Cyber: Critical Cisco SD-WAN Bug Exploited in Zero-Day Attacks Since 2023
Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add malicious rogue peers to targeted networks.
CVE-2026-20127 has a maximum severity of 10.0 and impacts Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-prem and SD-WAN Cloud installations.
Cisco credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) for reporting the vulnerability.
In an advisory published today, Cisco said the issue stems from a peering authentication mechanism that "is not working properly."
"This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system," reads the Cisco CVE-2026-20127 advisory.
"A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric."
Cisco Catalyst SD-WAN is a software-based networking platform that connects branch offices, data centers, and cloud environments through a centrally managed system. It uses a controller to securely route traffic between sites over encrypted connections.
By adding a rogue peer, an attacker can insert a malicious device into the SD-WAN environment that appears legitimate. That device could then establish encrypted connections and advertise networks under the attacker's control, potentially allowing them to move deeper into the organization's network.
A separate advisory from Cisco Talos confirms the flaw was actively exploited in attacks; Talos tracks the malicious activity as "UAT-8616" and assesses with high confidence that it was conducted by a highly sophisticated threat actor.
Talos reports that its telemetry shows exploitation dating back to at least 2023. Intelligence partners state that the threat actor likely escalated to root by downgrading the device to an older software version, exploiting CVE-2022-20775 to gain root access, and then restoring the original firmware version.
Source: BleepingComputer