Threat actor leveraged Cisco SD-WAN zero-day since 2023 (CVE-2026-20127)


A “highly sophisticated” cyber threat actor has been exploiting a zero-day authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN Controller (formerly vSmart), Cisco has announced today.

The vulnerability was reported by the Australian Signals Directorate’s Australian Cyber Security Centre, which said that once the vulnerability was exploited, “the malicious actors add[ed] a rogue peer, and eventually gain[ed] root access to establish long-term persistence in SD-WANs.”

“This vulnerability exists because the peering authentication mechanism in an affected system is not working properly,” Cisco explained in the accompanying security advisory.

“An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”

In a separate blog post, Cisco’s Talos threat intelligence team tied this exploitation and post-compromise activity to a group they named “UAT-8616”.

“After the discovery of active exploitation of the 0-day in the wild, we were able to find evidence that the malicious activity went back at least three years (2023). Investigation conducted by intelligence partners identified that the actor likely escalated to root user via a software version downgrade. The actor then reportedly exploited CVE-2022-20775 before restoring back to the original software version, effectively allowing them to gain root access,” the team said.

“UAT-8616’s attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors looking to establish persistent footholds into high value organizations including Critical Infrastructure (CI) sectors.”

Investigation and remediation advice

The team has advised customers to check for indicators of CVE-2026-20127 exploitation and for unauthorized peer connections, and they have shared investigative guidance.

Simultaneously, the Australian Cyber Security Centre published mitigation advice and a threat hunt guide.

The US Cybersecurity and Infrastructure Security Agency has also issued an emergency directive “in response to a significant cyber threat targeting federal networks utilizing certain Cisco systems and software.”

The directive orders US federal civilian agencies to, “without delay”:

  • Inventory all Cisco SD-WAN systems in use
  • Collect virtual snapshots and logs of those systems, and patch them
  • Hunt for evidence of compromise
  • Implement measures outlined in Cisco’s Catalyst SD-WAN Hardening Guide.
