Cisco and the NSA are warning enterprises about active exploitation of a previously undisclosed vulnerability in Cisco’s Catalyst SD-WAN Controller that has been ongoing since at least 2023. 

The attacks that NSA and Cisco Talos researchers have observed exploit the vulnerability (CVE-2026-20127) and then gain root user privileges through a separate exploit. Talos researchers attributed the attacks to a threat actor they track as UAT-8616, a designation that classifies the actor as an unattributed or unknown cluster.

“After the discovery of active exploitation of the 0-day in the wild, we were able to find evidence that the malicious activity went back at least three years (2023),” the Talos analysis says. 

“Investigation conducted by intelligence partners identified that the actor likely escalated to root user via a software version downgrade. The actor then reportedly exploited CVE-2022-20775 before restoring back to the original software version, effectively allowing them to gain root access.”

Cisco released software updates on Feb. 25 to fix the vulnerability, which affects both on-premises and cloud deployments of the Catalyst SD-WAN Controller. 

“This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric,” the Cisco advisory says.

Neither Talos nor NSA specified what types of organizations have been targeted with these attacks, or in what geographic locations, but cybersecurity agencies from Australia, Canada, New Zealand, and the UK all collaborated on the advisory with NSA.

“For over a year, malicious actors exploited vulnerabilities in Cisco SD-WANs. Most notably, by leveraging a previously unknown (zero-day) vulnerability, CVE-2026-20127, these actors introduced a malicious rogue peer, gained authenticated access, and established persistent, long-term presence within the compromised SD-WAN networks,” the NSA advisory says. 
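The advisories describe two observable behaviours on the controller side: a rogue peer being introduced into the fabric, and a software version downgrade followed by a restore of the original version once root access had been obtained. The following is an added example (not code from Cisco, Talos or the NSA) of how a defender might screen controller change records for both patterns. The event schema, host names, peer names and version strings are all constructed for illustration and are not Cisco's actual log format or any real release numbers.

```python
"""Screen controller change records for two patterns named in the advisories:
(1) a peer added that is not in the approved peer inventory, and
(2) a software downgrade that is followed, within a short window, by a
restore of the previously running version.

The Event schema and all sample values below are constructed for this
example; they are not Cisco's log format and the versions are not real
releases.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str     # "peer_added" or "version_change"
    host: str     # controller the record came from (constructed names)
    detail: str   # peer identifier for peer_added; running version otherwise


def parse_version(version: str) -> tuple:
    """Turn 'x.y.z' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def find_rogue_peers(events, approved_peers):
    """Return peer_added events whose peer is not in the approved inventory."""
    return [e for e in events
            if e.kind == "peer_added" and e.detail not in approved_peers]


def find_downgrade_restore(events, window=timedelta(hours=24)):
    """Return (host, downgrade_event, restore_event) triples.

    A version_change record carries the version now running on the host, so
    a downgrade is a record whose version is lower than the host's previous
    record. It is flagged only if the previous version is restored within
    `window`, which is the sequence the Talos analysis describes.
    """
    per_host = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "version_change":
            per_host.setdefault(e.host, []).append(e)

    findings = []
    for host, changes in per_host.items():
        for i in range(1, len(changes)):
            prev, cur = changes[i - 1], changes[i]
            if parse_version(cur.detail) >= parse_version(prev.detail):
                continue  # upgrade or no change; not of interest here
            for later in changes[i + 1:]:
                if later.ts - cur.ts > window:
                    break
                if later.detail == prev.detail:
                    findings.append((host, cur, later))
                    break
    return findings


# Constructed sample records: one controller sees an unapproved peer and a
# downgrade/restore cycle; a second controller only performs a normal upgrade.
SAMPLE_EVENTS = [
    Event(datetime(2025, 3, 1, 8, 0), "version_change", "ctrl-1", "5.4.2"),
    Event(datetime(2025, 3, 1, 9, 0), "peer_added", "ctrl-1", "vsmart-02"),
    Event(datetime(2025, 3, 1, 9, 5), "peer_added", "ctrl-1", "peer-unknown-7"),
    Event(datetime(2025, 3, 1, 10, 0), "version_change", "ctrl-1", "5.1.0"),
    Event(datetime(2025, 3, 1, 10, 40), "version_change", "ctrl-1", "5.4.2"),
    Event(datetime(2025, 3, 2, 8, 0), "version_change", "ctrl-2", "5.4.2"),
    Event(datetime(2025, 3, 3, 8, 0), "version_change", "ctrl-2", "5.5.0"),
]
APPROVED_PEERS = {"vsmart-01", "vsmart-02"}  # constructed inventory


def run_checks(events=SAMPLE_EVENTS, approved=APPROVED_PEERS):
    """Run both screens and return their findings in one dictionary."""
    return {
        "rogue_peers": find_rogue_peers(events, approved),
        "downgrade_restore": find_downgrade_restore(events),
    }


if __name__ == "__main__":
    result = run_checks()
    for e in result["rogue_peers"]:
        print(f"{e.ts} {e.host}: unapproved peer {e.detail}")
    for host, down, up in result["downgrade_restore"]:
        print(f"{host}: downgraded to {down.detail} at {down.ts}, "
              f"restored {up.detail} at {up.ts}")
```

The two screens are deliberately independent: a downgrade that is never reversed may be routine maintenance, and an unapproved peer may be an inventory gap, but either one appearing on a controller that also matches the other is the combination the advisories describe and is worth treating as an incident lead.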

Needless to say, this bug should be a high priority for affected organizations, especially given the extra attention from NSA and foreign intelligence and cybersecurity services.