Security researcher zerozenxlabs released the code on GitHub yesterday, including Python scripts and JSP webshells targeting pre-authentication remote code execution (RCE).
This comes weeks after Cisco’s February 25, 2026, disclosure of active exploitation dating back to 2023.
CVE-2026-20127 stems from a flawed peering authentication mechanism in Cisco Catalyst SD-WAN Controller (ex-vSmart) and SD-WAN Manager (ex-vManage), earning a perfect CVSS 3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
An unauthenticated attacker sends crafted requests to bypass login entirely, gaining highly privileged non-root access.
From there, attackers use NETCONF on port 830 to read and alter SD-WAN fabric configurations, injecting rogue peers into the management or control planes.
Affected versions span 20.6 to 20.18.x, excluding fixed releases such as 20.9.8.2 and 20.18.2.1.
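A version string alone does not tell an operator whether a given controller is patched; it has to be compared against the fixed release of its own train. The following is an added example, not code from Cisco or the article: a version checker that encodes only what the article states (trains 20.6 through 20.18 affected, 20.9.8.2 and 20.18.2.1 as fixed releases). Because the article gives those two as examples rather than the full list, the table is deliberately incomplete and the checker reports an affected train with no table entry separately instead of guessing. The sample inventory is constructed.

```python
"""Assess Catalyst SD-WAN Manager/Controller versions against the range
quoted in the article for CVE-2026-20127.

Added example (not from Cisco or the article). The FIXED table holds only
the two fixed releases named in the article; consult the Cisco advisory
for the remaining trains before treating any of them as patched.
"""

# Affected minor trains of the 20.x line per the article: 20.6 .. 20.18.
AFFECTED_TRAINS = range(6, 19)

# First fixed release per train, as named in the article (incomplete).
FIXED = {
    (20, 9): (20, 9, 8, 2),
    (20, 18): (20, 18, 2, 1),
}


def parse_version(version: str) -> tuple:
    """'20.9.8.2' -> (20, 9, 8, 2); rejects anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def version_at_least(candidate: tuple, floor: tuple) -> bool:
    """Compare numerically, padding with zeros so 20.9.8 reads as 20.9.8.0."""
    width = max(len(candidate), len(floor))

    def pad(t: tuple) -> tuple:
        return t + (0,) * (width - len(t))

    return pad(candidate) >= pad(floor)


def assess(version: str) -> str:
    """Classify one version string.

    Returns 'outside-stated-range' (not in 20.6..20.18 as the article
    states it), 'fixed', 'vulnerable', or 'affected-train-no-fix-in-table'
    when the train is affected but this table has no fixed release for it.
    """
    v = parse_version(version)
    if len(v) < 2 or v[0] != 20 or v[1] not in AFFECTED_TRAINS:
        return "outside-stated-range"
    fixed = FIXED.get((v[0], v[1]))
    if fixed is None:
        return "affected-train-no-fix-in-table"
    return "fixed" if version_at_least(v, fixed) else "vulnerable"


def assess_inventory(inventory: dict) -> dict:
    """Map hostname -> verdict for a {hostname: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "vmanage-a": "20.9.8.2",
        "vmanage-b": "20.9.8.1",
        "vsmart-1": "20.18.1.1",
        "vsmart-2": "20.12.4",
        "lab-old": "20.3.7",
    }
    for host, verdict in assess_inventory(sample).items():
        print(f"{host:10s} {sample[host]:10s} {verdict}")
```

Treat 'affected-train-no-fix-in-table' as work to do, not as a pass: it means the host runs an affected train and the table has nothing to compare against, so the advisory's fixed-release list has to be checked for that train.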
Cisco Talos attributes the exploitation to UAT-8616, a sophisticated actor active since 2023, first flagged by Australian officials.
After the bypass, attackers downgrade the software through the built-in update mechanism to exploit CVE-2022-20775 for root escalation, then restore the original version to evade detection.
They add SSH keys, mimic legit users, purge logs in /var/log, clear histories, and pivot via NETCONF/SSH across the fabric.
CISA added it to its Known Exploited Vulnerabilities catalog on February 25, mandating federal fixes by February 27 under Emergency Directive 26-03.
The zerozenxlabs repo features cisco-sdwan.py for exploitation, cmd.jsp/cmd.war for webshell deployment, and a README warning of educational use only on owned systems.
It demonstrates rogue peer creation and admin takeover, mirroring the tactics seen in the wild. Updated yesterday, the code risks accelerating copycat attacks on exposed controllers.
Cisco urges immediate patching to fixed releases and, where possible, disabling unused peering. Hunt for signs such as suspicious accounts, emptied logs, or software-downgrade artifacts, and isolate exposed instances.
With the PoC public, unpatched SD-WAN controllers face imminent threats from nation-state actors and opportunists alike. Organizations must audit internet-facing deployments now.
Read the Cisco advisory (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk) and the CISA guidance.
The post PoC Exploit Released for Cisco SD-WAN 0-Day Vulnerability Actively Exploited in the Wild appeared first on Cyber Security News.