A critical security flaw in Cisco's SD-WAN technology has been actively exploited since 2023, causing a major stir in the cybersecurity world. This zero-day vulnerability, tracked as CVE-2026-20127, has a maximum severity rating of 10.0 and impacts Cisco's Catalyst SD-WAN Controller and Manager software. The issue lies in a faulty peering authentication mechanism, allowing remote attackers to infiltrate networks and add malicious devices, posing as legitimate peers.
Cisco credits the Australian Cyber Security Centre for reporting this vulnerability. In their advisory, Cisco explains that an attacker can exploit this flaw by sending crafted requests to affected systems, gaining access to the Cisco Catalyst SD-WAN Controller as a high-privileged, non-root user. From there, the attacker can manipulate network configurations, potentially moving deeper into the organization's network infrastructure.
Here's where it gets controversial: Cisco Talos reports that this vulnerability has been actively exploited in attacks, tracking the malicious activity as UAT-8616. They believe a highly sophisticated threat actor is behind these attacks, with intelligence partners stating the actor likely escalated to root access by exploiting another vulnerability, CVE-2022-20775, and then restoring the original firmware version to evade detection.
The exploitation was disclosed in a coordinated effort between Cisco and US and UK authorities, with CISA issuing an emergency directive on February 25, 2026, requiring federal agencies to take immediate action to mitigate the threat. CISA warned that the exploitation poses an imminent threat to federal networks, with a hard deadline for patching by 5:00 PM ET on February 27, 2026.
A joint guide from CISA and the UK's National Cyber Security Centre warns that malicious actors are targeting Cisco Catalyst SD-WAN deployments globally to gain persistent control. They stress the importance of never exposing SD-WAN management interfaces to the internet and urge organizations to update and harden their systems immediately.
Cisco has released software updates to address the vulnerability, but they emphasize that there are no workarounds to fully mitigate the issue. Organizations are urged to carefully review logs for signs of unauthorized peering events and suspicious authentication activity. Indicators of compromise include the creation and deletion of malicious user accounts, unexpected root logins, and changes that enable PermitRootLogin.
Administrators should also look for signs of log tampering, software downgrades, and reboots, which may indicate exploitation of CVE-2022-20775 to gain root privileges. CISA recommends analyzing specific logs to check for this exploitation.
If a root account is compromised, agencies are advised to deploy fresh installs rather than attempting to clean the existing infrastructure. Unexpected peering events or unexplained controller activity should also be treated as potential indicators of compromise and investigated thoroughly.
Both CISA and the UK NCSC recommend implementing robust security measures, such as restricting network exposure, placing SD-WAN control components behind firewalls, and applying Cisco's hardening guidance. Cisco strongly recommends upgrading to a fixed software release as the only way to fully remediate CVE-2026-20127.
This critical vulnerability highlights the importance of staying vigilant and proactive in the face of evolving cybersecurity threats. As the future of IT infrastructure continues to evolve, organizations must adapt and implement robust security practices to protect their networks and sensitive data.
