Mallory

Cisco Catalyst SD-WAN Exploitation Advisory and KEV Additions

Tags: sd-wan, cisco, active exploitation, exploit, kev, network appliances, zero-day, catalyst, patching, vulnerability, configuration validation, cisa, access controls, ncsc, government advisory

Updated March 1, 2026 at 05:06 AM · 2 sources


Government and industry reporting highlighted active exploitation of Cisco Catalyst SD-WAN vulnerabilities, with an NCSC-and-partners advisory calling attention to real-world abuse and operational guidance for defenders. Related coverage also pointed to U.S. CISA adding Cisco SD-WAN issues to the Known Exploited Vulnerabilities (KEV) catalog and reporting that attackers have leveraged a Cisco SD-WAN zero-day since 2023 to obtain full administrative control, reinforcing the need for rapid patching, exposure reduction, and validation of device configurations and access controls.

Other items in the provided material were not part of this specific SD-WAN exploitation story: one was a general newsletter roundup that aggregates many unrelated security headlines, another was a generic IoT security advice article using mixed examples (including an AVTECH camera CVE and Colonial Pipeline), and another was a conference write-up focused on Linux filesystem journal forensics tooling (FJTA) rather than a specific incident or vulnerability exploitation campaign.

Sources

February 28, 2026 at 12:00 AM

Related Stories

Active exploitation of Cisco Catalyst SD-WAN authentication bypass (CVE-2026-20127)

Government and vendor advisories warned of **active, in-the-wild exploitation** of a critical **improper authentication / authentication bypass** vulnerability in **Cisco Catalyst SD-WAN** (tracked as `CVE-2026-20127`) affecting the **Catalyst SD-WAN Controller** (formerly *vSmart*) and related SD-WAN components. The flaw is in the **peering authentication process** and can allow an **unauthenticated remote attacker** to send crafted requests that result in access as an internal, high-privileged (non-root) administrative account, enabling actions such as **NETCONF access** and manipulation of SD-WAN fabric configuration; multiple national CERT/CSIRT bodies (including Canada’s Cyber Centre and France’s CERT-FR) urged immediate patching or migration off end-of-maintenance releases, noting some affected trains will not receive fixes. Cisco Talos attributed observed exploitation and post-compromise activity to a sophisticated actor tracked as **UAT-8616**, with evidence suggesting activity dating back to **2023**. Partner reporting and CISA guidance described a broader intrusion chain in which actors use `CVE-2026-20127` for initial access, then escalate privileges and persistence—reportedly including **software version downgrade** tactics and subsequent exploitation of `CVE-2022-20775`—leading to **root access** and long-term footholds in SD-WAN environments. CISA added both `CVE-2026-20127` and `CVE-2022-20775` to the **Known Exploited Vulnerabilities (KEV)** catalog and, via **Emergency Directive ED 26-03**, required U.S. FCEB agencies to inventory in-scope Cisco SD-WAN systems, collect forensic artifacts (e.g., snapshots/logs), patch, and assess for compromise; international partners echoed similar hunt-and-mitigate actions.

2 weeks ago
Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities

Cisco and U.S./U.K./Five Eyes cyber agencies warned of an ongoing campaign targeting **Cisco Catalyst SD-WAN** deployments, with exploitation confirmed dating back to at least 2023 and attributed by Cisco to a highly sophisticated actor tracked as **UAT-8616**. The activity has been described as posing an “unacceptable” risk to federal networks and broader global environments because compromise of SD-WAN/edge infrastructure can enable deep network access, traffic interception, and operational disruption. Cisco updated its advisories to state that **CVE-2026-20127** (critical auth bypass) has been exploited as a zero-day, enabling attackers to compromise SD-WAN controllers and add **rogue peers** that appear legitimate to facilitate further intrusion. Cisco also flagged additional *Catalyst SD-WAN Manager (vManage)* issues as actively exploited: **CVE-2026-20122** (high-severity arbitrary file overwrite requiring valid read-only/API credentials) and **CVE-2026-20128** (information disclosure requiring local access with valid vManage credentials). Agencies and Cisco urged urgent mitigation including inventorying affected devices, applying fixed releases/patches, retaining and reviewing logs, and hunting for indicators of compromise; CISA also issued **Emergency Directive `26-03`** for federal agencies.

1 week ago
Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities by UAT-8616

**CISA** ordered U.S. federal civilian agencies to urgently remediate a **critical Cisco Catalyst SD-WAN Manager compromise** tied to **CVE-2026-20127**, a `CVSS 10.0` authentication bypass flaw that allows attackers to obtain high-privilege access without valid credentials. Reporting indicates the activity was uncovered by **CISA** and **Cisco Talos**, which attributed exploitation to **UAT-8616** and assessed that the intrusions date back to 2023. Attackers reportedly maintained persistence by downgrading devices to older vulnerable software and then using the access to reach `NETCONF` and manipulate SD-WAN fabric configuration, creating significant risk for federal networks and other exposed deployments. Additional research shows the campaign is not limited to a single bug. Cisco disclosed in-the-wild exploitation of **CVE-2026-20127** together with **CVE-2022-20775**, an older SD-WAN CLI flaw enabling post-auth privilege escalation and root command execution, while external analysis warned that public proof-of-concept material around `CVE-2026-20127` has been misattributed and may produce incomplete detections. Researchers also highlighted broader exposure across internet-facing SD-WAN Manager instances and warned that **CVE-2026-20133** may present underappreciated risk and could already be seeing exploitation, underscoring that defenders should treat the Cisco SD-WAN issue as an active intrusion and hardening priority rather than a routine patch cycle.

3 days ago
