A Critical Cisco SD-WAN Vulnerability Has Been Exploited for Years – Here’s What You Need to Know
In a startling revelation, a newly disclosed, maximum-severity security flaw in Cisco’s Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has been actively exploited since 2023. But here’s where it gets even more alarming: this zero-day vulnerability, tracked as CVE-2026-20127 with a CVSS score of 10.0, allows unauthenticated remote attackers to bypass authentication and gain administrative access to affected systems simply by sending a crafted request. This isn’t just a theoretical risk; it’s a real-world threat that has already been leveraged by sophisticated cyber actors.
How Does This Vulnerability Work?
The flaw lies in the peering authentication mechanism of the affected systems. Once exploited, it gives attackers the privileges of a high-privileged, non-root user account. Cisco explains that this account can then be used to access NETCONF and manipulate the network configuration of the SD-WAN fabric. And this is the part most people miss: the vulnerability impacts a wide range of deployment types, including on-premises setups, Cisco Hosted SD-WAN Cloud, and even FedRAMP environments, regardless of device configuration.
Who’s Behind the Attacks?
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC) first reported the vulnerability, and Cisco is tracking the exploitation under the moniker UAT-8616. This threat actor is described as highly sophisticated, with a focus on establishing persistent access to high-value organizations, including critical infrastructure sectors. According to ASD-ACSC, the attackers create rogue devices that appear as temporary, trusted components within the SD-WAN’s management and control plane, enabling them to execute malicious actions undetected.
The Exploitation Chain: A Deep Dive
After gaining initial access, the attackers don’t stop there. They leverage the system’s built-in update mechanism to downgrade the software version, exploit another high-severity vulnerability (CVE-2022-20775), and escalate privileges to the root user. From there, they take steps to cover their tracks, such as purging logs, modifying startup scripts, and creating fake user accounts. This multi-stage attack highlights the attackers’ determination and technical prowess.
What’s Being Done to Mitigate the Risk?
Cisco has released patches for multiple versions of the Catalyst SD-WAN software, urging customers to migrate to fixed releases immediately. The Cybersecurity and Infrastructure Security Agency (CISA) has also taken swift action, adding both CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are mandated to apply fixes within 24 hours and conduct thorough inventories of their SD-WAN devices. CISA further recommends analyzing specific logs to detect version downgrades and unexpected reboots.
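To make the CISA recommendation above concrete, here is an added example (not code from Cisco, CISA, or this article) that scans a stream of controller events for two of the signals described: a software version that moves backwards on the same device, and a reboot with no preceding scheduled reboot. The event line layout and the sample events are constructed for illustration and do not represent an actual Cisco Catalyst SD-WAN log format; the field names and the 15-minute reboot window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample events in an invented "<timestamp> <device> <event> [detail]"
# layout; this is NOT an actual Cisco Catalyst SD-WAN log format.
SAMPLE_EVENTS = """\
2026-01-10T02:00:00Z vmanage-1 software-version 20.12.4
2026-01-12T03:15:22Z vmanage-1 reboot-scheduled admin
2026-01-12T03:20:05Z vmanage-1 reboot
2026-02-03T01:42:11Z vmanage-1 software-version 20.9.1
2026-02-03T01:43:02Z vmanage-1 reboot
2026-02-03T01:50:00Z vmanage-1 software-version 20.9.1
2026-02-04T09:00:00Z vsmart-2 software-version 20.12.4
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")

def parse_version(text):
    # Numeric tuple: compared as strings, "20.12.4" < "20.9.1" would wrongly hold.
    return tuple(int(p) for p in text.split("."))

def parse_ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def analyze(lines, reboot_window_s=900):
    """Flag (a) any software-version event lower than the last version seen on the
    same device and (b) any reboot not preceded by a reboot-scheduled event for
    that device within reboot_window_s seconds. Returns (ts, device, kind, detail)."""
    last_version, scheduled, findings = {}, {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, device, event, detail = m.groups()
        when = parse_ts(ts)
        if event == "software-version":
            ver = parse_version(detail)
            prev = last_version.get(device)
            if prev is not None and ver < prev:
                old = ".".join(map(str, prev))
                findings.append((ts, device, "downgrade", f"{old} -> {detail}"))
            last_version[device] = ver
        elif event == "reboot-scheduled":
            scheduled[device] = when
        elif event == "reboot":
            planned = scheduled.pop(device, None)  # a scheduled reboot is consumed once
            if planned is None or (when - planned).total_seconds() > reboot_window_s:
                findings.append((ts, device, "unexpected-reboot", "no scheduled reboot in window"))
    return findings
```

On the sample stream this reports the 20.12.4 to 20.9.1 downgrade on vmanage-1 and the reboot that immediately follows it, while the earlier admin-scheduled reboot is left alone.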
Controversial Question: Are We Doing Enough to Protect Critical Infrastructure?
While Cisco and CISA’s responses are commendable, this incident raises a broader question: Are our current cybersecurity measures sufficient to protect critical infrastructure from increasingly sophisticated threats? The fact that this vulnerability went unnoticed for years suggests gaps in our detection and response capabilities. What do you think? Are we doing enough, or is it time for a fundamental rethink of our approach to network security?
What Should You Do Next?
If you’re using Cisco Catalyst SD-WAN, prioritize updating your systems to the latest patched versions. Audit your logs for suspicious activity, particularly entries related to unauthorized access. Stay informed by following trusted cybersecurity sources, and don’t hesitate to share your thoughts on this issue in the comments below. The conversation around cybersecurity is more critical than ever—let’s keep it going.