Active Exploitation of Cisco SD-WAN Vulnerabilities Beyond CVE-2026-20127
Researchers warned that defenders may be underestimating the risk from Cisco SD-WAN flaws beyond the widely publicized zero-day CVE-2026-20127, particularly CVE-2026-20133, a high-severity issue tied to inadequate file system access restrictions. VulnCheck reported that public attention and detection efforts have focused too narrowly on CVE-2026-20127, even though proof-of-concept activity attributed to that bug appears to affect other vulnerabilities, including CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122. Defused researchers said their telemetry supports that assessment, indicating that CVE-2026-20127 is generating heavy automated noise while activity involving CVE-2026-20133, if present, is likely quieter and easier to miss.
Broader reporting indicates the SD-WAN issue is part of a larger pattern of active exploitation across Cisco edge infrastructure, with multiple recently disclosed SD-WAN and firewall vulnerabilities already exploited in the wild. CyberScoop reported that five of nine Cisco flaws disclosed across firewalls and SD-WAN systems in recent weeks have seen exploitation, including two SD-WAN zero-days abused for years before discovery and three additional SD-WAN defects later confirmed under attack. The reporting also noted exploitation of a maximum-severity Cisco firewall management flaw by Interlock ransomware, underscoring that attackers are targeting management-plane and control-plane weaknesses in network-edge products that often serve as enterprise trust anchors.
How this story unfolded
Nine events, listed from the most recent confirmed update back to the earliest known activity.
CISA adds Cisco SD-WAN flaw CVE-2026-20133 to KEV catalog
CISA added Cisco Catalyst SD-WAN Manager vulnerability CVE-2026-20133 to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. The agency ordered Federal Civilian Executive Branch agencies to secure affected systems by 2026-04-24 and follow Emergency Directive 26-03 and Cisco hardening guidance.
CISA adds CVE-2026-20128 and CVE-2026-20122 to KEV catalog
CISA added Cisco Catalyst SD-WAN Manager flaws CVE-2026-20128 and CVE-2026-20122 to its Known Exploited Vulnerabilities catalog after Cisco confirmed active exploitation. Federal agencies were given a remediation deadline in late April 2026, expanding U.S. government response beyond CVE-2026-20133 alone.
Researchers warn CVE-2026-20133 may be the more urgent SD-WAN threat
VulnCheck assessed that the high-severity Cisco Catalyst SD-WAN flaw CVE-2026-20133 may pose a greater immediate risk than the more publicized zero-day CVE-2026-20127. Defused researchers also said vulnerable SD-WAN devices were being targeted through multiple avenues and that CVE-2026-20133 exploitation may be quieter and easier to miss.
Researchers identify misattributed PoC affecting other Cisco flaws
VulnCheck reported that a proof-of-concept published by ZeroZenX Labs for CVE-2026-20127 did not actually target that zero-day, but instead affected CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122. The finding suggested defenders may be misjudging which SD-WAN vulnerabilities are most urgent.
Cisco discloses multiple SD-WAN and firewall vulnerabilities
Cisco recently disclosed nine vulnerabilities affecting SD-WAN and firewall management products, with five later confirmed as exploited in the wild. The disclosures included the zero-day CVE-2026-20127 and other SD-WAN flaws such as CVE-2026-20133.
Cisco patches three Catalyst SD-WAN Manager flaws
Cisco released fixes in late February 2026 for CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 affecting Catalyst SD-WAN Manager. The vulnerabilities were later cited by CISA as actively exploited or included in its Known Exploited Vulnerabilities catalog.
CISA orders federal agencies to assess and patch Cisco SD-WAN Manager
CISA issued an emergency directive requiring federal executive branch agencies to assess and patch Cisco SD-WAN Manager systems after concerns about active exploitation. The directive elevated the urgency of the Cisco SD-WAN vulnerability situation for U.S. government networks.
Attackers begin exploiting Cisco firewall management flaw
Amazon Threat Intelligence said the Interlock ransomware group started exploiting a maximum-severity Cisco firewall management vulnerability before it was publicly disclosed. The exploitation reportedly began on January 26 and targeted firewall management infrastructure.
Cisco SD-WAN zero-days were exploited for years before disclosure
Two Cisco SD-WAN zero-day vulnerabilities were reportedly exploited in the wild for at least three years before Cisco disclosed them. This indicates long-running attacker access to SD-WAN management or control-plane systems prior to public awareness.
Sources
7 references tracked.
Another Cisco Catalyst SD-WAN Manager bug added to CISA list (SC Media, scworld.com)
CISA flags new SD-WAN flaw as actively exploited in attacks (BleepingComputer, bleepingcomputer.com)
More Cisco SD-WAN bugs battered in attacks (The Register, go.theregister.com)
VulnCheck: Threat of high-severity Cisco SD-WAN bug potentially missed (SC Media, scworld.com)
Cisco's latest vulnerability spree has a more troubling pattern underneath (CyberScoop, cyberscoop.com)
Security teams might be overlooking wider threat to Cisco SD-WAN (Cybersecurity Dive, cybersecuritydive.com)
CISA flags 3 exploited Cisco vulnerabilities for patching (SDxCentral, sdxcentral.com)