The UK’s National Cyber Security Centre (NCSC) and its partner agencies in the Anglophone Five Eyes intelligence-sharing group have warned users of Cisco Catalyst Software Defined Wide Area Networks (SD-WAN) to take immediate action after identifying a cluster of threat activity targeting the widely used products.
The activity appears indiscriminate in its targeting, but the modus operandi is largely the same – following compromise, the as-yet-unnamed threat actors add a malicious rogue peer before conducting follow-on actions to achieve root access and maintain persistent access to the victim’s network.
“Our new alert makes clear that organisations using Cisco Catalyst SD-WAN products should urgently investigate their exposure to network compromise and hunt for malicious activity, making use of the new threat hunting advice produced with our international partners to identify evidence of compromise,” said NCSC chief technology officer (CTO) Ollie Whitehouse.
“UK organisations are strongly advised to report compromises to the NCSC, and to apply vendor updates and hardening guidance as soon as practicable to reduce the risk of exploitation,” he added.
The NCSC said the activity itself appeared to date back to 2023, and a series of vulnerabilities in Catalyst SD-WAN Manager and Catalyst SD-WAN Controller have now been patched by Cisco.
Chief among these issues, and of most concern to Cisco, is CVE-2026-20127, an authentication bypass vulnerability in Catalyst SD-WAN.
In an advisory, Cisco said the vulnerability arose due to a failure of the peering authentication mechanism on an affected system.
“An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric,” the supplier said.
“Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.”
Organisations with management interfaces exposed to the public internet appear to be at greatest risk of compromise – exposing management interfaces to the internet is extremely ill-advised.
Besides performing threat hunting for evidence of compromise as detailed in a newly-published Hunt Guide – available here – security teams should immediately update to the appropriate fixed latest versions of Catalyst SD-WAN Manager and Controller, and apply the Cisco Catalyst SD-WAN Hardening Guide now available from Cisco.
UK-based organisations that discover they may have been compromised are advised to immediately collect artefacts from the relevant device and report it to the NCSC.
In the US, the Cybersecurity and Infrastructure Security Agency (Cisa) has issued a parallel emergency directive instructing government organisations to take action by 23:59 EST (04:59 GMT) on Thursday 26 February, and to have fully applied the patches by 17:00 EST on Friday.
Threat actor targets CNI operators
Meanwhile, Cisco’s threat intel unit Talos has been tracking active exploitation of CVE-2026-20127, and has assigned the cluster the designation UAT-8616.
Talos said it was confident that UAT-8616 is a “highly sophisticated cyber threat actor” given the historical extent of its activity dating back to 2023, and additional investigation, which found that its hackers likely escalated to root user by downgrading the software version then exploiting another flaw – CVE-2022-20775 – in the Catalyst software command line interface (CLI) before restoring back to the original.
Talos said UAT-8616 demonstrated an ongoing trend of targeting network edge devices in order to establish beachheads at high-value organisations, such as operators of critical national infrastructure (CNI).
While it stopped short of attributing the activity outright, the targeting of utilities and similar organisations could indicate UAT-8616 is backed by a nation-state.
