Cisco SD-WAN Zero-Day Exploited to Add Rogue Peers and Gain Persistent Root Access
Cisco and multiple government cyber agencies warned that attackers are actively exploiting CVE-2026-20127, a critical (CVSS 10.0) authentication bypass in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager. The flaw lies in the peering authentication process and lets an unauthenticated remote attacker gain administrative access, use NETCONF, and alter the SD-WAN fabric configuration, including adding malicious rogue peers. Cisco Talos attributed the activity to a sophisticated cluster tracked as UAT-8616, with evidence that exploitation dates back to at least 2023 and has affected high-value targets, including critical infrastructure and government networks.
Investigators said the intrusions often continued with a downgrade of the appliance software to a version vulnerable to CVE-2022-20775, which was exploited for root privilege escalation; the original version was then restored to conceal the compromise while persistence was maintained. In response, CISA added both CVEs to the Known Exploited Vulnerabilities catalog and issued Emergency Directive 26-03 for U.S. federal civilian agencies, while the UK NCSC, ACSC, Canadian Centre for Cyber Security, and other partners released joint hunting and hardening guidance. Cisco said there are no complete workarounds, urged immediate upgrades to fixed releases, and advised defenders to review peering events, SSH key activity, version history, and logs for signs of tampering or unauthorized access.
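The downgrade-then-restore tradecraft described above leaves a recognisable shape in an appliance's version history: the running version drops, then returns to the previous value a short time later. The script below is an added illustration of that check, not code from Cisco, Talos, or any of the agencies named here. It assumes a hypothetical, constructed "timestamp version" history format (real Catalyst SD-WAN version records will need their own parser) and flags every downgrade, noting whether the prior version was restored within a window.

```python
from datetime import datetime, timedelta

# Constructed sample history (hypothetical format: "<ISO timestamp> <version>").
# The 20.12.3 -> 20.6.5 -> 20.12.3 sequence is the downgrade/restore pattern;
# the final 20.12.5 line is a normal upgrade and must not be flagged.
SAMPLE_HISTORY = """\
2025-11-02T08:00:00Z 20.12.3
2026-01-14T02:11:09Z 20.6.5
2026-01-14T02:47:51Z 20.12.3
2026-02-26T10:00:00Z 20.12.5
"""


def parse_version(ver):
    """Turn '20.12.3' into (20, 12, 3) so versions compare numerically."""
    return tuple(int(part) for part in ver.split("."))


def parse_history(text):
    """Parse the constructed history format into a time-ordered list of (datetime, version)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ver = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ver))
    events.sort()
    return events


def find_downgrades(events, window=timedelta(days=7)):
    """Return one finding per downgrade, with the restore time if the old version came back.

    A downgrade that is quickly followed by a restore of the previous version is the
    most suspicious case, but an unrestored downgrade is still reported because it
    leaves the appliance on an older (possibly vulnerable) release.
    """
    findings = []
    for i in range(1, len(events)):
        prev_ts, prev_ver = events[i - 1]
        ts, ver = events[i]
        if parse_version(ver) >= parse_version(prev_ver):
            continue  # upgrade or no change: not a downgrade
        restored_at = None
        for later_ts, later_ver in events[i + 1:]:
            if later_ts - ts > window:
                break
            if later_ver == prev_ver:
                restored_at = later_ts
                break
        findings.append({
            "downgraded_at": ts,
            "from_version": prev_ver,
            "to_version": ver,
            "restored_at": restored_at,
            "restore_gap_seconds": (
                int((restored_at - ts).total_seconds()) if restored_at else None
            ),
        })
    return findings


def analyze(text, window=timedelta(days=7)):
    """Convenience wrapper: parse a history text and return the downgrade findings."""
    return find_downgrades(parse_history(text), window)


if __name__ == "__main__":
    for f in analyze(SAMPLE_HISTORY):
        verdict = "downgrade restored" if f["restored_at"] else "downgrade not restored"
        print(f"{f['downgraded_at'].isoformat()} {f['from_version']} -> {f['to_version']}: "
              f"{verdict} (gap {f['restore_gap_seconds']} s)")
```

A short restore gap is the signal worth triaging first: a legitimate rollback normally stays on the older release for days, not minutes, and it would be accompanied by a change record. Pair any finding with the peering, SSH key and log review the advisory recommends, since a restored version on its own proves nothing.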

How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
Cisco flags two more SD-WAN Manager flaws as exploited
On March 5, 2026, Cisco updated its advisory to state that CVE-2026-20122 and CVE-2026-20128 in Catalyst SD-WAN Manager were also being actively exploited in the wild. Cisco urged customers to upgrade to fixed releases but did not provide detailed attribution or attack-chain information for the new exploitation.
Third parties report surge in broad exploitation attempts
Public reporting on March 5-9, 2026 cited telemetry showing a major spike in attack attempts on March 4, suggesting exploitation of Cisco SD-WAN flaws had expanded beyond earlier targeted activity. Reports described many unique source IPs, possible web shell deployment, and more internet-wide scanning against exposed systems.
Cisco plans 20.9.x fix release for unsupported branch gap
CERT-FR reported that while several Cisco Catalyst SD-WAN branches had fixes available on February 25, 2026, the 20.9.x train was scheduled to receive its fix on February 27, 2026. Other end-of-maintenance branches would not receive security patches and required migration to supported versions.
National cyber agencies issue parallel public alerts
On February 25, 2026, agencies including the Canadian Centre for Cyber Security, France's CERT-FR, Finland's NCSC-FI, and the UK's NCSC published alerts warning of active exploitation of Cisco Catalyst SD-WAN. These notices urged immediate upgrades, compromise hunting, and reduction of internet exposure for management and control planes.
CISA adds CVE-2026-20127 and CVE-2022-20775 to KEV
CISA added both Cisco SD-WAN vulnerabilities to its Known Exploited Vulnerabilities catalog on February 25, 2026. The KEV update formally recognized active exploitation and set a federal remediation deadline tied to the emergency directive.
CISA issues Emergency Directive 26-03 for federal agencies
On February 25, 2026, CISA issued ED 26-03, ordering U.S. Federal Civilian Executive Branch agencies to inventory affected Cisco SD-WAN systems, collect forensic artifacts, patch, and assess for compromise. CISA said the ongoing exploitation posed an unacceptable risk to federal networks.
Five Eyes agencies publish joint hunt and mitigation guidance
CISA, NSA, the UK NCSC, ASD/ACSC, and other partners warned that organizations globally were being targeted through Cisco Catalyst SD-WAN and released a joint threat-hunting guide. The guidance documented observed tactics such as rogue peer creation, persistence, log tampering, and recommended hardening and forensic collection.
Talos publicly attributes exploitation cluster as UAT-8616
Cisco Talos published analysis tying the in-the-wild exploitation and post-compromise activity to a sophisticated actor cluster it tracks as UAT-8616. Talos also released threat-hunting guidance and said Snort coverage would be made available.
Cisco discloses CVE-2026-20127 and releases SD-WAN fixes
On February 25, 2026, Cisco published security advisories for critical vulnerabilities in Catalyst SD-WAN Controller and Manager, including CVE-2026-20127, and released fixed software versions. Cisco confirmed the authentication bypass flaw had been exploited in the wild and said there were no complete workarounds.
Australian authorities report Cisco SD-WAN zero-day to Cisco
Australia's ASD/ACSC identified the SD-WAN issue through real-world exploitation and reported the vulnerability to Cisco. This reporting led to vendor investigation and later public disclosure of CVE-2026-20127.
Attackers chain CVE-2026-20127 with CVE-2022-20775 for root access
Post-compromise investigations found the actor likely downgraded Cisco SD-WAN software to a version vulnerable to CVE-2022-20775, exploited it to escalate to root, and then restored the original version. Agencies said this tradecraft helped the actor retain long-term access while reducing obvious signs of tampering.
UAT-8616 begins exploiting Cisco SD-WAN zero-day
Cisco Talos and partner agencies assessed that a sophisticated actor tracked as UAT-8616 had been exploiting the previously undisclosed CVE-2026-20127 since at least 2023. The activity involved adding rogue SD-WAN peers to gain privileged access and establish persistence in victim environments.
Sources
Remediate Catalyst SD-WAN Security Advisory - February 2026 - Cisco (cisco.com)
Cisco Catalyst SD-WAN Vulnerabilities (sec.cloudapps.cisco.com)
CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild - Intel 471 (intel471.com)
Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities (1898advisories.burnsmcd.com)
Five Eyes allies warn hackers are actively exploiting Cisco SD-WAN flaws - The Record from Recorded Future News (therecord.media)
CISA Adds Two Known Exploited Vulnerabilities to Catalog - CISA (cisa.gov)
Add Updated KEV Files for 2026-02-25 - cisagov/kev-data@149f933 - GitHub (github.com)
Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023 (bleepingcomputer.com)