A newly disclosed maximum-severity safety flaw in Cisco Catalyst SD-WAN Controller (previously vSmart) and Catalyst SD-WAN Supervisor (previously vManage) has come below energetic exploitation within the wild as a part of malicious exercise that dates again to 2023.
The vulnerability, tracked as CVE-2026-20127 (CVSS rating: 10.0), permits an unauthenticated distant attacker to bypass authentication and acquire administrative privileges on the affected system by sending a crafted request to an affected system.
Profitable exploitation of the flaw may permit the adversary to acquire elevated privileges on the system as an inner, high-privileged, non-root consumer account.
“This vulnerability exists as a result of the peering authentication mechanism in an affected system isn’t working correctly,” Cisco stated in an advisory, including the risk actor may leverage the non-root consumer account to entry NETCONF and manipulate community configuration for the SD-WAN material.
The shortcoming impacts the next deployment varieties, no matter the gadget configuration –
- On-Prem Deployment
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud – Cisco Managed
- Cisco Hosted SD-WAN Cloud – FedRAMP Atmosphere
Cisco credited the Australian Indicators Directorate’s Australian Cyber Safety Centre (ASD-ACSC) for reporting the vulnerability. The networking gear main is monitoring the exploitation and subsequent post-compromise exercise below the moniker UAT-8616, describing the cluster as a “extremely refined cyber risk actor.”
The vulnerability has been addressed within the following variations of Cisco Catalyst SD-WAN –
- Previous to model 20.91 – Migrate to a set launch.
- Model 20.9 – 20.9.8.2 (Estimated launch February 27, 2026)
- Model 20.111 – 20.12.6.1
- Model 20.12.5 – 20.12.5.3
- Model 20.12.6 – 20.12.6.1
- Model 20.131 – 20.15.4.2
- Model 20.141 – 20.15.4.2
- Model 20.15 – 20.15.4.2
- Model 20.161 – 20.18.2.1
- Model 20.18 – 20.18.2.1
“Cisco Catalyst SD-WAN Controller techniques which might be uncovered to the web and which have ports uncovered to the web are prone to publicity to compromise,” Cisco warned.
The corporate has additionally advisable prospects to audit the “/var/log/auth.log” file for entries associated to “Accepted publickey for vmanage-admin” from unknown or unauthorized IP addresses. It is also suggested to verify the IP addresses within the auth.log log file towards the configured System IPs which might be listed within the Cisco Catalyst SD-WAN Supervisor net UI (WebUI > Gadgets > System IP).
In accordance with data launched by the ASD-ACSC, UAT-8616 is claimed to have compromised Cisco SD-WANs since 2023 by way of the zero-day exploit, permitting it to achieve elevated entry.
“The vulnerability allowed a malicious cyber actor to create a rogue peer joined to the community administration airplane, or management airplane, of a company’s SD-WAN,” ASD-ACSC stated. “The rogue gadget seems as a brand new however momentary, actor-controlled SD-WAN element that may conduct trusted actions inside the administration and management airplane.”
After efficiently compromising a public-facing software, the attackers have been discovered to leverage the built-in replace mechanism to stage a software program model downgrade and escalate to the foundation consumer by exploiting CVE-2022-20775 (CVSS rating: 7.8), a high-severity privilege escalation bug within the CLI of Cisco SD-WAN Software program, after which restoring the software program again to the model it was initially operating.
A few of the subsequent steps initiated by the risk actor are as follows –
- Created native consumer accounts that mimicked different native consumer accounts.
- Added a Safe Shell Protocol (SSH) approved key for root entry and modified SD-WAN-related start-up scripts to customise the setting.
- Used Community Configuration Protocol on port 830 (NETCONF) and SSH to hook up with/between Cisco SD-WAN home equipment inside the administration airplane.
- Took steps to clear proof of the intrusion by purging logs below “/var/log,” command historical past, and community connection historical past.
“UAT-8616’s tried exploitation signifies a seamless development of the concentrating on of community edge units by cyber risk actors seeking to set up persistent footholds into high-value organizations, together with Essential Infrastructure (CI) sectors,” Talos stated.
The event has prompted the Cybersecurity and Infrastructure Safety Company (CISA) to add each CVE-2022-20775 and CVE-2026-20127 to its Identified Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Govt Department (FCEB) companies to use the fixes inside the subsequent 24 hours.
To verify for model downgrade and sudden reboot occasions, CISA recommends analyzing the next logs –
- /var/unstable/log/vdebug
- /var/log/tmplog/vdebug
- /var/unstable/log/sw_script_synccdb.log
CISA has additionally issued a brand new emergency directive, 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Techniques, as a part of which federal companies are required to stock SD-WAN units, apply updates, and assess potential compromise.
To that finish, companies have been ordered to offer a catalog of all in-scope SD-WAN techniques on their networks by February 26, 2026, 11:59 p.m. ET. Moreover, they’re required to submit an in depth stock of all in-scope merchandise and actions taken by March 5, 2026, 11:59 p.m. ET. Lastly, the companies should submit the checklist of all steps taken to harden their environments by March 26, 2026, 11:59 p.m. ET.
