INTRODUCTION
Cisco Talos revealed active exploitation of CVE-2026-20127, a maximum-severity authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager, by the sophisticated threat actor UAT-8616. Exploitation dates back to 2023, enabling root access and long-term persistence in network edge devices, primarily targeting critical infrastructure.
UAT-8616 began exploiting CVE-2026-20127 (CVSS 10.0) in Cisco SD-WAN systems as early as 2023, with public disclosure on February 25, 2026, via Cisco's advisory. The Australian Cyber Security Centre (ACSC) reported the flaw, noting rogue peer creation in the management plane. Cisco Talos tracks this as ongoing activity by a highly sophisticated actor active for at least three years.
The vulnerability stems from a flaw in the peering authentication mechanism that allows unauthenticated attackers to send crafted requests and gain high-privileged, but non-root, access. Attackers then downgrade the software via the built-in update mechanism to exploit CVE-2022-20775 (CVSS 7.8), a CLI privilege escalation flaw, achieving root privileges before restoring the original version. Post-exploitation activity includes creating mimic user accounts, adding SSH keys for root, modifying startup scripts, using NETCONF over port 830, and clearing logs in /var/log, command history, and connection records.
The flaw impacts all Cisco Catalyst SD-WAN Controller (vSmart) and Manager (vManage) deployments: on-premises, Cisco-hosted cloud, Cisco-managed cloud, and FedRAMP environments, regardless of configuration. No workarounds exist; patching is required per Cisco advisory cisco-sa-sdwan-rpa-EHchtZk.
UAT-8616 targets network edge devices in critical infrastructure for persistent footholds, showing high technical proficiency. Cisco assesses it with high confidence as sophisticated, focusing on infrastructure over data theft.
Apply Cisco patches immediately; CISA added CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities catalog, mandating fixes for Federal Civilian Executive Branch agencies within 24 hours. Talos provides threat hunting guidance for compromised devices, including log analysis and anomaly detection.
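The post-exploitation behaviours described above (downgrade-exploit-restore, root SSH keys, mimic accounts, NETCONF on port 830, startup-script changes, log clearing) and the hunting guidance Talos refers to lend themselves to a simple audit pass over device event records. The script below is an added example, not Cisco's or Talos's code: its `Event` schema, the `KNOWN_PEERS`/`KNOWN_USERS` baselines, the startup-script paths, the peer addresses and the version strings are all constructed for the illustration and are not Cisco's log format.

```python
"""Constructed hunting helper: scans simplified device event records for the
post-exploitation patterns named in the advisory. Event schema, paths, user
names, peer addresses and version strings are assumptions for this example."""
from dataclasses import dataclass, field
from typing import Dict, List
import difflib


@dataclass
class Event:
    ts: str                                   # ISO-8601 timestamp (constructed)
    kind: str                                 # event category used by the checks
    detail: Dict[str, str] = field(default_factory=dict)


# Assumed baseline for the environment being hunted (all constructed values).
KNOWN_PEERS = {"10.0.0.10", "10.0.0.11"}          # legitimate NETCONF peers
KNOWN_USERS = {"admin", "netops", "svc_monitor"}  # accounts expected on the device
STARTUP_PATHS = ("/etc/rc.local", "/etc/init.d/", "/etc/systemd/system/")


def _vt(version: str):
    """'20.12.4' -> (20, 12, 4) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in version.split("."))


def find_downgrade_cycles(events: List[Event]) -> List[str]:
    """Flag software version regressions; note when the original version returns."""
    findings = []
    versions = [(e.ts, e.detail["version"]) for e in events if e.kind == "software_version"]
    for i in range(1, len(versions)):
        (_, prev), (ts, cur) = versions[i - 1], versions[i]
        if _vt(cur) < _vt(prev):
            restored = any(_vt(v) == _vt(prev) for _, v in versions[i + 1:])
            note = " (later restored to original version)" if restored else ""
            findings.append(f"{ts} software downgrade {prev} -> {cur}{note}")
    return findings


def find_root_key_additions(events: List[Event]) -> List[str]:
    return [f"{e.ts} SSH key added for root (source {e.detail.get('source', 'unknown')})"
            for e in events if e.kind == "authorized_key_add" and e.detail.get("user") == "root"]


def find_lookalike_accounts(events: List[Event], known_users=KNOWN_USERS) -> List[str]:
    """New accounts whose names closely resemble an existing account (0.8 threshold is an assumption)."""
    findings = []
    for e in events:
        if e.kind != "user_add" or e.detail["user"] in known_users:
            continue
        close = difflib.get_close_matches(e.detail["user"], sorted(known_users), n=1, cutoff=0.8)
        if close:
            findings.append(f"{e.ts} new account {e.detail['user']!r} resembles existing {close[0]!r}")
    return findings


def find_unknown_netconf_peers(events: List[Event], known_peers=KNOWN_PEERS) -> List[str]:
    return [f"{e.ts} NETCONF (tcp/830) session from unexpected peer {e.detail['src']}"
            for e in events if e.kind == "connection"
            and e.detail.get("dst_port") == "830" and e.detail.get("src") not in known_peers]


def find_startup_script_changes(events: List[Event]) -> List[str]:
    return [f"{e.ts} startup script modified: {e.detail['path']}"
            for e in events if e.kind == "file_change"
            and e.detail.get("path", "").startswith(STARTUP_PATHS)]


def find_log_clearing(events: List[Event]) -> List[str]:
    """Truncation or deletion under /var/log or of a shell history file."""
    return [f"{e.ts} {e.detail['action']} of {e.detail['path']}"
            for e in events if e.kind == "file_change"
            and e.detail.get("action") in ("truncate", "delete")
            and (e.detail.get("path", "").startswith("/var/log/")
                 or e.detail.get("path", "").endswith(".bash_history"))]


def hunt(events: List[Event], known_users=KNOWN_USERS, known_peers=KNOWN_PEERS) -> Dict[str, List[str]]:
    return {
        "downgrade_cycles": find_downgrade_cycles(events),
        "root_ssh_keys": find_root_key_additions(events),
        "lookalike_accounts": find_lookalike_accounts(events, known_users),
        "netconf_unknown_peers": find_unknown_netconf_peers(events, known_peers),
        "startup_script_changes": find_startup_script_changes(events),
        "log_clearing": find_log_clearing(events),
    }


# Constructed sample timeline mirroring the sequence the advisory describes.
SAMPLE_EVENTS = [
    Event("2026-02-20T01:00:00Z", "software_version", {"version": "20.12.4"}),
    Event("2026-02-20T01:05:00Z", "connection", {"src": "203.0.113.7", "dst_port": "830"}),
    Event("2026-02-20T01:06:00Z", "software_version", {"version": "20.6.1"}),
    Event("2026-02-20T01:20:00Z", "authorized_key_add", {"user": "root", "source": "203.0.113.7"}),
    Event("2026-02-20T01:21:00Z", "user_add", {"user": "admin1"}),
    Event("2026-02-20T01:22:00Z", "file_change", {"path": "/etc/rc.local", "action": "modify"}),
    Event("2026-02-20T01:30:00Z", "software_version", {"version": "20.12.4"}),
    Event("2026-02-20T01:31:00Z", "file_change", {"path": "/var/log/auth.log", "action": "truncate"}),
    Event("2026-02-20T01:31:05Z", "file_change", {"path": "/root/.bash_history", "action": "truncate"}),
    Event("2026-02-20T02:00:00Z", "connection", {"src": "10.0.0.10", "dst_port": "830"}),
]

if __name__ == "__main__":
    for category, items in hunt(SAMPLE_EVENTS).items():
        for item in items:
            print(f"[{category}] {item}")
```

Versions are compared as integer tuples so that a regression such as 20.12.x to 20.6.x is not masked by string ordering, and a downgrade that is later followed by the original version is called out separately, since that restore step is what makes the downgrade-exploit-restore sequence easy to miss in a point-in-time version check. The look-alike threshold, the startup-script paths and the baseline sets would need to be replaced with values from the environment being investigated.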
SD-WAN edge devices are increasingly targeted for their role in network management planes, enabling lateral movement and disruptions. UAT-8616's tactics align with trends in zero-day exploitation of networking gear, building on prior unpatched flaws like CVE-2022-20775 for chained attacks. ACSC and CISA alerts highlight risks to federal and critical infrastructure networks.
Key Vulnerabilities
| CVE ID | Description | CVSS Score | Exploitation Role |
| --- | --- | --- | --- |
| CVE-2026-20127 | Authentication bypass in SD-WAN | 10.0 | Initial access via rogue peer |
| CVE-2022-20775 | CLI privilege escalation | 7.8 | Root escalation post-downgrade |
Affected Deployment Types
| Deployment Type | Impacted |
| --- | --- |
| On-Premises | Yes |
| Cisco Hosted SD-WAN Cloud | Yes |
| Cisco Managed Cloud | Yes |
| FedRAMP Environment | Yes |
SUPPORTING DOCUMENTATION