Today's cybersecurity headlines are brought to you by ThreatPerspective
Ethical Hacking News

Cisco SD-WAN Vulnerability: A Growing Concern for Cybersecurity Experts


A zero-day vulnerability has been discovered in Cisco SD-WAN, allowing attackers to bypass authentication and obtain administrative privileges on the affected system. The vulnerability affects various deployment types and has been tracked as CVE-2026-20127. Cisco has released patches for affected versions, and federal agencies are required to apply the fixes within 24 hours.

  • Cisco SD-WAN has been hit by a zero-day vulnerability (CVE-2026-20127) that allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges.
  • The vulnerability exists in the peering authentication mechanism and can be exploited via ports exposed to the internet.
  • The affected deployment types include On-Prem, Cisco Hosted SD-WAN Cloud, and FedRAMP Environment.
  • Cisco has released fixed versions of their Catalyst SD-WAN software, starting from version 20.9-20.9.8.2.
  • Customers are advised to audit the "/var/log/auth.log" file for suspicious entries and check System IPs against configured values in the Cisco Catalyst SD-WAN Manager web UI.
  • The vulnerability has been exploited by a highly sophisticated cyber threat actor, UAT-8616, since 2023, allowing it to gain elevated access to affected systems.
  • CISA has added both CVE-2022-20775 and CVE-2026-20127 to its Known Exploited Vulnerabilities catalog and issued an emergency directive for federal agencies to apply fixes within 24 hours.



    • Cisco SD-WAN has recently been hit by a zero-day vulnerability, tracked as CVE-2026-20127. This maximum-severity security flaw allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on the affected system by sending a crafted request to an affected system.

    The vulnerability exists because the peering authentication mechanism in an affected system is not working properly. According to Cisco, the threat actor could leverage the non-root user account to access NETCONF and manipulate network configuration for the SD-WAN fabric.

    The shortcoming affects the following deployment types, irrespective of the device configuration:

    * On-Prem Deployment
    * Cisco Hosted SD-WAN Cloud
    * Cisco Hosted SD-WAN Cloud - Cisco Managed
    * Cisco Hosted SD-WAN Cloud - FedRAMP Environment

    Cisco credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability.

    The networking equipment major is tracking the exploitation and subsequent post-compromise activity under the moniker UAT-8616, describing the cluster as a "highly sophisticated cyber threat actor."

    The vulnerability has been addressed in the following versions of Cisco Catalyst SD-WAN:

    * Prior to version 20.91 - Migrate to a fixed release.
    * Version 20.9 - 20.9.8.2 (Estimated release February 27, 2026)
    * Version 20.111 - 20.12.6.1
    * Version 20.12.5 - 20.12.5.3
    * Version 20.12.6 - 20.12.6.1
    * Version 20.131 - 20.15.4.2
    * Version 20.141 - 20.15.4.2
    * Version 20.15 - 20.15.4.2
    * Version 20.161 - 20.18.2.1
    * Version 20.18 - 20.18.2.1

    "Cisco Catalyst SD-WAN Controller systems that are exposed to the internet and that have ports exposed to the internet are at risk of exposure to compromise," Cisco warned.

    The company has also recommended customers to audit the "/var/log/auth.log" file for entries related to "Accepted publickey for vmanage-admin" from unknown or unauthorized IP addresses. It's also advised to check the IP addresses in the auth.log log file against the configured System IPs that are listed in the Cisco Catalyst SD-WAN Manager web UI (WebUI > Devices > System IP).

    According to information released by the ASD-ACSC, UAT-8616 is said to have compromised Cisco SD-WANs since 2023 via the zero-day exploit, allowing it to gain elevated access.

    "The vulnerability allowed a malicious cyber actor to create a rogue peer joined to the network management plane, or control plane, of an organization's SD-WAN," ASD-ACSC said. "The rogue device appears as a new but temporary, actor-controlled SD-WAN component that can conduct trusted actions within the management and control plane."

    After successfully compromising a public-facing application, the attackers have been found to leverage the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775 (CVSS score: 7.8), a high-severity privilege escalation bug in the CLI of Cisco SD-WAN Software, and then restoring the software back to the version it was originally running.

    Some of the subsequent steps initiated by the threat actor are as follows:

    * Created local user accounts that mimicked other local user accounts.
    * Added a Secure Shell Protocol (SSH) authorized key for root access and modified SD-WAN-related start-up scripts to customize the environment.
    * Used Network Configuration Protocol on port 830 (NETCONF) and SSH to connect to/between Cisco SD-WAN appliances within the management plane.
    * Took steps to clear evidence of the intrusion by purging logs under "/var/log," command history, and network connection history.

    "UAT-8616's attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors looking to establish persistent footholds into high-value organizations, including Critical Infrastructure (CI) sectors," Talos said.

    The development has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add both CVE-2022-20775 and CVE-2026-20127 to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the fixes within the next 24 hours.

    To check for version downgrade and unexpected reboot events, CISA recommends analyzing the following logs:

    * /var/volatile/log/vdebug
    * /var/log/tmplog/vdebug
    * /var/volatile/log/sw_script_synccdb.log

    CISA has also issued a new emergency directive, 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems, as part of which federal agencies are required to inventory SD-WAN devices, apply updates, and assess potential compromise.

    To that end, agencies have been ordered to provide a catalog of all in-scope SD-WAN systems on their networks by February 26, 2026, 11:59 p.m. ET. Additionally, they are required to submit a detailed inventory of all in-scope products and actions taken by March 5, 2026, 11:59 p.m. ET. Lastly, the agencies will have to submit the list of all steps taken to harden their environments by March 26, 2026, 11:59 p.m. ET.

    The recent vulnerability in Cisco SD-WAN highlights the importance of regular security audits and updates for network edge devices. Cybersecurity experts recommend that organizations prioritize their cybersecurity posture by investing in robust security measures, including threat intelligence, vulnerability management, and incident response capabilities.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Cisco-SD-WAN-Vulnerability-A-Growing-Concern-for-Cybersecurity-Experts-ehn.shtml

  • https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html

  • https://www.bleepingcomputer.com/news/security/critical-cisco-sd-wan-bug-exploited-in-zero-day-attacks-since-2023/


    • Published: Thu Feb 26 01:18:45 2026 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us