Critical Cisco SD-WAN 0-Day Vulnerability Exploited Since 2023 to Gain Root Access

Cisco has disclosed a critical zero-day vulnerability in its Catalyst SD-WAN products that threat actors have exploited since 2023 to bypass authentication and achieve root access.

Tracked as CVE-2026-20127, the flaw affects core networking components and has prompted urgent patching amid active attacks.

CVE-2026-20127 stems from a flaw in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage).

An unauthenticated remote attacker can send crafted requests to bypass checks, logging in as a high-privileged, non-root internal user account.

This access enables NETCONF manipulation, allowing changes to the entire SD-WAN fabric’s network configuration, such as adding rogue peers or altering routing.

The vulnerability carries a CVSS v3.1 base score of 10.0 (Critical), with attack vector Network, low complexity, no privileges required, and no user interaction needed.

It impacts on-premises deployments and Cisco-hosted SD-WAN Cloud environments, including standard, managed, and FedRAMP setups. Cisco released patches on February 25, 2026, but confirmed no workarounds exist.

Exploitation Timeline

Active exploitation dates back to at least 2023, as uncovered by Cisco Talos while investigating in-the-wild zero-day use. Talos tracks the campaign as UAT-8616, linking it to post-compromise persistence in high-value targets such as critical infrastructure. Attackers added malicious rogue peers to configurations, enabling long-term network access.

Post-bypass, actors reportedly downgraded software versions to exploit CVE-2022-20775, a path-traversal flaw, for root escalation, then restored the originals to evade detection. This chain highlights sophisticated tactics targeting network edge devices for footholds. Incidents reported by intelligence partners confirm compromise of internet-exposed management/control planes.

Cisco Talos attributes attacks to UAT-8616, assessed as a highly sophisticated actor with high confidence. The group focuses on SD-WAN for persistent access in critical sectors, continuing a trend of edge device targeting. No public IOCs are detailed yet, but hunt guides from partners emphasize checking peer configurations and version histories.

Affected and fixed versions:

SD-WAN Controller (vSmart)
  Affected versions: 20.3.1 – 20.14.3, 20.15.1
  Fixed versions: 20.14.4, 20.15.2

SD-WAN Manager (vManage)
  Affected versions: 20.3.1 – 20.14.3, 20.15.1
  Fixed versions: 20.14.4, 20.15.2

Verification involves inventorying exposed ports and auditing NETCONF logs for anomalies. Temporary mitigations include restricting management plane access and monitoring for unauthorized peers.

CISA added CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities Catalog on February 25, 2026. Emergency Directive 26-03 mandates FCEB agencies to inventory SD-WAN systems, patch within 21 days, and hunt for compromise indicators. Australian Cyber Security Centre and Canadian Cyber Centre issued parallel alerts, noting real-world rogue peer additions.

Mitigation Steps

Immediately apply Cisco patches from the advisory.

Inventory all SD-WAN deployments, focusing on internet-facing controllers.

Scan for rogue peers via the CLI (show sdwan omp peers detail) and review active NETCONF sessions.

Enable logging for authentication failures and version changes; reset compromised configs if detected.

Contact Cisco TAC for support and follow Talos hunt guidance.
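The hunt guidance above boils down to two checks: compare the fabric's peer list against a known-good baseline, and look in version-change history for the downgrade-then-restore pattern. The following is an added example, not Cisco or Talos tooling; the peer record fields, the baseline, and the version log are constructed assumptions you would replace with your own controller exports and change records.

```python
"""Hunt helpers for two indicators described in the article: rogue OMP peers
and software version downgrade/restore sequences. Added example, not vendor
tooling. Field names (type, system_ip, site_id, state) are assumed; build the
peer list from your own controller export. Version log entries are
(ISO-8601 timestamp, version) tuples taken from your change records."""

# Constructed baseline: the peers this fabric is supposed to have.
EXPECTED_PEERS = {
    ("vsmart", "10.0.0.1"),
    ("vsmart", "10.0.0.2"),
    ("vmanage", "10.0.0.10"),
}

# Constructed sample of the current peer list; the third entry is unexpected.
CURRENT_PEERS = [
    {"type": "vsmart", "system_ip": "10.0.0.1", "site_id": 100, "state": "up"},
    {"type": "vsmart", "system_ip": "10.0.0.2", "site_id": 100, "state": "up"},
    {"type": "vsmart", "system_ip": "203.0.113.7", "site_id": 999, "state": "up"},
]

# Constructed version history showing a downgrade followed by a restore.
VERSION_LOG = [
    ("2024-03-01T02:00:00", "20.9.3"),
    ("2024-03-01T02:41:00", "20.6.1"),  # downgrade to an older release
    ("2024-03-01T03:15:00", "20.9.3"),  # original version put back
]


def find_rogue_peers(peers, expected):
    """Return every peer whose (type, system_ip) is not in the baseline."""
    return [p for p in peers if (p["type"], p["system_ip"]) not in expected]


def parse_version(v):
    """Turn '20.9.3' into (20, 9, 3) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def find_downgrade_restore(history):
    """Flag each version drop and note whether the earlier version returned
    later, which is the evade-detection pattern described above."""
    events = sorted(history)  # ISO timestamps sort chronologically as strings
    findings = []
    for i in range(1, len(events)):
        prev_ts, prev_v = events[i - 1]
        ts, v = events[i]
        if parse_version(v) < parse_version(prev_v):
            restored = any(parse_version(lv) >= parse_version(prev_v)
                           for _, lv in events[i + 1:])
            findings.append({"downgraded_at": ts, "from": prev_v,
                             "to": v, "restored": restored})
    return findings
```

A peer that is absent from the baseline, or a downgrade that was quietly reversed, is a lead to investigate, not proof of compromise on its own.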

Organizations in critical infrastructure should prioritize checks, as UAT-8616 seeks enduring persistence. Broader adoption of zero-trust for edge devices counters such trends.

The post Critical Cisco SD-WAN 0-Day Vulnerability Exploited Since 2023 to Gain Root Access appeared first on Cyber Security News.

Source: cybersecuritynews.com