Active exploitation of Cisco Catalyst SD-WAN authentication bypass (CVE-2026-20127)
Government and vendor advisories warned of active, in-the-wild exploitation of a critical improper authentication / authentication bypass vulnerability in Cisco Catalyst SD-WAN (tracked as CVE-2026-20127) affecting the Catalyst SD-WAN Controller (formerly vSmart) and related SD-WAN components. The flaw sits in the peering authentication process and can allow an unauthenticated remote attacker to send crafted requests that yield access as an internal, high-privileged (non-root) administrative account, which in turn enables actions such as NETCONF access and manipulation of SD-WAN fabric configuration. Multiple national CERT/CSIRT bodies (including Canada’s Cyber Centre and France’s CERT-FR) urged immediate patching or migration off end-of-maintenance releases, noting that some affected release trains will not receive fixes.
Cisco Talos attributed observed exploitation and post-compromise activity to a sophisticated actor tracked as UAT-8616, with evidence suggesting activity dating back to 2023. Partner reporting and CISA guidance described a broader intrusion chain in which actors use CVE-2026-20127 for initial access, then escalate privileges and persistence—reportedly including software version downgrade tactics and subsequent exploitation of CVE-2022-20775—leading to root access and long-term footholds in SD-WAN environments. CISA added both CVE-2026-20127 and CVE-2022-20775 to the Known Exploited Vulnerabilities (KEV) catalog and, via Emergency Directive ED 26-03, required U.S. FCEB agencies to inventory in-scope Cisco SD-WAN systems, collect forensic artifacts (e.g., snapshots/logs), patch, and assess for compromise; international partners echoed similar hunt-and-mitigate actions.
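Two of the post-compromise behaviours above are things a defender can hunt for mechanically once the inventory snapshots ED 26-03 asks for exist: a controller whose running software went backwards between two snapshots (the downgrade tactic), and peers appearing in the fabric that were never part of the approved peering baseline. The following is an added example, not code from the page, from Cisco, from Talos or from any CERT; the snapshot layout, hostnames, version strings and peer lists are constructed assumptions for illustration, and a real deployment would populate them from its own inventory and peer exports.

```python
"""Hunt heuristics for two post-compromise tactics described in the advisories:
software version downgrades and unapproved peers in the SD-WAN fabric.

Added example; not the page's, Cisco's or any CERT's code. The snapshot
format (a chronological list of {"taken": date, "devices": {host: {...}}})
is an assumption for illustration only.
"""
from __future__ import annotations


def parse_version(version: str) -> tuple[int, ...]:
    """'20.12.4' -> (20, 12, 4). Dotted-numeric strings only; anything else is
    rejected so an unexpected build string is never silently mis-ordered."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def detect_downgrades(snapshots: list[dict]) -> list[dict]:
    """Compare consecutive snapshots (oldest first) and report every device whose
    running version went backwards. A sanctioned rollback still deserves a ticket;
    an unexplained one is an indicator worth escalating under this campaign."""
    findings = []
    for earlier, later in zip(snapshots, snapshots[1:]):
        for host, state in later["devices"].items():
            prior = earlier["devices"].get(host)
            if prior is None:
                continue  # first time this device is seen; nothing to compare against
            if parse_version(state["version"]) < parse_version(prior["version"]):
                findings.append({
                    "host": host,
                    "from": prior["version"],
                    "to": state["version"],
                    "between": (earlier["taken"], later["taken"]),
                })
    return findings


def detect_unapproved_peers(approved: dict[str, set[str]], snapshot: dict) -> dict[str, set[str]]:
    """Per device, peers reported in the snapshot that are absent from the approved
    peering baseline. A device with no baseline entry at all has every peer flagged,
    which also surfaces controllers nobody knew about."""
    unexpected: dict[str, set[str]] = {}
    for host, state in snapshot["devices"].items():
        extra = set(state["peers"]) - approved.get(host, set())
        if extra:
            unexpected[host] = extra
    return unexpected


# Constructed sample data (not real telemetry): three weekly snapshots of a small fabric.
SAMPLE_SNAPSHOTS = [
    {"taken": "2026-02-01", "devices": {
        "sdwan-controller-1": {"version": "20.12.4", "peers": {"vbond-1", "edge-a", "edge-b"}},
        "sdwan-manager-1": {"version": "20.12.4", "peers": {"vbond-1"}},
    }},
    {"taken": "2026-02-08", "devices": {
        # controller moved back a train and gained a peer nobody approved
        "sdwan-controller-1": {"version": "20.9.5", "peers": {"vbond-1", "edge-a", "edge-b", "edge-zz"}},
        "sdwan-manager-1": {"version": "20.12.4", "peers": {"vbond-1"}},
    }},
    {"taken": "2026-02-15", "devices": {
        "sdwan-controller-1": {"version": "20.12.5", "peers": {"vbond-1", "edge-a", "edge-b", "edge-zz"}},
        "sdwan-manager-1": {"version": "20.12.5", "peers": {"vbond-1"}},
        "sdwan-controller-2": {"version": "20.12.5", "peers": {"vbond-1"}},  # never inventoried before
    }},
]

# Constructed approved peering baseline.
APPROVED_PEERS = {
    "sdwan-controller-1": {"vbond-1", "edge-a", "edge-b"},
    "sdwan-manager-1": {"vbond-1"},
}

if __name__ == "__main__":
    for f in detect_downgrades(SAMPLE_SNAPSHOTS):
        print(f"DOWNGRADE {f['host']}: {f['from']} -> {f['to']} between {f['between']}")
    for host, peers in detect_unapproved_peers(APPROVED_PEERS, SAMPLE_SNAPSHOTS[-1]).items():
        print(f"UNAPPROVED PEERS on {host}: {sorted(peers)}")
```

Note that the downgrade check only fires on the pair of snapshots where the version dropped; once the device is upgraded again the later comparison is silent, so retain all snapshots rather than only the latest. Version strings with vendor suffixes are deliberately rejected by `parse_version` rather than guessed at, which makes the script fail loudly on formats it has not been taught.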
Related Stories

Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities by UAT-8616
**CISA** ordered U.S. federal civilian agencies to urgently remediate a **critical Cisco Catalyst SD-WAN Manager compromise** tied to **CVE-2026-20127**, a `CVSS 10.0` authentication bypass flaw that allows attackers to obtain high-privilege access without valid credentials. Reporting indicates the activity was uncovered by **CISA** and **Cisco Talos**, which attributed exploitation to **UAT-8616** and assessed that the intrusions date back to 2023. Attackers reportedly maintained persistence by downgrading devices to older software releases that remain vulnerable to **CVE-2022-20775**, and used the resulting access to reach `NETCONF` and manipulate SD-WAN fabric configuration, creating significant risk for federal networks and other exposed deployments. Additional research shows the campaign is not limited to a single bug. Cisco disclosed in-the-wild exploitation of **CVE-2026-20127** together with **CVE-2022-20775**, an older SD-WAN CLI flaw enabling post-auth privilege escalation and root command execution, while external analysis warned that public proof-of-concept material around `CVE-2026-20127` has been misattributed and may produce incomplete detections. Researchers also highlighted broader exposure across internet-facing SD-WAN Manager instances and warned that **CVE-2026-20133** may present underappreciated risk and could already be seeing exploitation, underscoring that defenders should treat the Cisco SD-WAN issue as an active intrusion and hardening priority rather than a routine patch cycle.
3 days ago
Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities
Cisco and U.S./U.K./Five Eyes cyber agencies warned of an ongoing campaign targeting **Cisco Catalyst SD-WAN** deployments, with exploitation confirmed dating back to at least 2023 and attributed by Cisco to a highly sophisticated actor tracked as **UAT-8616**. The activity has been described as posing an “unacceptable” risk to federal networks and broader global environments because compromise of SD-WAN/edge infrastructure can enable deep network access, traffic interception, and operational disruption. Cisco updated its advisories to state that **CVE-2026-20127** (critical auth bypass) has been exploited as a zero-day, enabling attackers to compromise SD-WAN controllers and add **rogue peers** that appear legitimate to facilitate further intrusion. Cisco also flagged additional *Catalyst SD-WAN Manager (vManage)* issues as actively exploited: **CVE-2026-20122** (high-severity arbitrary file overwrite requiring valid read-only/API credentials) and **CVE-2026-20128** (information disclosure requiring local access with valid vManage credentials). Agencies and Cisco urged urgent mitigation including inventorying affected devices, applying fixed releases/patches, retaining and reviewing logs, and hunting for indicators of compromise; CISA also issued **Emergency Directive `26-03`** for federal agencies.
1 week ago
Actively Exploited Critical Vulnerabilities in Cisco Secure Firewall and Catalyst SD-WAN Manager
Belgium’s CCB (Safeonweb) warned of **multiple critical vulnerabilities** across several **Cisco** products—specifically calling out **Cisco Secure Firewall** (including *Adaptive Security Appliance (ASA)*, *Firepower Management Center (FMC)*, and *Firepower Threat Defense (FTD)*) and **Cisco Catalyst SD-WAN Manager**—and stated that **some vulnerabilities are being actively exploited**, urging immediate patching. The advisory lists a broad set of weakness classes including **authentication bypass** (`CWE-288`/`CWE-287`), **deserialization of untrusted data** (`CWE-502`), **buffer overflow** (`CWE-120`), **SQL injection** (`CWE-89`), and **sensitive information exposure** (`CWE-200`), and highlights multiple CVEs including **CVE-2026-20079** and **CVE-2026-20131** with **CVSS 10.0**. A separate advisory from the Center for Internet Security (CIS) also reported **multiple vulnerabilities in Cisco products** that could enable **remote code execution**, enumerating a large set of related CVEs (including **CVE-2026-20001**, **CVE-2026-20002**, **CVE-2026-20003**, and **CVE-2026-20039**). Taken together, the advisories indicate a high-risk patching priority for organizations running affected Cisco network/security management and firewall platforms, particularly where internet exposure or untrusted management-plane access could make exploitation more likely.
1 week ago