Cybersecurity

Cyber: Cisco Sd-wan Zero-day Cve-2026-20127 Exploited Since 2023 For Admin...

2026-02-26 0 views admin
Cyber: Cisco Sd-wan Zero-day Cve-2026-20127 Exploited Since 2023 For Admin...

A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has come under active exploitation in the wild as part of malicious activity that dates back to 2023.

The vulnerability, tracked as CVE-2026-20127 (CVSS score: 10.0), allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on the affected system by sending a crafted request to an affected system.

Successful exploitation of the flaw could allow the adversary to obtain elevated privileges on the system as an internal, high-privileged, non-root user account.

"This vulnerability exists because the peering authentication mechanism in an affected system is not working properly," Cisco said in an advisory, adding the threat actor could leverage the non-root user account to access NETCONF and manipulate network configuration for the SD-WAN fabric.

The shortcoming affects the following deployment types, irrespective of the device configuration -

Cisco credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability. The networking equipment major is tracking the exploitation and subsequent post-compromise activity under the moniker UAT-8616, describing the cluster as a "highly sophisticated cyber threat actor."

The vulnerability has been addressed in the following versions of Cisco Catalyst SD-WAN -

"Cisco Catalyst SD-WAN Controller systems that are exposed to the internet and that have ports exposed to the internet are at risk of exposure to compromise," Cisco warned.

The company has also recommended customers to audit the "/var/log/auth.log" file for entries related to "Accepted publickey for vmanage-admin" from unknown or unauthorized IP addresses. It's also advised to check the IP addresses in the auth.log log file against the configured System IPs that are listed in the Cisco Catalyst SD-WAN Manager web UI (WebUI > Devices > System IP).

According to information released by the ASD-ACSC, UAT-8616 is said to have compromised Cisco SD-WANs since 2023 via the zero-day exploit, allowing it to gain elevated access.

Source: The Hacker News

🏷️ Tags

securityvulnerabilitycveattackthreat

More from Cybersecurity

Cyber: New Chinese Police Use Chatgpt To Smear Japan Pm Takaichi 2026

Cyber: New Chinese Police Use Chatgpt To Smear Japan Pm Takaichi 2026

2026-02-26 0
Cyber: Medical Device Maker Ufp Technologies Warns Of Data Stolen In...

Cyber: Medical Device Maker Ufp Technologies Warns Of Data Stolen In...

2026-02-25 0
Cyber: Critical Flaws In Claude Code Put Developers' Machines At Risk

Cyber: Critical Flaws In Claude Code Put Developers' Machines At Risk

2026-02-25 0
Cyber: Fake Next.js Job Interview Tests Backdoor Developer's Devices

Cyber: Fake Next.js Job Interview Tests Backdoor Developer's Devices

2026-02-25 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views