A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has come under active exploitation in the wild as part of malicious activity that dates back to 2023.
The vulnerability, tracked as CVE-2026-20127 (CVSS score: 10.0), allows an unauthenticated remote attacker to bypass authentication and gain administrative privileges on an affected system by sending a crafted request.
Successful exploitation of the flaw could allow the adversary to obtain elevated privileges and log in to the system as an internal, high-privileged, non-root user account.
“This vulnerability exists because the peering authentication mechanism in an affected system is not working properly,” Cisco said in an advisory, adding that the threat actor could leverage the non-root user account to access NETCONF and manipulate network configuration for the SD-WAN fabric.
The shortcoming affects the following deployment types, regardless of device configuration –
- On-Prem Deployment
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud – Cisco Managed
- Cisco Hosted SD-WAN Cloud – FedRAMP Environment
Cisco credited the Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability. The networking equipment major is tracking the exploitation and subsequent post-compromise activity under the moniker UAT-8616, describing the cluster as a “highly sophisticated cyber threat actor.”
The vulnerability has been addressed in the following versions of Cisco Catalyst SD-WAN (affected release – first fixed release) –
- Prior to version 20.9 – Migrate to a fixed release
- Version 20.9 – 20.9.8.2
- Version 20.11 – 20.12.6.1
- Version 20.12.5 – 20.12.5.3
- Version 20.12.6 – 20.12.6.1
- Version 20.13 – 20.15.4.2
- Version 20.14 – 20.15.4.2
- Version 20.15 – 20.15.4.2
- Version 20.16 – 20.18.2.1
- Version 20.18 – 20.18.2.1
“Cisco Catalyst SD-WAN Controller systems that are exposed to the internet and that have ports exposed to the internet are at risk of exposure to compromise,” Cisco warned.
The company has also recommended that customers audit the “/var/log/auth.log” file for entries related to “Accepted publickey for vmanage-admin” from unknown or unauthorized IP addresses. It is also advised to check the IP addresses in the auth.log file against the configured System IPs that are listed in the Cisco Catalyst SD-WAN Manager web UI (WebUI > Devices > System IP).
According to information released by the ASD-ACSC, UAT-8616 is said to have compromised Cisco SD-WANs since 2023 via the zero-day exploit, allowing it to gain elevated access.
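The audit Cisco describes above can be scripted. The following is an added example, not Cisco’s own tooling or anything from the advisory: it parses auth.log lines in the standard OpenSSH “Accepted publickey for USER from IP port PORT” format (an assumption about the log format on the appliance), keeps only logins for vmanage-admin, and flags every source address that is not in the list of configured System IPs. The sample log lines and the System IP list below are constructed for the demonstration.

```python
import re
from ipaddress import ip_address

# Constructed sample lines in OpenSSH's auth.log format; not taken from a real device.
SAMPLE_AUTH_LOG = """\
Feb 20 03:14:07 vmanage sshd[2231]: Accepted publickey for vmanage-admin from 10.10.1.2 port 41232 ssh2: RSA SHA256:kX0
Feb 20 03:14:09 vmanage sshd[2240]: Accepted publickey for vmanage-admin from 10.10.1.3 port 41240 ssh2: RSA SHA256:kX0
Feb 20 03:21:55 vmanage sshd[2312]: Failed password for admin from 203.0.113.9 port 50210 ssh2
Feb 20 03:22:41 vmanage sshd[2330]: Accepted publickey for vmanage-admin from 203.0.113.45 port 50211 ssh2: RSA SHA256:7pQ
Feb 20 04:01:12 vmanage sshd[2401]: Accepted publickey for netadmin from 10.10.1.2 port 41300 ssh2: RSA SHA256:kX0
"""

# Constructed allow-list standing in for the System IPs shown under WebUI > Devices > System IP.
KNOWN_SYSTEM_IPS = ["10.10.1.2", "10.10.1.3"]

# Matches the OpenSSH success line regardless of the timestamp/host prefix in front of it.
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def find_unexpected_logins(log_text, known_system_ips, user="vmanage-admin"):
    """Return accepted public-key logins for `user` whose source IP is not a known System IP.

    Each finding is a dict with the source ip, the client port and the raw log line.
    A source that does not parse as an IP address is also flagged rather than ignored.
    """
    known = {ip_address(ip) for ip in known_system_ips}
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m or m.group("user") != user:
            continue
        try:
            src = ip_address(m.group("ip"))
        except ValueError:
            findings.append({"ip": m.group("ip"), "port": int(m.group("port")), "line": line})
            continue
        if src in known:
            continue
        findings.append({"ip": str(src), "port": int(m.group("port")), "line": line})
    return findings


def summarize(findings):
    """Count flagged logins per source IP, which is what a triage ticket usually needs."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unexpected_logins(SAMPLE_AUTH_LOG, KNOWN_SYSTEM_IPS)
    for ip, n in summarize(hits).items():
        print(f"{n} vmanage-admin login(s) from non-System-IP source {ip}")
    for h in hits:
        print("  ", h["line"])
```

On a real system, replace SAMPLE_AUTH_LOG with the contents of /var/log/auth.log (including rotated copies) and KNOWN_SYSTEM_IPS with the System IPs exported from Manager. An empty result is not proof of absence: the post-compromise steps described later on this page include purging logs under /var/log, so a suspiciously short or gap-filled auth.log is itself a finding.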
“The vulnerability allowed a malicious cyber actor to create a rogue peer joined to the network management plane, or control plane, of an organization’s SD-WAN,” ASD-ACSC said. “The rogue device appears as a new but temporary, actor-controlled SD-WAN component that can conduct trusted actions within the management and control plane.”
After successfully compromising a public-facing application, the attackers were found to leverage the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775 (CVSS score: 7.8), a high-severity privilege escalation bug in the CLI of Cisco SD-WAN Software, and then restoring the software back to the version it was originally running.
Some of the subsequent steps initiated by the threat actor are as follows –
- Created local user accounts that mimicked other local user accounts.
- Added a Secure Shell Protocol (SSH) authorized key for root access and modified SD-WAN-related start-up scripts to customize the environment.
- Used the Network Configuration Protocol (NETCONF) on port 830 and SSH to connect to and between Cisco SD-WAN appliances across the management plane.
- Took steps to clear evidence of the intrusion by purging logs under “/var/log,” command history, and network connection history.
“UAT-8616’s attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors looking to establish persistent footholds into high-value organizations, including Critical Infrastructure (CI) sectors,” Talos said.
The development has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add both CVE-2022-20775 and CVE-2026-20127 to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the fixes within the next 24 hours.
To check for version downgrade and unexpected reboot events, CISA recommends analyzing the following logs –
- /var/volatile/log/vdebug
- /var/log/tmplog/vdebug
- /var/volatile/log/sw_script_synccdb.log
CISA has also issued a new emergency directive, ED 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems, as part of which federal agencies are required to inventory SD-WAN devices, apply updates, and assess potential compromise.
To that end, agencies have been ordered to produce a catalog of all in-scope SD-WAN systems on their networks by February 26, 2026, 11:59 p.m. ET. Additionally, they are required to submit a detailed inventory of all in-scope products and the actions taken by March 5, 2026, 11:59 p.m. ET. Finally, the agencies need to submit the list of all steps taken to harden their environments by March 26, 2026, 11:59 p.m. ET.