Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities by UAT-8616
CISA ordered U.S. federal civilian agencies to urgently remediate a critical Cisco Catalyst SD-WAN Manager compromise tied to CVE-2026-20127, a CVSS 10.0 authentication bypass that lets an attacker obtain high-privilege access without valid credentials. Reporting indicates the activity was uncovered by CISA and Cisco Talos, which attributed the exploitation to UAT-8616 and assessed that the intrusions date back to 2023. Attackers reportedly maintained persistence by downgrading devices to older, still-vulnerable software releases, and used their access to reach NETCONF and manipulate SD-WAN fabric configuration, creating significant risk for federal networks and other exposed deployments.
Additional research shows the campaign is not limited to a single bug. Cisco disclosed in-the-wild exploitation of CVE-2026-20127 together with CVE-2022-20775, an older SD-WAN CLI flaw enabling post-auth privilege escalation and root command execution, while external analysis warned that public proof-of-concept material around CVE-2026-20127 has been misattributed and may produce incomplete detections. Researchers also highlighted broader exposure across internet-facing SD-WAN Manager instances and warned that CVE-2026-20133 may present underappreciated risk and could already be seeing exploitation, underscoring that defenders should treat the Cisco SD-WAN issue as an active intrusion and hardening priority rather than a routine patch cycle.
Related Stories

Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities
Cisco and U.S., U.K. and other Five Eyes cyber agencies warned of an ongoing campaign targeting **Cisco Catalyst SD-WAN** deployments, with exploitation confirmed dating back to at least 2023 and attributed by Cisco to a highly sophisticated actor tracked as **UAT-8616**. The activity has been described as posing an “unacceptable” risk to federal networks and broader global environments, because compromise of SD-WAN/edge infrastructure can enable deep network access, traffic interception, and operational disruption. Cisco updated its advisories to state that **CVE-2026-20127** (critical auth bypass) has been exploited as a zero-day, enabling attackers to compromise SD-WAN controllers and add **rogue peers** that appear legitimate in order to facilitate further intrusion. Cisco also flagged additional *Catalyst SD-WAN Manager (vManage)* issues as actively exploited: **CVE-2026-20122** (high-severity arbitrary file overwrite, requiring valid read-only/API credentials) and **CVE-2026-20128** (information disclosure, requiring local access with valid vManage credentials). Agencies and Cisco urged urgent mitigation, including inventorying affected devices, applying fixed releases/patches, retaining and reviewing logs, and hunting for indicators of compromise; CISA also issued **Emergency Directive ED 26-03** for federal agencies.
1 week ago
Active exploitation of Cisco Catalyst SD-WAN authentication bypass (CVE-2026-20127)
Government and vendor advisories warned of **active, in-the-wild exploitation** of a critical **improper authentication / authentication bypass** vulnerability in **Cisco Catalyst SD-WAN** (tracked as `CVE-2026-20127`) affecting the **Catalyst SD-WAN Controller** (formerly *vSmart*) and related SD-WAN components. The flaw is in the **peering authentication process** and can allow an **unauthenticated remote attacker** to send crafted requests that result in access as an internal, high-privileged (non-root) administrative account, enabling actions such as **NETCONF access** and manipulation of SD-WAN fabric configuration; multiple national CERT/CSIRT bodies (including Canada’s Cyber Centre and France’s CERT-FR) urged immediate patching or migration off end-of-maintenance releases, noting some affected trains will not receive fixes. Cisco Talos attributed observed exploitation and post-compromise activity to a sophisticated actor tracked as **UAT-8616**, with evidence suggesting activity dating back to **2023**. Partner reporting and CISA guidance described a broader intrusion chain in which actors use `CVE-2026-20127` for initial access, then escalate privileges and persistence—reportedly including **software version downgrade** tactics and subsequent exploitation of `CVE-2022-20775`—leading to **root access** and long-term footholds in SD-WAN environments. CISA added both `CVE-2026-20127` and `CVE-2022-20775` to the **Known Exploited Vulnerabilities (KEV)** catalog and, via **Emergency Directive ED 26-03**, required U.S. FCEB agencies to inventory in-scope Cisco SD-WAN systems, collect forensic artifacts (e.g., snapshots/logs), patch, and assess for compromise; international partners echoed similar hunt-and-mitigate actions.
2 weeks ago
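Two of the post-compromise behaviours described in these stories lend themselves to a simple offline hunt: the software version downgrades used for persistence (mentioned in the main summary and in the CVE-2026-20127 story above) and the rogue control-plane peers added after controller compromise (the UAT-8616 story above). The script below is an added example, not code from Cisco, CISA or any of the cited advisories. The record layout, device names, version strings and system IPs are constructed sample data; nothing here reflects the advisories' actual fixed releases or real device output. Note the version comparison: a lexical comparison would miss a 20.12.x to 20.9.x downgrade because "20.12" sorts before "20.9" as a string.

```python
import re
from collections import defaultdict

# Constructed sample data (an assumption, not a Cisco log or API format).
# Each record: (device, ISO timestamp, version before change, version after change).
VERSION_EVENTS = [
    ("vmanage-01", "2025-11-02T01:12:00Z", "20.9.4", "20.12.3"),
    ("vsmart-02", "2025-12-20T10:00:00Z", "20.9.4", "20.9.5"),
    ("vmanage-01", "2026-01-14T03:40:00Z", "20.12.3", "20.9.4"),
    ("vsmart-02", "2026-01-15T02:05:00Z", "20.9.5", "20.6.7"),
    ("vbond-01", "2025-10-05T08:30:00Z", "20.6.7", "20.9.4"),
]

# Approved control-plane peers (system IP -> hostname), e.g. taken from change records.
# Constructed baseline for the example.
APPROVED_PEERS = {
    "10.0.0.1": "vmanage-01",
    "10.0.0.2": "vsmart-02",
    "10.0.0.3": "vbond-01",
}

# Peers currently observed in control connections (constructed).
OBSERVED_PEERS = [
    {"system_ip": "10.0.0.1", "hostname": "vmanage-01", "peer_type": "vmanage"},
    {"system_ip": "10.0.0.2", "hostname": "vsmart-02", "peer_type": "vsmart"},
    {"system_ip": "10.0.0.9", "hostname": "vsmart-02", "peer_type": "vsmart"},
    {"system_ip": "10.0.0.3", "hostname": "vbond-01", "peer_type": "vbond"},
]


def parse_version(text):
    """Turn '20.12.3' into (20, 12, 3) so releases compare numerically, not lexically."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def find_downgrades(events):
    """Return every change whose post-change release is older than the pre-change one.

    Events are grouped per device and walked in time order; each finding carries
    the device, the time of the change and the two release strings.
    """
    by_device = defaultdict(list)
    for device, ts, before, after in events:
        by_device[device].append((ts, before, after))
    findings = []
    for device, recs in by_device.items():
        for ts, before, after in sorted(recs):
            if parse_version(after) < parse_version(before):
                findings.append({"device": device, "time": ts, "from": before, "to": after})
    return findings


def find_rogue_peers(observed, approved):
    """Flag peers whose system IP is absent from the baseline. If such a peer also
    presents a hostname that belongs to an approved peer, say so: a look-alike
    identity is exactly what makes a rogue peer 'appear legitimate'."""
    findings = []
    for peer in observed:
        ip, host = peer["system_ip"], peer["hostname"]
        if ip not in approved:
            reason = "system IP not in approved baseline"
            if host in approved.values():
                reason += f"; hostname {host!r} collides with an approved peer"
            findings.append({"peer": peer, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_downgrades(VERSION_EVENTS):
        print(f"DOWNGRADE {f['device']} at {f['time']}: {f['from']} -> {f['to']}")
    for f in find_rogue_peers(OBSERVED_PEERS, APPROVED_PEERS):
        print(f"ROGUE PEER {f['peer']['system_ip']}: {f['reason']}")
```

In a real hunt the two input lists would come from retained change/audit records and a current control-connection listing, which the directive's evidence-collection steps are meant to preserve; a downgrade finding on its own is not proof of compromise, but any downgrade onto a release the vendor lists as affected should be treated as a lead and correlated with authentication and configuration-change activity around the same time.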
Actively Exploited Critical Vulnerabilities in Cisco Secure Firewall and Catalyst SD-WAN Manager
Belgium’s CCB (Safeonweb) warned of **multiple critical vulnerabilities** across several **Cisco** products—specifically calling out **Cisco Secure Firewall** (including *Adaptive Security Appliance (ASA)*, *Firepower Management Center (FMC)*, and *Firepower Threat Defense (FTD)*) and **Cisco Catalyst SD-WAN Manager**—and stated that **some vulnerabilities are being actively exploited**, urging immediate patching. The advisory lists a broad set of weakness classes including **authentication bypass** (`CWE-288`/`CWE-287`), **deserialization of untrusted data** (`CWE-502`), **buffer overflow** (`CWE-120`), **SQL injection** (`CWE-89`), and **sensitive information exposure** (`CWE-200`), and highlights multiple CVEs including **CVE-2026-20079** and **CVE-2026-20131** with **CVSS 10.0**. A separate advisory from the Center for Internet Security (CIS) also reported **multiple vulnerabilities in Cisco products** that could enable **remote code execution**, enumerating a large set of related CVEs (including **CVE-2026-20001**, **CVE-2026-20002**, **CVE-2026-20003**, and **CVE-2026-20039**). Taken together, the advisories indicate a high-risk patching priority for organizations running affected Cisco network/security management and firewall platforms, particularly where internet exposure or untrusted management-plane access could make exploitation more likely.
1 week ago