. All control peering events, especially those involving vManage, must be manually validated for unusual timing, source IPs, or device roles. If compromise is suspected, open a TAC case and collect admin-tech files. There are no full workarounds; restricting ports 22 and 830 (SSH and NETCONF) may reduce exposure temporarily, but upgrading to a fixed release is strongly recommended.
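The auth.log review Cisco describes above is easy to get wrong by eye on a busy controller, so here is a small triage script for it. This is an added example, not code from Cisco or from the Security Affairs article: the log lines are constructed in the standard OpenSSH syslog format, the addresses and fingerprints are invented, and AUTHORIZED_SYSTEM_IPS stands in for the allowlist you would copy from the web UI.

```python
import ipaddress
import re

# Constructed /var/log/auth.log excerpt in the standard OpenSSH syslog format.
# The hosts, addresses and fingerprints are made up for this example.
SAMPLE_AUTH_LOG = """\
Feb 17 03:12:41 vmanage sshd[2211]: Accepted publickey for vmanage-admin from 10.10.1.5 port 41022 ssh2: RSA SHA256:Ab1c2DEf3Gh4Ij5Kl6Mn7Op8Qr9St0Uv1Wx2Yz3Aa4B
Feb 17 03:12:44 vmanage sshd[2215]: Accepted publickey for vmanage-admin from 10.10.1.6 port 41023 ssh2: RSA SHA256:Ab1c2DEf3Gh4Ij5Kl6Mn7Op8Qr9St0Uv1Wx2Yz3Aa4B
Feb 18 22:07:09 vmanage sshd[9912]: Accepted publickey for vmanage-admin from 198.51.100.23 port 55100 ssh2: ED25519 SHA256:Zz9y8XW7v6U5t4S3r2Q1p0O9n8M7l6K5j4I3h2G1f0E
Feb 18 22:07:30 vmanage sshd[9920]: Accepted password for admin from 10.10.1.6 port 55101 ssh2
Feb 19 01:15:02 vmanage sshd[10044]: Failed publickey for vmanage-admin from 203.0.113.9 port 60012 ssh2: RSA SHA256:Qq1w2Ee3Rr4Tt5Yy6Uu7Ii8Oo9Pp0Aa1Ss2Dd3Ff4Gg
"""

# Assumed allowlist: the System IPs of the controllers and managers that are
# authorised to peer with this node (copied from the web UI in a real deployment).
AUTHORIZED_SYSTEM_IPS = ["10.10.1.5", "10.10.1.6"]

# One successful key-based login as recorded by OpenSSH.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:[A-Za-z0-9+/]+)$"
)


def find_suspicious_logins(log_text, authorized_system_ips, user="vmanage-admin"):
    """Return the key-based logins for `user` whose source address is not an
    authorised System IP. Each hit carries timestamp, address and key fingerprint
    so it can be cross-checked against the peering configuration."""
    allowed = [ipaddress.ip_network(n, strict=False) for n in authorized_system_ips]
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m is None or m["user"] != user:
            continue  # failures, password logins and other users are out of scope here
        src = ipaddress.ip_address(m["ip"])
        if any(src in net for net in allowed):
            continue
        hits.append({"ts": m["ts"], "ip": m["ip"], "keytype": m["keytype"], "fp": m["fp"]})
    return hits


def summarize_by_source(hits):
    """Collapse hits to {source IP: (login count, set of key fingerprints)}. An
    unknown address using a key never seen from an authorised peer is the strongest signal."""
    summary = {}
    for h in hits:
        count, fps = summary.get(h["ip"], (0, set()))
        summary[h["ip"]] = (count + 1, fps | {h["fp"]})
    return summary


if __name__ == "__main__":
    for h in find_suspicious_logins(SAMPLE_AUTH_LOG, AUTHORIZED_SYSTEM_IPS):
        print(f"{h['ts']}  {h['ip']:<16} {h['keytype']} {h['fp']}")
```

On the constructed input only the 198.51.100.23 login is reported; the two logins from authorised System IPs and the password login for admin are ignored. Run it against the real file on every controller and manager, not just the one you suspect, and keep the key fingerprints: the same fingerprint appearing from several unknown addresses is the peer you want to chase.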
Cisco PSIRT has confirmed limited real-world exploitation of the vulnerability and strongly urges customers to upgrade to a patched software version to address the issue.
CVE-2022-20775 is a privilege escalation vulnerability in the CLI of Cisco SD-WAN Software. It arises from improper access controls on certain CLI commands, allowing an authenticated, local attacker to execute maliciously crafted commands and run arbitrary commands with root privileges, potentially compromising the entire system. Cisco released software updates to fix the issue in 2022; no workarounds are available.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
(SecurityAffairs – hacking, CISA)
-
Firewall Daily – The Cyber Express

-
Hackers Exploited Cisco SD-WAN Zero-Day for Three Years Before Detection
Cisco Talos disclosed that a highly sophisticated threat actor exploited a critical authentication bypass vulnerability in Cisco SD-WAN infrastructure for at least three years before security researchers discovered the zero-day attacks.
The vulnerability, tracked as CVE-2026-20127 with a maximum CVSS severity score of 10.0, allowed unauthenticated remote attackers to gain administrative privileges and add malicious rogue peers to enterprise networks.
Cisco Talos attributes the exploitation activity to a cluster it tracks as UAT-8616, assessing with high confidence that a sophisticated cyber threat actor conducted the campaign targeting network edge devices to establish persistent footholds in high-value organizations, including critical infrastructure sectors. Evidence shows malicious activity dating back to at least 2023, with the vulnerability actively exploited as a zero-day throughout that period.
The flaw affects Cisco Catalyst SD-WAN Controller, formerly known as vSmart, and Cisco Catalyst SD-WAN Manager, formerly vManage, in both on-premises and cloud-hosted deployments. The vulnerability stems from broken peering authentication mechanisms that fail to properly validate trust relationships when SD-WAN components establish connections.
Attackers exploited the authentication bypass by sending crafted requests that vulnerable systems accepted as trusted, allowing them to log in as internal, high-privileged, non-root user accounts. This access enabled manipulation of NETCONF configurations, granting control over the entire SD-WAN fabric's network settings including routing policies and device authentication.
Downgrade-Penetrate-Upgrade
The attack chain demonstrated exceptional sophistication. After achieving initial access through CVE-2026-20127, intelligence partners identified that UAT-8616 likely escalated to root privileges by downgrading SD-WAN software to an older release still vulnerable to CVE-2022-20775, a local privilege escalation flaw patched in 2022 (CISA's catalog entry classifies it as path traversal). The attackers then exploited that vulnerability to gain root access before restoring the original software version, effectively covering their tracks while keeping elevated privileges.
This downgrade-exploit-restore technique sidesteps checks that would flag outdated software or an unusual privilege escalation. By reverting to the original version after exploitation, the attackers retained root access while the device appeared to run current, patched software in routine audits; only a record of the version change itself reveals the sequence.
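Because the restored device looks patched, the sequence is only visible if you keep a history of the release each controller was running and look for a downgrade that is undone shortly afterwards. The following check is an added example, not code from Cisco Talos or from this article: the timeline records are constructed, and their (timestamp, version) layout is an assumption, since the page does not show Cisco's own upgrade or audit log format. The point it makes beyond the text is that version strings must be compared numerically; a lexical comparison would treat 20.9.3 as newer than 20.12.5.3 and miss the downgrade entirely.

```python
from datetime import datetime, timedelta

# Constructed observations of the software release running on one controller,
# e.g. from periodic inventory snapshots. The record layout is an assumption for
# this example; the page does not show Cisco's own audit or upgrade log format.
SAMPLE_TIMELINE = [
    ("2025-11-01T01:00:00", "20.12.5.3"),
    ("2025-11-02T01:40:00", "20.9.3"),     # downgrade to an older, assumed-vulnerable release
    ("2025-11-02T02:25:00", "20.12.5.3"),  # restore: device looks patched again
    ("2025-11-03T01:00:00", "20.12.5.3"),
]


def parse_version(version):
    """Numeric tuple for ordering. Lexical comparison is wrong here: the string
    "20.9.3" sorts after "20.12.5.3", but the 20.9 train is the older one."""
    return tuple(int(part) for part in version.split("."))


def find_downgrade_restore(timeline, max_window_hours=24):
    """Find every downgrade and, for each, whether the previous (or a newer) release
    was put back within `max_window_hours`. A quick downgrade-then-restore on a
    production controller is the pattern the page attributes to UAT-8616."""
    max_window = timedelta(hours=max_window_hours)
    events = sorted((datetime.fromisoformat(ts), v) for ts, v in timeline)
    findings = []
    for i in range(1, len(events)):
        _, prev_v = events[i - 1]
        ts, v = events[i]
        if parse_version(v) >= parse_version(prev_v):
            continue  # same release or a genuine upgrade
        restored_at = None
        for later_ts, later_v in events[i + 1:]:
            if later_ts - ts > max_window:
                break
            if parse_version(later_v) >= parse_version(prev_v):
                restored_at = later_ts
                break
        findings.append({
            "from_version": prev_v,
            "to_version": v,
            "downgraded_at": ts.isoformat(),
            "restored_at": restored_at.isoformat() if restored_at else None,
            # time the device spent on the older release; None if never restored
            "exposure_seconds": int((restored_at - ts).total_seconds()) if restored_at else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_downgrade_restore(SAMPLE_TIMELINE):
        print(finding)
```

Any downgrade on a production controller deserves a ticket, but a downgrade that is reversed within an hour or two, with no change record, is the signature to escalate. Snapshots have to be taken often enough to catch the window; the 45 minutes in the constructed data would be invisible to a daily inventory.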
Australian Cyber Defenders Credited for the Findings
The Australian Signals Directorate's Australian Cyber Security Centre was credited with discovering and reporting the vulnerability to Cisco. ACSC also published a joint hunt guide warning that malicious actors are targeting Cisco Catalyst SD-WAN deployments globally to add rogue peers, then conduct follow-on actions to achieve root access and maintain persistent control.
CISA and Others Scramble to Patch
CISA issued Emergency Directive 26-03 on Wednesday, requiring Federal Civilian Executive Branch agencies to inventory Cisco SD-WAN systems, collect forensic artifacts, ensure external log storage, apply updates and investigate potential compromise by 5:00 PM ET on Friday. The directive stated exploitation poses an imminent threat to federal networks.
CISA added both CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities catalog. The UK's National Cyber Security Centre issued parallel warnings urging organizations to urgently investigate exposure and hunt for malicious activity using international partner guidance.
Also read: CISA Adds Five Actively Exploited Vulnerabilities to KEV Catalog
Cisco released patches for all affected software versions. The company said upgrading to fixed releases represents the only complete remediation, as no workarounds exist. Versions 20.11, 20.13, 20.14, 20.16 and versions prior to 20.9 have reached end-of-life and will not receive patches, requiring organizations to upgrade to supported releases.
Indicators to Look Out For
Talos identified high-fidelity indicators of UAT-8616 compromise, including:
- creation, use and deletion of malicious user accounts with no bash or CLI history
- interactive root sessions on production systems with unaccounted-for SSH keys and known_hosts entries
- unauthorized SSH keys for the vmanage-admin account
- abnormally small or empty logs, or other evidence of log clearing or truncation
- CLI history files for users with no corresponding bash history
Organizations using Cisco Catalyst SD-WAN should immediately check for control connection peering events in logs, as this may indicate attempted exploitation. The most critical indicator is any unexpected peering event, particularly from unknown or unverified sources attempting to join the SD-WAN control plane.
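The "unauthorized SSH keys for the vmanage-admin account" indicator above is a concrete check: every key in that account's authorized_keys file should match a fingerprint your team approved. The script below is an added example, not code from Cisco Talos or from this article. It builds constructed ed25519 public-key lines (filler key bytes, not real keys) and computes the same SHA256 fingerprint form that sshd prints in auth.log, so the output can be matched directly against the login entries discussed earlier. It also handles lines that carry authorized_keys options such as from= or no-pty, which an attacker can add to make a rogue key look deliberately restricted.

```python
import base64
import hashlib


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def make_test_ed25519_key(fill, comment):
    """Constructed public-key line in OpenSSH format. The 32 key bytes are filler,
    not a real key; only the encoding matters for the audit."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_line(line):
    """Return (key type, raw blob, comment), or None for blank and comment lines.
    Lines may start with options such as from="..." or command="..."; the key type
    is the first token that looks like one."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            blob = base64.b64decode(tokens[i + 1])
            # Sanity check: the type embedded in the blob must match the type token.
            n = int.from_bytes(blob[:4], "big")
            if blob[4:4 + n] != tok.encode():
                raise ValueError(f"key type mismatch in line: {line[:40]}")
            return tok, blob, " ".join(tokens[i + 2:])
    raise ValueError(f"no key found in line: {line[:40]}")


def fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint: base64 of sha256(blob) without padding,
    the same form sshd logs in 'Accepted publickey' entries."""
    _, blob, _ = parse_authorized_line(pubkey_line)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return f"SHA256:{digest}"


def audit_authorized_keys(text, approved_fingerprints):
    """List (fingerprint, key type, comment) for every key in `text` that is not in
    the approved set. Options like from= are deliberately ignored: a restricted
    rogue key is still a rogue key."""
    unauthorized = []
    for line in text.splitlines():
        parsed = parse_authorized_line(line)
        if parsed is None:
            continue
        ktype, _, comment = parsed
        fp = fingerprint(line)
        if fp not in approved_fingerprints:
            unauthorized.append((fp, ktype, comment))
    return unauthorized


# Constructed data: one key the operations team approved, one that should not be there.
KEY_OPS = make_test_ed25519_key(0x11, "netops@vmanage-mgmt")
KEY_ROGUE = make_test_ed25519_key(0x22, "unknown@attacker")
APPROVED = {fingerprint(KEY_OPS)}
SAMPLE_AUTHORIZED_KEYS = f"""\
# ~vmanage-admin/.ssh/authorized_keys (constructed)
{KEY_OPS}
no-pty,from="198.51.100.23" {KEY_ROGUE}
"""

if __name__ == "__main__":
    for fp, ktype, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(f"UNAUTHORIZED {ktype} {fp} {comment!r}")
```

Keep the approved fingerprint list outside the device (in the same place you keep the System IP allowlist), because an attacker with root can edit both the file and any on-box copy of the list. The comment field is informational only and is not part of the fingerprint, so a rogue key relabelled "netops" still fails the check.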
This latest campaign follows a pattern of threat actors targeting network infrastructure devices that provide strategic access to enterprise environments. Compromising SD-WAN controllers offers exceptional operational leverage because these systems manage routing, policy enforcement and device authentication across distributed networks.
Talos stated that SD-WAN management interfaces must never be exposed to the internet; organizations with internet-facing management planes face the greatest compromise risk. The targeting continues a trend in which advanced threat actors prioritize control-plane technologies over endpoints, recognizing that infrastructure compromise yields broader network access.
The three-year exploitation window before discovery also shows the detection challenges for infrastructure vulnerabilities. Unlike endpoint malware generating behavioral signatures, authentication bypasses in management systems may produce minimal forensic evidence, especially when attackers employ techniques like software version manipulation to evade monitoring.
Organizations should follow Cisco's hardening guidance, implement robust logging with external storage, regularly audit SD-WAN peering configurations, restrict management interface access, and conduct thorough compromise assessments using indicators provided in the joint hunt guide from CISA, NCSC and Australian authorities.