
Cisco SD-WAN Zero-Day Under Active Exploitation Grants Attackers Root-Level Control

Cisco has disclosed a critical zero-day vulnerability in its Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage), actively exploited by sophisticated threat actors since at least 2023 to bypass authentication and seize root-level control.

Vulnerability Overview

Tracked as CVE-2026-20127 (Advisory ID: cisco-sa-sdwan-rpa-EHchtZk), this flaw stems from improper peering authentication (CWE-287).

An unauthenticated remote attacker can send crafted requests to bypass controls, logging in as a high-privileged, non-root internal user.

From there, attackers access NETCONF to manipulate SD-WAN fabric configurations, disrupting networks or enabling persistence.

Cisco Talos reports exploitation clustered as “UAT-8616,” attributing it with high confidence to a sophisticated cyber threat actor targeting network edge devices.

Evidence shows activity dating back to 2023, predating public disclosure on February 25, 2026 (Version 1.0, Final).

| Attribute | Details |
| --- | --- |
| CVE ID | CVE-2026-20127 |
| CVSS 3.1 Base Score | 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) |
| Cisco Bug ID | CSCws52722 |
| Affected Products | Cisco Catalyst SD-WAN Controller (vSmart), Catalyst SD-WAN Manager (vManage) |

After the initial authentication bypass via CVE-2026-20127, UAT-8616 escalates privileges by downgrading the software version, exploiting CVE-2022-20775 for root access, and then restoring the original version to evade detection.

Intelligence partners, including the ACSC, detailed this in a hunt guide, confirming persistent footholds in critical infrastructure (CI) sectors.

This aligns with trends in edge device targeting, where actors establish long-term access for data exfiltration, lateral movement, or command-and-control (C2).

Talos notes unauthorized peering connections as a hallmark, often from anomalous IPs or at odd hours.

Detection Indicators (IOCs)

Monitor Cisco SD-WAN logs for these red flags:

  • Unauthorized control connection peering events, especially vManage types.
  • Peering from unrecognized IP addresses or inconsistent device types.
  • Unexpected software downgrades or CVE-2022-20775 traces.
  • Anomalous NETCONF access or fabric configuration changes.

Legitimate peering requires manual validation; superficially normal events may mask compromise.
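As an added illustration (not code from the article, Talos or Cisco), the following hunt script applies the four indicators above to constructed peering, version and NETCONF events. The event schema, the controller inventory in KNOWN_PEERS and all sample values are assumptions for the example, not Cisco's real log format.

```python
from dataclasses import dataclass

@dataclass
class Event:
    ts: str              # timestamp
    kind: str            # "peering", "version" or "netconf" (assumed schema)
    host: str            # controller that logged the event
    peer_ip: str = ""
    peer_type: str = ""  # device type the peer claims to be
    detail: str = ""     # software version for "version" events

# Constructed inventory of expected controller peers (assumption for the example).
KNOWN_PEERS = {"10.0.0.10": "vmanage", "10.0.0.11": "vsmart", "10.0.0.12": "vbond"}

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def hunt(events):
    findings, last_version, downgraded = [], {}, set()
    for e in events:
        if e.kind == "peering":
            expected = KNOWN_PEERS.get(e.peer_ip)
            if expected is None:  # peer IP is not in the inventory at all
                findings.append((e.ts, "unrecognized-peer", f"{e.peer_ip} claiming {e.peer_type} to {e.host}"))
            elif expected != e.peer_type:  # inventory says this IP is a different device type
                findings.append((e.ts, "device-type-mismatch", f"{e.peer_ip} is {expected}, claimed {e.peer_type}"))
        elif e.kind == "version":
            prev = last_version.get(e.host)
            if prev and version_tuple(e.detail) < version_tuple(prev):
                findings.append((e.ts, "software-downgrade", f"{e.host}: {prev} -> {e.detail}"))
                downgraded.add(e.host)
            elif prev and e.host in downgraded and version_tuple(e.detail) > version_tuple(prev):
                findings.append((e.ts, "version-restored-after-downgrade", f"{e.host}: {prev} -> {e.detail}"))
            last_version[e.host] = e.detail
        elif e.kind == "netconf" and e.peer_ip not in KNOWN_PEERS:
            findings.append((e.ts, "anomalous-netconf", f"{e.peer_ip} changed config on {e.host}"))
    return findings

# Constructed sample events (not real telemetry): one legitimate peering, then a
# peering from an unknown address, a downgrade, a NETCONF change and a restore.
SAMPLE_EVENTS = [
    Event("2026-02-19T09:00Z", "peering", "vsmart1", "10.0.0.10", "vmanage"),
    Event("2026-02-20T03:12Z", "peering", "vsmart1", "203.0.113.7", "vmanage"),
    Event("2026-02-20T03:15Z", "version", "vsmart1", detail="20.9.1"),
    Event("2026-02-20T03:20Z", "version", "vsmart1", detail="20.6.1"),
    Event("2026-02-20T03:40Z", "netconf", "vsmart1", "203.0.113.7"),
    Event("2026-02-20T03:55Z", "version", "vsmart1", detail="20.9.1"),
]
```

Calling hunt(SAMPLE_EVENTS) returns four findings in event order: the unrecognized peer, the downgrade, the NETCONF change from that peer, and the version restore that followed the downgrade.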

With a perfect 10.0 CVSS score, exploitation grants scope-changing administrative control over SD-WAN overlays, affecting VPNs, routing, and segmentation.

High-value targets such as CI operators face supply chain risk, since a compromised SD-WAN fabric can enable ransomware deployment or espionage. No workarounds exist, but Cisco's patches address the root cause.

  1. Apply Patches Immediately: Upgrade to the fixed releases listed in Cisco's advisory. Verify via TAC support.
  2. Audit Logs: Review peering events retrospectively to 2023; hunt for UAT-8616 patterns using the ACSC Hunt Guide.
  3. Network Segmentation: Isolate controllers; enforce strict peering validation.
  4. Monitoring Enhancements: Deploy SIEM rules for anomalous authentications and version changes.
  5. Incident Response: If compromised, isolate systems, rotate credentials, and engage forensics.

Talos urges SD-WAN users to prioritize these steps, emphasizing proactive hunts.

Organizations relying on Cisco SD-WAN must act swiftly amid rising edge device attacks. This zero-day underscores the need for continuous vulnerability management in enterprise networks.

The post Cisco SD-WAN Zero-Day Under Active Exploitation Grants Attackers Root-Level Control appeared first on Cyber Security News.