
Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Entry

A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has come under active exploitation in the wild as part of malicious activity that dates back to 2023.

The vulnerability, tracked as CVE-2026-20127 (CVSS score: 10.0), allows an unauthenticated remote attacker to bypass authentication and gain administrative privileges on the affected system by sending a crafted request to it.

Successful exploitation of the flaw could allow the adversary to gain elevated privileges on the system as an internal, high-privileged, non-root user account.

“This vulnerability exists because the peering authentication mechanism in an affected system is not working properly,” Cisco said in an advisory, adding that the threat actor could leverage the non-root user account to access NETCONF and manipulate network configuration for the SD-WAN fabric.

The shortcoming affects the following deployment types, regardless of the device configuration –

  • On-Prem Deployment
  • Cisco Hosted SD-WAN Cloud
  • Cisco Hosted SD-WAN Cloud – Cisco Managed
  • Cisco Hosted SD-WAN Cloud – FedRAMP Environment

Cisco credited the Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability. The networking equipment major is tracking the exploitation and subsequent post-compromise activity under the moniker UAT-8616, describing the cluster as a “highly sophisticated cyber threat actor.”


The vulnerability has been addressed in the following versions of Cisco Catalyst SD-WAN –

  • Prior to version 20.9 – Migrate to a fixed release.
  • Version 20.9 – 20.9.8.2 (Estimated release February 27, 2026)
  • Version 20.11 – 20.12.6.1
  • Version 20.12.5 – 20.12.5.3
  • Version 20.12.6 – 20.12.6.1
  • Version 20.13 – 20.15.4.2
  • Version 20.14 – 20.15.4.2
  • Version 20.15 – 20.15.4.2
  • Version 20.16 – 20.18.2.1
  • Version 20.18 – 20.18.2.1

“Cisco Catalyst SD-WAN Controller systems that are exposed to the internet and that have ports exposed to the internet are at risk of exposure to compromise,” Cisco warned.

The company has also recommended that customers audit the “/var/log/auth.log” file for entries related to “Accepted publickey for vmanage-admin” from unknown or unauthorized IP addresses. It is also advised to check the IP addresses in the auth.log file against the configured System IPs listed in the Cisco Catalyst SD-WAN Manager web UI (WebUI > Devices > System IP).
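One way to automate the audit Cisco describes, as an added example that is not from Cisco or from the article: a small Python script that parses sshd “Accepted publickey for vmanage-admin” lines from auth.log and flags any whose source address is not in the System IP list copied from the Manager web UI. The log lines and System IPs below are constructed samples, not data from a real device.

```python
"""Audit sshd auth.log entries for 'Accepted publickey for vmanage-admin'
against the list of configured SD-WAN System IPs."""
import re
import ipaddress

# Matches the sshd success line Cisco advises customers to look for.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\w+)\sfor\s(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)

def parse_accepted_logins(lines):
    """Yield (timestamp, method, user, ip) for every 'Accepted ...' sshd line."""
    for line in lines:
        m = ACCEPT_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("method"), m.group("user"), m.group("ip")

def flag_unexpected_logins(lines, system_ips, user="vmanage-admin"):
    """Return accepted-publickey logins for `user` whose source IP is not a
    configured System IP (the allowlist copied from the Manager web UI)."""
    allowed = {ipaddress.ip_address(ip) for ip in system_ips}
    findings = []
    for ts, method, who, ip in parse_accepted_logins(lines):
        if who != user or method != "publickey":
            continue
        try:
            src = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ts, ip, "unparseable source address"))
            continue
        if src not in allowed:
            findings.append((ts, ip, "source not a configured System IP"))
    return findings

# Constructed sample auth.log lines (not taken from any real device).
SAMPLE_AUTH_LOG = """\
Feb 20 09:14:02 vmanage sshd[2231]: Accepted publickey for vmanage-admin from 10.10.1.12 port 40122 ssh2: RSA SHA256:AAAA
Feb 20 09:15:44 vmanage sshd[2250]: Accepted password for admin from 10.10.1.50 port 40130 ssh2
Feb 20 11:02:17 vmanage sshd[2410]: Accepted publickey for vmanage-admin from 198.51.100.77 port 51002 ssh2: RSA SHA256:BBBB
Feb 20 11:03:05 vmanage sshd[2411]: Failed publickey for vmanage-admin from 198.51.100.77 port 51003 ssh2
""".splitlines()

# Constructed System IPs for the fabric's controllers (WebUI > Devices > System IP).
SAMPLE_SYSTEM_IPS = ["10.10.1.12", "10.10.1.13", "10.10.1.14"]

if __name__ == "__main__":
    for ts, ip, why in flag_unexpected_logins(SAMPLE_AUTH_LOG, SAMPLE_SYSTEM_IPS):
        print(f"{ts}  {ip}  {why}")
```

On a real controller, feed it the lines of /var/log/auth.log and the System IPs exported from the Manager UI; any hit is a login to review, not proof of compromise by itself.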

According to information released by the ASD-ACSC, UAT-8616 is said to have compromised Cisco SD-WANs since 2023 via the zero-day exploit, allowing it to gain elevated access.


“The vulnerability allowed a malicious cyber actor to create a rogue peer joined to the network management plane, or control plane, of an organization’s SD-WAN,” ASD-ACSC said. “The rogue device appears as a new but temporary, actor-controlled SD-WAN component that can conduct trusted actions across the management and control plane.”

After successfully compromising a public-facing application, the attackers were found to leverage the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775 (CVSS score: 7.8), a high-severity privilege escalation bug in the CLI of Cisco SD-WAN Software, before restoring the software back to the version it was originally running.

Some of the subsequent steps initiated by the threat actor are as follows –

  • Created local user accounts that mimicked other local user accounts.
  • Added a Secure Shell Protocol (SSH) authorized key for root access and modified SD-WAN-related start-up scripts to customize the environment.
  • Used Network Configuration Protocol on port 830 (NETCONF) and SSH to connect to/between Cisco SD-WAN appliances across the management plane.
  • Took steps to clear evidence of the intrusion by purging logs under “/var/log,” command history, and network connection history.

“UAT-8616’s attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors looking to establish persistent footholds into high-value organizations, including Critical Infrastructure (CI) sectors,” Talos said.


The development has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add both CVE-2022-20775 and CVE-2026-20127 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply the fixes within the next 24 hours.

To check for version downgrade and unexpected reboot events, CISA recommends examining the following logs –

  • /var/volatile/log/vdebug
  • /var/log/tmplog/vdebug
  • /var/volatile/log/sw_script_synccdb.log

CISA has also issued a new emergency directive, 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems, as part of which federal agencies are required to inventory SD-WAN devices, apply updates, and assess potential compromise.

To that end, agencies have been ordered to produce a catalog of all in-scope SD-WAN systems on their networks by February 26, 2026, 11:59 p.m. ET. Additionally, they are required to submit a detailed inventory of all in-scope products and actions taken by March 5, 2026, 11:59 p.m. ET. Finally, the agencies must submit the list of all steps taken to harden their environments by March 26, 2026, 11:59 p.m. ET.
