Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities by UAT-8616
CISA ordered U.S. federal civilian agencies to urgently remediate a critical Cisco Catalyst SD-WAN Manager compromise tied to CVE-2026-20127, a CVSS 10.0 authentication bypass flaw that allows attackers to obtain high-privilege access without valid credentials. Reporting indicates the activity was uncovered by CISA and Cisco Talos, which attributed exploitation to UAT-8616 and assessed that the intrusions date back to 2023. Attackers reportedly maintained persistence by downgrading devices to older vulnerable software and then using the access to reach NETCONF and manipulate SD-WAN fabric configuration, creating significant risk for federal networks and other exposed deployments.
The campaign is not limited to a single bug. Cisco disclosed in-the-wild exploitation of CVE-2026-20127 together with CVE-2022-20775, an older SD-WAN CLI flaw that lets an already-authenticated attacker escalate privileges and run commands as root. Separately, external analysis warned that public proof-of-concept material circulating under the CVE-2026-20127 label has been misattributed, so detections written against it may miss the real exploit. Researchers also highlighted broader exposure across internet-facing SD-WAN Manager instances and warned that CVE-2026-20133 presents underappreciated risk and may already be under exploitation. Defenders should treat the Cisco SD-WAN issue as an active intrusion and hardening priority rather than a routine patch cycle.
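The persistence step described above, a downgrade to an older and vulnerable software release, leaves a simple trace: a device whose observed version goes backwards between two inventory snapshots. The script below is an added example written for this page, not code from Cisco, Talos, CISA or Mallory. It assumes a whitespace-separated "timestamp device version" export (a constructed format; adapt load_records() to your own inventory or audit source), and the sample lines and version numbers in it are constructed, not a list of fixed or vulnerable releases. It parses Cisco-style dotted release strings numerically so that 20.9.5.1 correctly sorts below 20.12.4, then reports every device whose version strictly decreased over time.

```python
"""Flag software downgrades across successive inventory snapshots of
Cisco Catalyst SD-WAN Manager instances.

A version that moves backwards between two observations of the same
device is a hunting lead, not routine churn. The record format and the
sample data below are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

# Constructed sample: one line per (timestamp, device, observed version).
# Cisco SD-WAN release strings are dotted integers of varying length
# (e.g. 20.12.4 vs 20.9.5.1), so plain string comparison is wrong:
# "20.9.5.1" > "20.12.4" lexically, yet 20.12 is the newer train.
SAMPLE_INVENTORY = """\
2026-02-20T08:00:00Z vmanage-01 20.12.4
2026-02-21T08:00:00Z vmanage-01 20.12.4
2026-02-22T08:00:00Z vmanage-01 20.9.5.1
2026-02-23T08:00:00Z vmanage-01 20.9.5.1
2026-02-20T08:00:00Z vmanage-02 20.9.5.1
2026-02-21T08:00:00Z vmanage-02 20.12.4
2026-02-20T08:00:00Z vmanage-03 20.12.4
2026-02-21T08:00:00Z vmanage-03 20.12.4
"""

VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '20.9.5.1' into (20, 9, 5, 1) so comparisons are numeric.

    Tuples compare element-wise and then by length, which matches how
    maintenance releases are numbered: 20.9.5 < 20.9.5.1 < 20.12.4.
    """
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def fmt(version: tuple[int, ...]) -> str:
    """Inverse of parse_version(), for human-readable findings."""
    return ".".join(str(p) for p in version)


@dataclass(frozen=True)
class Observation:
    seen_at: datetime
    device: str
    version: tuple[int, ...]


def load_records(text: str) -> list[Observation]:
    """Parse 'timestamp device version' lines (constructed format)."""
    out: list[Observation] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, device, ver = line.split()
        seen_at = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        out.append(Observation(seen_at, device, parse_version(ver)))
    return out


@dataclass(frozen=True)
class Downgrade:
    device: str
    seen_at: datetime
    from_version: str
    to_version: str


def find_downgrades(records: Iterable[Observation]) -> list[Downgrade]:
    """Walk each device's observations in time order and report every
    step where the version is strictly lower than the one before it."""
    by_device: dict[str, list[Observation]] = {}
    for rec in records:
        by_device.setdefault(rec.device, []).append(rec)

    findings: list[Downgrade] = []
    for device, obs in by_device.items():
        obs.sort(key=lambda o: o.seen_at)
        for prev, cur in zip(obs, obs[1:]):
            if cur.version < prev.version:
                findings.append(
                    Downgrade(device, cur.seen_at, fmt(prev.version), fmt(cur.version))
                )
    return findings


if __name__ == "__main__":
    for d in find_downgrades(load_records(SAMPLE_INVENTORY)):
        print(f"{d.seen_at.isoformat()} {d.device}: "
              f"{d.from_version} -> {d.to_version}  DOWNGRADE")
```

Run against the constructed sample, only vmanage-01 is reported (20.12.4 to 20.9.5.1); vmanage-02 moved forward and vmanage-03 did not change. Any hit should be reconciled against change records, and an unexplained downgrade on an SD-WAN Manager instance should be treated as a possible compromise indicator rather than patched over in place, in line with the rebuild guidance in the directives summarised below.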

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Final federal status report on Cisco SD-WAN response is due
A final status report on agency remediation and response actions for the Cisco SD-WAN incident is due to the Secretary of Homeland Security on May 1, 2026. This marks the last deadline referenced in the emergency response timeline.
Federal agencies must submit Cisco SD-WAN traffic logs to CISA
CISA required agencies to submit internal traffic logs and related remediation status for affected Cisco SD-WAN environments by March 23, 2026. The deadline was intended to support government-wide threat hunting and scope determination.
VulnCheck warns CVE-2026-20133 poses deeper compromise risk
On March 12, 2026, VulnCheck reported that community focus on CVE-2026-20127 had obscured the risk from CVE-2026-20133. The researchers said the flaw could expose sensitive files and secrets, facilitate NETCONF compromise, and support privilege escalation and broader SD-WAN compromise paths.
Cisco Talos and partners detail long-running UAT-8616 exploitation
By mid-March 2026, Cisco Talos reported that threat actor UAT-8616 had exploited CVE-2026-20127 and CVE-2022-20775 in the wild, with activity traced back to 2023. The Australian Signals Directorate, with Five Eyes partners, also published a hunting and tradecraft report on the campaign.
CISA issues second directive requiring hardening and rebuilds
On March 11, 2026, CISA followed up with a second emergency directive mandating additional hardening steps, key replacement, and full system rebuilds where root access may have been obtained. Agencies were also told to collect forensic artifacts, enable external log storage, and investigate for compromise.
Rapid7 publishes working exploit for CVE-2026-20127
A Rapid7 researcher released a working public exploit for CVE-2026-20127 on March 11, 2026. Researchers warned that the availability of a valid PoC could increase real-world exploitation attempts.
Cisco updates advisory to mark more SD-WAN flaws as exploited
After its initial February disclosures, Cisco updated its aggregate SD-WAN advisory to state that CVE-2026-20122 and CVE-2026-20128 were also being actively exploited. This expanded the set of known in-the-wild SD-WAN vulnerabilities beyond CVE-2026-20127.
Misattributed public PoC for CVE-2026-20127 is released
On March 3, 2026, a public exploit labeled as a PoC for CVE-2026-20127 was released by zerozenxlabs. VulnCheck later determined it did not exploit CVE-2026-20127, but instead chained CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 to obtain credentials and upload a webshell.
Federal agencies face initial Cisco SD-WAN patch deadline
CISA's first directive required U.S. federal agencies to complete initial software updates for affected Cisco SD-WAN systems by February 27, 2026. This marked the first mandatory remediation deadline in the government's response.
CISA issues first emergency directive for Cisco SD-WAN flaw
On February 25, 2026, CISA issued an emergency directive after discovering exploitation of Cisco Catalyst SD-WAN vulnerabilities in federal networks. The directive required agencies to begin urgent remediation of affected systems.
Cisco discloses six Catalyst SD-WAN Manager vulnerabilities
Cisco disclosed six vulnerabilities affecting Catalyst SD-WAN Manager on February 25, 2026, including the critical authentication bypass flaw CVE-2026-20127. The disclosures also covered additional SD-WAN Manager issues later tracked in Cisco's aggregate advisory.
Sources
CISA alerts exploitation of Cisco Catalyst SD-WAN vulnerability | brief | SC Media (scworld.com)
US Agencies Face CISA Deadline Over Critical Cisco SD-WAN Flaw (hackread.com)
Fake PoCs, Misunderstood Risks Cause Cisco SD-WAN Chaos (darkreading.com)
Herding Cats: Recent Cisco SD-WAN Manager Vulnerabilities | Blog | VulnCheck (vulncheck.com)
ED 26-03 orders federal agencies to secure Cisco Catalyst SD-WAN systems amid active cyber exploitation - Industrial Cyber (industrialcyber.co)


