Attackers are exploiting a serious vulnerability in Cisco Catalyst software-defined wide area network (SD-WAN) devices that enables them to bypass authentication.
On top of bypassing authentication, attackers can eventually gain root superuser administrative privileges, so as to establish long-term persistence, ASD’s Australian Cyber Security Centre (ACSC) said in an advisory.
The joint alert was issued collectively by Five-Eyes cyber security authorities.
The alert includes a Cisco SD-WAN Threat Hunting Guide [pdf] written by the Five-Eyes intelligence and security agencies, providing a description of the threat and indicators of compromise (IOCs).
In the guide, the agencies said they are aware that since 2023, a malicious cyber actor has compromised Cisco SD-WANs “via a previously unknown vulnerability”.
That vulnerability, indexed as CVE-2026-20127, was identified as a zero-day exploit in 2025, the security agencies said.
It allows a threat actor to create a rogue peer joined to the network management control plane of an organisation’s WAN.
“The rogue device appears as a new but temporary, actor-controlled SD-WAN component that can conduct trusted actions within the management and control plane,” the advisory stated.
Through a multi-step attack chain, the attacker is able to escalate account privileges to those of the root superuser, which provides full administrative control of the Catalyst SD-WAN device.
Cisco has issued patches for the vulnerability, which is rated 10 out of 10, the most serious ranking on the Common Vulnerability Scoring System (CVSS).
No workarounds exist for the vulnerability, Cisco said, but customers can mitigate it by restricting access to ports 22 and 930 to only known controller and other trusted IP addresses.
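The port restriction above is an allowlist: only known controllers and trusted hosts should be able to reach the management ports at all. The script below is an added example and is not part of the advisory, the threat hunting guide or Cisco's own guidance. It applies that rule to a set of constructed flow records (the record format, the IP addresses, the allowlist and the `SAMPLE_FLOWS` data are all assumptions for illustration) and reports every TCP connection to the two ports the advisory names that did not originate from an allowlisted source. It is the kind of check a hunt team would run over real firewall or NetFlow exports when looking for a rogue peer, and it also serves to confirm that a deployed port restriction is actually holding.

```python
import ipaddress

# The ports named in the advisory's mitigation guidance.
CONTROL_PLANE_PORTS = {22, 930}

# Hypothetical allowlist: the organisation's SD-WAN controllers plus a
# management subnet. Real deployments would load this from inventory.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.10.0.1/32"),   # assumed SD-WAN Manager
    ipaddress.ip_network("10.10.0.2/32"),   # assumed SD-WAN Controller
    ipaddress.ip_network("10.10.0.3/32"),   # assumed SD-WAN Validator
    ipaddress.ip_network("10.20.50.0/24"),  # assumed admin jump-host subnet
]

# Constructed flow records for illustration, one per line:
# "<timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
2026-02-25T10:01:02Z 10.10.0.1 41522 10.10.1.10 930 tcp
2026-02-25T10:01:05Z 10.20.50.7 52144 10.10.1.10 22 tcp
2026-02-25T10:02:11Z 203.0.113.45 60001 10.10.1.10 930 tcp
2026-02-25T10:02:30Z 198.51.100.9 55012 10.10.1.10 22 tcp
2026-02-25T10:03:00Z 10.10.0.2 44000 10.10.1.10 443 tcp
2026-02-25T10:03:10Z 203.0.113.45 60002 10.10.1.10 443 tcp
"""


def parse_flow(line):
    """Parse one whitespace-separated flow record into a dict.

    Raises ValueError on a malformed line so that bad input is not
    silently skipped during a hunt.
    """
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"malformed flow record: {line!r}")
    ts, src, sport, dst, dport, proto = fields
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "sport": int(sport),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto.lower(),
    }


def is_trusted(addr, trusted=TRUSTED_SOURCES):
    """True if addr (str or ip_address) falls inside any allowlisted network."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return any(addr in net for net in trusted)


def find_untrusted_control_plane_access(lines, trusted=TRUSTED_SOURCES,
                                        ports=CONTROL_PLANE_PORTS):
    """Return the flows that reach a control-plane port from a non-allowlisted source.

    Blank lines and '#' comments are ignored; everything else must parse.
    """
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        flow = parse_flow(raw)
        if (flow["proto"] == "tcp"
                and flow["dport"] in ports
                and not is_trusted(flow["src"], trusted)):
            hits.append(flow)
    return hits


def summarise(hits):
    """Collapse hits to a sorted list of (source, destination port) pairs."""
    return sorted({(str(h["src"]), h["dport"]) for h in hits})


if __name__ == "__main__":
    hits = find_untrusted_control_plane_access(SAMPLE_FLOWS.splitlines())
    for h in hits:
        print(f"{h['ts']} untrusted source {h['src']} -> {h['dst']}:{h['dport']}")
    print("unique offenders:", summarise(hits))
```

With the constructed data the script flags the two external addresses that reached ports 930 and 22, and ignores the same external host's connection to port 443 because that port is outside the scope of the advisory's mitigation. Any hit from a source that is not in your controller inventory is worth treating as a candidate rogue peer and cross-checking against the IOCs in the threat hunting guide.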