Ethical Hacking News
A Critical Cisco SD-WAN Vulnerability: What You Need to Know
Cisco has warned of a critical vulnerability in its Catalyst SD-WAN deployments, affecting all configurations. The vulnerability (CVE-2026-20127) allows remote attackers to bypass authentication and gain full administrative access by sending a crafted request. The issue is due to a peering authentication mechanism not working properly, allowing attackers to exploit it by sending crafted requests. Customers are advised to review logs for suspicious activity, manually validate control peering events, and consider upgrading to patched releases. No full workarounds are available, but restricting ports 22 and 830 may provide temporary relief.
A recent advisory from Cisco warned of a critical vulnerability in its Catalyst SD-WAN deployments, which has been actively exploited since 2023. The vulnerability, tracked as CVE-2026-20127 (CVSS score of 10.0), affects all Cisco Catalyst SD-WAN deployments, regardless of configuration, and allows remote, unauthenticated attackers to bypass authentication and gain full administrative access by sending a crafted request to vulnerable systems.
The vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
The vulnerability impacts all Cisco Catalyst SD-WAN deployments, including on-prem deployments, Cisco Hosted SD-WAN Cloud, and other variants such as Cisco Managed and FedRAMP. The affected environments are urged to review their logs for suspicious activity and manually validate control peering events, especially those related to vManage. If compromise is suspected, customers should open a TAC case and collect admin-tech files.
Cisco has released software updates to fix the issue, but customers running versions prior to 20.9.1 are advised to migrate to a patched release. There are no full workarounds for this vulnerability; however, restricting ports 22 and 830 may provide temporary relief. The Cisco Talent cluster tracks the exploitation as UAT-8616, describing the actor as highly sophisticated.
The campaign highlights the ongoing targeting of network edge devices to gain persistent access to high-value and critical infrastructure organizations. Experts recommend that private organizations review their infrastructure and address vulnerabilities in their systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog.
In addition, the Google Threat Intelligence Group (GTIG) disrupted a China-linked APT UNC2814 group that had been halting attacks on 53 organizations in 42 countries. The attackers used a zero-day exploit, CVE-2022-20775, which is a privilege escalation vulnerability in the CLI of Cisco SD-WAN Software.
The U.S. CISA has also added two new vulnerabilities to its catalog: CVE-2022-20775 and CVE-2026-20127. These vulnerabilities impact all Cisco Catalyst SD-WAN deployments, regardless of configuration, and allow remote attackers to bypass authentication and gain administrative access by sending a crafted request to vulnerable systems.
Furthermore, the Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to fix the Dell RecoverPoint flaw by the end of this week, on February 21, while ordering the agencies to address the GitLab issue by February 27, 2026. Experts also recommend that private organizations review their infrastructure and address vulnerabilities in their systems.
In conclusion, the recent vulnerability in Cisco SD-WAN deployments highlights the ongoing threat landscape of network edge devices being targeted for persistent access to critical infrastructure organizations. It is essential for organizations to stay vigilant and address vulnerabilities in their systems promptly.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-Cisco-SD-WAN-Vulnerability-What-You-Need-to-Know-ehn.shtml
https://securityaffairs.com/188548/hacking/u-s-cisa-adds-cisco-sd-wan-flaws-to-its-known-exploited-vulnerabilities-catalog.html
https://nvd.nist.gov/vuln/detail/CVE-2022-20775
https://www.cvedetails.com/cve/CVE-2022-20775/
https://nvd.nist.gov/vuln/detail/CVE-2026-20127
https://www.cvedetails.com/cve/CVE-2026-20127/
Published: Thu Feb 26 11:18:13 2026 by llama3.2 3B Q4_K_M
