

Ethical Hacking News

Critical Cisco SD-WAN Bug Exploited in Zero-Day Attacks Since 2023: A Growing Threat to Enterprise Networks


A critical vulnerability in Cisco's SD-WAN technology has been exploited by hackers in zero-day attacks, putting entire enterprise networks at risk. Learn more about this growing threat and how organizations can take proactive measures to protect themselves.

  • Cisco's SD-WAN technology has a critical vulnerability (CVE-2026-20127) that allows remote attackers to compromise controllers and add malicious peers to targeted networks.
  • The Australian Signals Directorate's ACSC reported the vulnerability, which carries the maximum CVSS score of 10.0 and affects both on-prem and SD-WAN Cloud installations.
  • Admins should audit /var/log/auth.log for entries showing "Accepted publickey for vmanage-admin" from unknown IP addresses to detect exploitation.
  • Indicators of compromise (IoCs) include malicious user accounts, unauthorized SSH keys, and log tampering or software downgrades.
  • Organizations should restrict network exposure, place SD-WAN components behind firewalls, and apply Cisco's hardening guidance to mitigate the threat.



    A critical vulnerability in Cisco's SD-WAN technology has been exploited by hackers in zero-day attacks. The bug, tracked as CVE-2026-20127, affects Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in both on-prem and SD-WAN Cloud installations. It has been actively exploited since 2023, allowing remote attackers to compromise controllers and add rogue peers to targeted networks.

    The Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) is credited with reporting the vulnerability, which carries the maximum CVSS score of 10.0. Because the Manager and Controller are the management and control plane of the SD-WAN overlay, compromising them puts the entire enterprise network at risk. According to Cisco, administrators should audit /var/log/auth.log for entries showing "Accepted publickey for vmanage-admin" from unknown IP addresses, that is, from any source that is not one of the organisation's known administrative jump hosts.

    Talos and government advisories have shared indicators of compromise (IoCs) that defenders should hunt for. These include the creation and deletion of malicious user accounts, unexpected root logins, unauthorized SSH keys in the vmanage-admin or root accounts, and sshd_config changes that enable PermitRootLogin. Administrators should also look for unusually small or missing log files, which may indicate log tampering, and for software downgrades and reboots, which may indicate exploitation of CVE-2022-20775 to gain root privileges.

    CISA also recommends analyzing the following logs for evidence of CVE-2022-20775 exploitation:

    /var/volatile/log/vdebug
    /var/log/tmplog/vdebug
    /var/volatile/log/sw_script_synccdb.log
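
To make the auth.log check and the IoC hunt above repeatable, here is an added example in Python; it is not Cisco, Talos or CISA tooling. It scans constructed auth.log lines for accepted logins to vmanage-admin or root from addresses outside a jump-host allowlist, resolves the effective PermitRootLogin value the way sshd does (first match wins, so a line an attacker prepends overrides the hardened one below it), fingerprints authorized_keys entries that are absent from a known-good inventory in the same SHA256 form ssh-keygen -lf prints, and flags the advisory's log files when they are missing or suspiciously small. The sample log lines, key blobs, allowlist and 4 KiB size floor are all constructed assumptions.

```python
"""Hunt helpers for the Cisco Catalyst SD-WAN Manager IoCs described above.

Added example, not vendor or agency tooling. All sample data is constructed.
Run the real hunt against copies of the files, ideally from an off-box log
collector, since a compromised controller can truncate its own logs.
"""
from __future__ import annotations

import base64
import binascii
import hashlib
import re
from typing import Iterator, Optional

# --- 1. Unexpected "Accepted publickey" logins ------------------------------
# Constructed sample of /var/log/auth.log lines (not real data).
SAMPLE_AUTH_LOG = """\
Feb 20 03:12:44 vmanage sshd[2811]: Accepted publickey for vmanage-admin from 10.10.5.20 port 51022 ssh2: RSA SHA256:AbC
Feb 20 03:15:01 vmanage sshd[2850]: Accepted publickey for vmanage-admin from 203.0.113.77 port 40211 ssh2: ED25519 SHA256:XyZ
Feb 20 03:15:09 vmanage sshd[2861]: Accepted publickey for root from 203.0.113.77 port 40215 ssh2: ED25519 SHA256:XyZ
Feb 20 03:16:30 vmanage sshd[2870]: Failed password for invalid user test from 198.51.100.9 port 33000 ssh2
"""
LOGIN_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port \d+")


def suspicious_logins(auth_log: str, allowed_ips: set[str],
                      watch_users: tuple[str, ...] = ("vmanage-admin", "root")) -> list[tuple[str, str, str]]:
    """(user, source_ip, auth_method) for accepted logins to watched accounts from
    addresses that are not known admin jump hosts (allowed_ips is your own inventory)."""
    hits = []
    for line in auth_log.splitlines():
        m = LOGIN_RE.search(line)
        if m and m["user"] in watch_users and m["ip"] not in allowed_ips:
            hits.append((m["user"], m["ip"], m["method"]))
    return hits


# --- 2. sshd_config: has PermitRootLogin been enabled? ----------------------
HARDENED_SSHD = "Port 22\n#PermitRootLogin yes\nPermitRootLogin no\nPasswordAuthentication no\n"
# A prepended line wins, because sshd uses the FIRST value it sees for a keyword.
TAMPERED_SSHD = "PermitRootLogin yes\nPort 22\nPermitRootLogin no\nPasswordAuthentication no\n"


def effective_permit_root_login(sshd_config: str) -> str:
    """Effective global PermitRootLogin under sshd's first-match rule. Match blocks
    are ignored (assumption: only the global setting is audited); an unset keyword
    falls back to OpenSSH's default, prohibit-password."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = re.split(r"[\s=]+", line, maxsplit=1)
        if len(tokens) < 2:
            continue
        key, value = tokens[0].lower(), tokens[1].strip().lower()
        if key == "match":          # everything after the first Match is conditional
            break
        if key == "permitrootlogin":
            return value
    return "prohibit-password"


def root_login_possible(sshd_config: str) -> bool:
    """True unless root SSH login is explicitly 'no': prohibit-password,
    without-password and forced-commands-only all still accept planted keys."""
    return effective_permit_root_login(sshd_config) != "no"


# --- 3. authorized_keys entries missing from the known-good inventory --------
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# Constructed key blobs: valid base64 of the right length, NOT real public keys.
KNOWN_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI"
ROGUE_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY"
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample of /home/vmanage-admin/.ssh/authorized_keys\n"
    f"ssh-ed25519 {KNOWN_BLOB} netops-jump@corp\n"
    f'command="/bin/true" ssh-ed25519 {ROGUE_BLOB} implant@unknown\n'
)
KNOWN_KEY_BLOBS = {KNOWN_BLOB}   # sanctioned keys (assumed inventory)


def ssh_fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        return "INVALID-BASE64"
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def parse_authorized_keys(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (key_type, blob, comment); tolerates leading option fields like command=."""
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                yield tok, tokens[i + 1], " ".join(tokens[i + 2:])
                break


def unknown_authorized_keys(text: str, known_blobs: set[str]) -> list[tuple[str, str, str]]:
    """(key_type, fingerprint, comment) for every key not in the sanctioned set."""
    return [(ktype, ssh_fingerprint(blob), comment)
            for ktype, blob, comment in parse_authorized_keys(text)
            if blob not in known_blobs]


# --- 4. Advisory log files that are missing or unusually small ---------------
ADVISORY_LOGS = ("/var/log/auth.log", "/var/volatile/log/vdebug",
                 "/var/log/tmplog/vdebug", "/var/volatile/log/sw_script_synccdb.log")


def suspicious_log_sizes(sizes: dict[str, Optional[int]], min_bytes: int = 4096) -> list[tuple[str, str]]:
    """sizes maps path -> byte count, or None when the file is absent. The 4 KiB
    floor is an assumption; baseline it against a known-healthy controller."""
    findings = []
    for path, size in sizes.items():
        if size is None:
            findings.append((path, "missing"))
        elif size < min_bytes:
            findings.append((path, f"only {size} bytes"))
    return findings


if __name__ == "__main__":
    print(suspicious_logins(SAMPLE_AUTH_LOG, {"10.10.5.20"}))
    print(effective_permit_root_login(TAMPERED_SSHD), root_login_possible(TAMPERED_SSHD))
    print(unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEY_BLOBS))
    print(suspicious_log_sizes({p: None for p in ADVISORY_LOGS}))
```

Any hit from these checks is a trigger for the response path the advisories describe, not for cleanup in place: a root compromise means rebuilding the controller from a fresh image. The fingerprint output is deliberately in ssh-keygen's format so it can be diffed against an inventory generated with ssh-keygen -lf on the sanctioned keys.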

    If a root account was compromised, agencies should deploy fresh installs rather than attempting to clean the existing infrastructure. Furthermore, organizations are advised to treat unexpected peering events or unexplained controller activity as potential indicators of compromise and investigate them immediately.

    In light of these findings, both CISA and the UK NCSC recommend restricting network exposure, placing SD-WAN control components behind firewalls, isolating management interfaces, forwarding logs to external systems, and applying Cisco's hardening guidance. This should be considered a top priority for all organizations that use Cisco Catalyst SD-WAN technology.

    That this vulnerability was exploited for years before disclosure underscores the value of proactive controls: keeping controller software current, exposing management interfaces only to trusted networks, and forwarding logs off-box so that tampering on a compromised controller cannot erase the evidence.

    In conclusion, the critical Cisco SD-WAN bug exploited in zero-day attacks since 2023 is a significant concern for organizations that use this technology. Those running Cisco Catalyst SD-WAN should treat the hunt and hardening steps above as an immediate priority and stay informed as further details emerge.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Critical-Cisco-SD-WAN-Bug-Exploited-in-Zero-Day-Attacks-Since-2023-A-Growing-Threat-to-Enterprise-Networks-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/critical-cisco-sd-wan-bug-exploited-in-zero-day-attacks-since-2023/

  • https://www.helpnetsecurity.com/2026/02/25/cisco-sd-wan-zero-day-cve-2026-20127/

  • https://blog.talosintelligence.com/uat-8616-sd-wan/

  • https://nvd.nist.gov/vuln/detail/CVE-2022-20775

  • https://www.cvedetails.com/cve/CVE-2022-20775/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-20127

  • https://www.cvedetails.com/cve/CVE-2026-20127/


  • Published: Wed Feb 25 12:20:14 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.