Mallory

Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities

Tags: cisco catalyst, exploit, sd-wan, active exploitation, zero-day, vulnerability, authentication bypass, cisa emergency directive, vmanage, api credentials, local access, edge infrastructure, federal networks, controllers, traffic interception
Updated March 9, 2026 at 09:00 PM; 10 sources


Cisco and U.S./U.K./Five Eyes cyber agencies warned of an ongoing campaign targeting Cisco Catalyst SD-WAN deployments, with exploitation confirmed dating back to at least 2023 and attributed by Cisco to a highly sophisticated actor tracked as UAT-8616. The activity has been described as posing an “unacceptable” risk to federal networks and broader global environments because compromise of SD-WAN/edge infrastructure can enable deep network access, traffic interception, and operational disruption.

Cisco updated its advisories to state that CVE-2026-20127 (critical auth bypass) has been exploited as a zero-day, enabling attackers to compromise SD-WAN controllers and add rogue peers that appear legitimate to facilitate further intrusion. Cisco also flagged additional Catalyst SD-WAN Manager (vManage) issues as actively exploited: CVE-2026-20122 (high-severity arbitrary file overwrite requiring valid read-only/API credentials) and CVE-2026-20128 (information disclosure requiring local access with valid vManage credentials). Agencies and Cisco urged urgent mitigation including inventorying affected devices, applying fixed releases/patches, retaining and reviewing logs, and hunting for indicators of compromise; CISA also issued Emergency Directive 26-03 for federal agencies.


Related Stories

Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities by UAT-8616

**CISA** ordered U.S. federal civilian agencies to urgently remediate a **critical Cisco Catalyst SD-WAN Manager compromise** tied to **CVE-2026-20127**, a `CVSS 10.0` authentication bypass flaw that allows attackers to obtain high-privilege access without valid credentials. Reporting indicates the activity was uncovered by **CISA** and **Cisco Talos**, which attributed exploitation to **UAT-8616** and assessed that the intrusions date back to 2023. Attackers reportedly maintained persistence by downgrading devices to older vulnerable software and then using the access to reach `NETCONF` and manipulate SD-WAN fabric configuration, creating significant risk for federal networks and other exposed deployments. Additional research shows the campaign is not limited to a single bug. Cisco disclosed in-the-wild exploitation of **CVE-2026-20127** together with **CVE-2022-20775**, an older SD-WAN CLI flaw enabling post-auth privilege escalation and root command execution, while external analysis warned that public proof-of-concept material around `CVE-2026-20127` has been misattributed and may produce incomplete detections. Researchers also highlighted broader exposure across internet-facing SD-WAN Manager instances and warned that **CVE-2026-20133** may present underappreciated risk and could already be seeing exploitation, underscoring that defenders should treat the Cisco SD-WAN issue as an active intrusion and hardening priority rather than a routine patch cycle.

3 days ago
Active exploitation of Cisco Catalyst SD-WAN authentication bypass (CVE-2026-20127)

Government and vendor advisories warned of **active, in-the-wild exploitation** of a critical **improper authentication / authentication bypass** vulnerability in **Cisco Catalyst SD-WAN** (tracked as `CVE-2026-20127`) affecting the **Catalyst SD-WAN Controller** (formerly *vSmart*) and related SD-WAN components. The flaw is in the **peering authentication process** and can allow an **unauthenticated remote attacker** to send crafted requests that result in access as an internal, high-privileged (non-root) administrative account, enabling actions such as **NETCONF access** and manipulation of SD-WAN fabric configuration; multiple national CERT/CSIRT bodies (including Canada’s Cyber Centre and France’s CERT-FR) urged immediate patching or migration off end-of-maintenance releases, noting some affected trains will not receive fixes. Cisco Talos attributed observed exploitation and post-compromise activity to a sophisticated actor tracked as **UAT-8616**, with evidence suggesting activity dating back to **2023**. Partner reporting and CISA guidance described a broader intrusion chain in which actors use `CVE-2026-20127` for initial access, then escalate privileges and persistence—reportedly including **software version downgrade** tactics and subsequent exploitation of `CVE-2022-20775`—leading to **root access** and long-term footholds in SD-WAN environments. CISA added both `CVE-2026-20127` and `CVE-2022-20775` to the **Known Exploited Vulnerabilities (KEV)** catalog and, via **Emergency Directive ED 26-03**, required U.S. FCEB agencies to inventory in-scope Cisco SD-WAN systems, collect forensic artifacts (e.g., snapshots/logs), patch, and assess for compromise; international partners echoed similar hunt-and-mitigate actions.

2 weeks ago
Actively Exploited Critical Vulnerabilities in Cisco Secure Firewall and Catalyst SD-WAN Manager

Belgium’s CCB (Safeonweb) warned of **multiple critical vulnerabilities** across several **Cisco** products—specifically calling out **Cisco Secure Firewall** (including *Adaptive Security Appliance (ASA)*, *Firepower Management Center (FMC)*, and *Firepower Threat Defense (FTD)*) and **Cisco Catalyst SD-WAN Manager**—and stated that **some vulnerabilities are being actively exploited**, urging immediate patching. The advisory lists a broad set of weakness classes including **authentication bypass** (`CWE-288`/`CWE-287`), **deserialization of untrusted data** (`CWE-502`), **buffer overflow** (`CWE-120`), **SQL injection** (`CWE-89`), and **sensitive information exposure** (`CWE-200`), and highlights multiple CVEs including **CVE-2026-20079** and **CVE-2026-20131** with **CVSS 10.0**. A separate advisory from the Center for Internet Security (CIS) also reported **multiple vulnerabilities in Cisco products** that could enable **remote code execution**, enumerating a large set of related CVEs (including **CVE-2026-20001**, **CVE-2026-20002**, **CVE-2026-20003**, and **CVE-2026-20039**). Taken together, the advisories indicate a high-risk patching priority for organizations running affected Cisco network/security management and firewall platforms, particularly where internet exposure or untrusted management-plane access could make exploitation more likely.

1 week ago