Critical Cisco SD-WAN 0-Day Exploited for Root Access in Active Cyberattacks


Cisco has released urgent updates to patch a critical zero-day vulnerability in its Catalyst SD-WAN products.

A highly sophisticated threat actor, known as UAT-8616, is actively exploiting this flaw in the wild to gain deep access to enterprise network edges.

Vulnerability Overview

Vulnerability Details   Information
Vulnerability           Cisco Catalyst SD-WAN Controller Authentication Bypass
Severity                Critical
CVSS Score              Base 10.0
CVE ID                  CVE-2026-20127
Advisory ID             cisco-sa-sdwan-rpa-EHchtZk
Affected Products       Cisco Catalyst SD-WAN Controller & Manager
Workarounds             None available

The vulnerability, tracked as CVE-2026-20127, exists due to a flaw in the peering authentication mechanism.

An unauthenticated, remote attacker can exploit this weakness by sending specially crafted requests to a vulnerable system.

If successful, the attacker bypasses authentication and logs in as an internal, high-privileged user. This allows them to manipulate the entire network fabric configuration through NETCONF access.

Cisco Talos researchers attribute these active attacks to UAT-8616, a highly sophisticated cyber threat actor whose activities date back to at least 2023.

These attackers specifically target network edge devices to establish persistent footholds within critical infrastructure organizations.

Once UAT-8616 gains initial administrative access via the zero-day flaw, they use a multi-step technique to take full control.

First, the attackers intentionally downgrade the device’s software to an older, vulnerable version.

Next, they exploit a second, older vulnerability that the downgrade reintroduces, CVE-2022-20775, which allows a local attacker to elevate privileges to root.

Finally, they upgrade the system back to the original software version to hide their tracks and maintain stealthy root access.

Indicators of Compromise

Security teams must actively hunt for signs of this intrusion. The most critical step is manually validating all control connection peering events in the SD-WAN logs.

When reviewing these events, defenders should verify timestamps against known maintenance schedules and confirm that public IP addresses belong to authorized infrastructure.

Key indicators of compromise include:

  • Log entries in auth.log showing “Accepted publickey for vmanage-admin” from unknown IP addresses.
  • Unauthorized SSH keys added to the /home/root/.ssh/authorized_keys file.
  • Abnormally small log files, measuring 0, 1, or 2 bytes, which strongly indicate log tampering.
  • Missing or cleared history files, such as bash_history or cli-history.
  • System logs displaying unapproved software version downgrades accompanied by sudden reboots.
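The checks below turn the indicator list above, together with the downgrade-exploit-upgrade sequence described earlier, into runnable hunting logic. This is an added example, not Cisco's or Talos's tooling: the auth.log and syslog lines, the authorized_keys contents, the file sizes, the IP allowlist and the history-file paths are all constructed for the demo, and the wording of the "software activated" and "system rebooted" messages is an assumption rather than a documented Cisco log format. On a real controller you would feed the functions the actual files (and os.stat sizes) collected from the admin-tech bundle.

```python
import re

# --- Constructed reference data (assumptions for the demo) -----------------
ALLOWED_ADMIN_IPS = {"10.0.0.5", "10.0.0.6"}           # jump hosts allowed to SSH in
KNOWN_KEYS = {                                           # "type blob" of keys ops provisioned
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpsJumpHostKeyExample",
}
EXPECTED_HISTORY = (                                     # paths are an assumption
    "/home/vmanage-admin/.bash_history",
    "/home/vmanage-admin/.cli-history",
)

# --- Constructed sample inputs ----------------------------------------------
AUTH_LOG = """\
Jan 12 03:14:07 vmanage sshd[2231]: Accepted publickey for vmanage-admin from 10.0.0.5 port 51022 ssh2: ED25519 SHA256:aaaa
Jan 12 03:20:41 vmanage sshd[2290]: Accepted password for admin from 10.0.0.6 port 51100 ssh2
Jan 13 22:07:55 vmanage sshd[4412]: Accepted publickey for vmanage-admin from 203.0.113.44 port 40012 ssh2: RSA SHA256:bbbb
"""
AUTHORIZED_KEYS = """\
# provisioned by ops
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpsJumpHostKeyExample ops@jumphost
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDunknownBlob attacker@nowhere
"""
LOG_SIZES = {  # what os.stat(path).st_size would report (constructed)
    "/var/log/auth.log": 48211,
    "/var/log/syslog": 1,
    "/var/log/vmanage-server.log": 0,
}
PRESENT_FILES = {"/home/vmanage-admin/.bash_history"}   # .cli-history is gone
# Activation/reboot message wording below is an assumption, not a documented Cisco format.
SYSLOG = """\
Jan 13 22:10:02 vmanage sysmgr: software activated version 20.12.4
Jan 13 22:30:15 vmanage sysmgr: software activated version 20.6.1
Jan 13 22:31:00 vmanage kernel: system rebooted
Jan 13 23:05:44 vmanage sysmgr: software activated version 20.12.4
Jan 13 23:06:20 vmanage kernel: system rebooted
"""

PUBKEY_RE = re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port")
ACTIVATE_RE = re.compile(r"software activated version (?P<ver>\d+(?:\.\d+)+)")
REBOOT_RE = re.compile(r"\breboot(?:ed)?\b", re.IGNORECASE)


def suspicious_pubkey_logins(log_text, allowlist=frozenset(ALLOWED_ADMIN_IPS), user="vmanage-admin"):
    """Publickey logins as `user` from IPs outside the allowlist -> [(ip, raw line), ...]."""
    hits = []
    for line in log_text.splitlines():
        m = PUBKEY_RE.search(line)
        if m and m.group("user") == user and m.group("ip") not in allowlist:
            hits.append((m.group("ip"), line))
    return hits


def unknown_authorized_keys(authorized_keys_text, known=frozenset(KNOWN_KEYS)):
    """Key lines in authorized_keys whose 'type blob' was never provisioned (comments ignored)."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key_id = " ".join(line.split()[:2])   # drop the trailing free-text comment
        if key_id not in known:
            unknown.append(line)
    return unknown


def truncated_logs(sizes, threshold=2):
    """Log files of 0, 1 or 2 bytes: a log that was emptied rather than rotated."""
    return sorted(path for path, size in sizes.items() if size <= threshold)


def missing_history(present_files, expected=EXPECTED_HISTORY):
    """History files that should exist but do not."""
    return [path for path in expected if path not in present_files]


def _vtuple(version):
    return tuple(int(part) for part in version.split("."))


def downgrade_events(syslog_text):
    """Activations to a LOWER version than the one before, and whether a reboot followed
    before the next activation. An upgrade back to the original version is not flagged,
    which is exactly why the downgrade itself is the indicator to keep."""
    events, current, pending = [], None, None
    for line in syslog_text.splitlines():
        m = ACTIVATE_RE.search(line)
        if m:
            new = m.group("ver")
            pending = None
            if current is not None and _vtuple(new) < _vtuple(current):
                pending = {"from": current, "to": new, "rebooted": False}
                events.append(pending)
            current = new
        elif pending is not None and REBOOT_RE.search(line):
            pending["rebooted"] = True
    return events


def hunt():
    """Run every check over the constructed inputs and return the findings."""
    return {
        "pubkey_logins": suspicious_pubkey_logins(AUTH_LOG),
        "unknown_keys": unknown_authorized_keys(AUTHORIZED_KEYS),
        "truncated_logs": truncated_logs(LOG_SIZES),
        "missing_history": missing_history(PRESENT_FILES),
        "downgrades": downgrade_events(SYSLOG),
    }


if __name__ == "__main__":
    for name, finding in hunt().items():
        print(f"{name}: {finding}")
```

Each finding on its own is weak (an operator really may have activated an older image during a rollback), which is why the downgrade check records whether a reboot followed and why the peering-event review against maintenance windows remains the primary step; the value is in several of these firing on the same controller in the same time window.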

There are no temporary workarounds for this critical vulnerability. Cisco strongly urges all organizations using on-premises or cloud-hosted Catalyst SD-WAN systems to update their software immediately.

Administrators should audit their device logs for unusual peering events. If a compromise is suspected, security teams should generate an admin-tech file from the affected controllers and open a critical case with the Cisco Technical Assistance Center.

