Critical Cisco SD-WAN Vulnerability Exposed for Years
Cisco Talos has revealed that a sophisticated cyber threat actor exploited a significant authentication bypass vulnerability in Cisco’s SD-WAN infrastructure, undetected for at least three years. This zero-day attack underscores serious weaknesses within network security frameworks.
An Overview of the Vulnerability
The vulnerability, identified as CVE-2026-20127, carries the highest severity score possible, a CVSS rating of 10.0. It allowed unauthorized remote attackers to gain administrative access, enabling them to introduce malicious rogue peers into enterprise networks. Such a breach poses severe risks, especially for organizations in critical infrastructure sectors, which rely on robust network security.
Talos has linked this exploitation to a group designated as UAT-8616. The group successfully targeted network edge devices, establishing persistent footholds in high-value enterprises. Evidence suggests that the malicious activities associated with this vulnerability have been ongoing since at least 2023.
How Attackers Exploited the Flaw
The vulnerability primarily affects the Cisco Catalyst SD-WAN Controller and the Cisco Catalyst SD-WAN Manager, impacting both on-premises and cloud-hosted deployments. The root of the problem lies in flawed peering authentication mechanisms, which inadequately validated trust relationships when SD-WAN components connected to one another.
Attackers managed to exploit this by sending specially crafted requests that the vulnerable systems accepted as credible. This breach enabled them to log in as high-privileged non-root user accounts, manipulating NETCONF configurations and gaining overarching control of the SD-WAN’s network settings, including routing policies and device authentication.
The Downgrade-Penetrate-Upgrade Technique
The sophistication of the attack chain is notable. Upon gaining initial access via CVE-2026-20127, investigators found that UAT-8616 likely escalated privileges to root level by first downgrading SD-WAN software to earlier versions vulnerable to a previously patched flaw (CVE-2022-20775). This approach allowed attackers to achieve root access without raising alarms, as they later restored the original software version to conceal their activities.
Acknowledgments from Cybersecurity Authorities
The discovery of this vulnerability has been credited to the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC). This agency promptly reported the issue to Cisco, publishing a joint hunt guide that warned organizations about ongoing threats targeting Cisco Catalyst SD-WAN deployments. Their findings provided vital insights into how attackers could introduce rogue peers and secure root access.
Urgent Responses from CISA
The Cybersecurity and Infrastructure Security Agency (CISA) responded by issuing Emergency Directive 26-03, requiring Federal Civilian Executive Branch agencies to take immediate action. By 5 PM ET on a specified date, agencies were required to inventory their Cisco SD-WAN systems, collect forensic artifacts, maintain external log storage, apply necessary updates, and assess potential compromises. The directive emphasized the immediate threat these vulnerabilities pose to federal networks.
CISA has also included both CVE-2026-20127 and CVE-2022-20775 in its Known Exploited Vulnerabilities catalog, indicating the urgency for organizations to take action. Simultaneously, the UK’s National Cyber Security Centre issued warnings advising organizations to swiftly check for potential vulnerabilities and malicious activities.
Identifying Indicators of Compromise
Talos identified several high-fidelity indicators of potential compromise by UAT-8616. These include the unusual creation, usage, and deletion of user accounts, a lack of user interaction history, unaccounted-for SSH keys, and even signs of log tampering. Most critically, any unexpected peering event, especially from unverified sources, may indicate attempted exploitation.
Organizations using Cisco Catalyst SD-WAN should closely monitor their logs for control connection peering events, as these can signal attempts to compromise their systems. The focus should not only be on external threats but also on internal mechanisms to ensure the integrity and security of network operations.
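As an added example (not code from Talos, Cisco or the article), the script below screens a constructed, simplified controller audit log for the indicator classes listed above: short-lived accounts, unaccounted-for SSH keys, peering from unverified sources, and the downgrade-then-restore software version pattern described earlier. The log line layout, event names, peer allowlist and key fingerprints are all assumptions, not Cisco's real formats.

```python
from datetime import datetime, timedelta

# Assumed baselines (not from the article): peers you provisioned yourself and
# SSH key fingerprints taken from your own key inventory.
KNOWN_PEERS = {"10.0.1.10", "10.0.1.11"}
KNOWN_SSH_KEYS = {"SHA256:ops-team-key-1"}

# Constructed sample audit log. The "<ISO time> <EVENT> key=value ..." layout
# is invented for this example and is not Cisco's real log format.
SAMPLE_LOG = """\
2026-02-19T23:00:00 SW_VERSION version=20.9.4
2026-02-20T01:02:03 USER_CREATE user=svc-netops by=admin
2026-02-20T01:05:10 PEER_CONNECT peer=198.51.100.7 site=0 result=accepted
2026-02-20T01:07:44 SSH_KEY_ADD user=svc-netops fp=SHA256:unknown-key-9
2026-02-20T01:20:00 SW_VERSION version=20.6.1
2026-02-20T02:10:00 SW_VERSION version=20.9.4
2026-02-20T02:30:00 USER_DELETE user=svc-netops by=svc-netops
2026-02-20T09:00:00 PEER_CONNECT peer=10.0.1.10 site=100 result=accepted
"""

def parse(line):
    """Split one log line into (timestamp, event name, field dict)."""
    ts, event, *kv = line.split()
    return datetime.fromisoformat(ts), event, dict(p.split("=", 1) for p in kv)

def find_indicators(log_text, max_account_life=timedelta(hours=24)):
    """Return (indicator, detail) pairs for the IoC classes the article names."""
    findings, created, versions = [], {}, []
    for ts, event, f in (parse(l) for l in log_text.splitlines() if l.strip()):
        if event == "USER_CREATE":
            created[f["user"]] = ts
        elif event == "USER_DELETE":
            # Account created and removed within a day: the create/use/delete pattern
            born = created.get(f["user"])
            if born is not None and ts - born <= max_account_life:
                findings.append(("short_lived_account", f["user"]))
        elif event == "PEER_CONNECT" and f["peer"] not in KNOWN_PEERS:
            findings.append(("unverified_peer", f["peer"]))
        elif event == "SSH_KEY_ADD" and f["fp"] not in KNOWN_SSH_KEYS:
            findings.append(("unaccounted_ssh_key", f["fp"]))
        elif event == "SW_VERSION":
            versions.append(f["version"])
    # Software downgrade later followed by a return to the earlier (or newer) release
    vs = [tuple(int(x) for x in v.split(".")) for v in versions]
    for i in range(1, len(vs)):
        if vs[i] < vs[i - 1] and any(v >= vs[i - 1] for v in vs[i + 1:]):
            findings.append(("downgrade_then_restore", versions[i]))
    return findings
```

Run against real collector output only after adapting `parse` to your own log format; the allowlists are the part that gives each finding its fidelity.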
Final Thoughts for Organizations
Researchers have called attention to the trend of cybercriminals targeting network infrastructure devices, recognizing that control over these systems can offer significant operational leverage. The compromise of SD-WAN controllers, which manage critical routing and policy enforcement, significantly endangers network security worldwide.
This incident highlights the importance of not exposing SD-WAN management interfaces to the internet, as publicly reachable interfaces face the highest risk of compromise. Ongoing vigilance, adherence to Cisco’s hardening guidelines, and regular audits are crucial in safeguarding against these advanced threats. Organizations should also carry out thorough compromise assessments using the guidance provided by cybersecurity authorities.
In light of this security breach, it’s essential for companies to stay informed about the latest threats and take proactive measures to protect their systems.