Key Findings:

• A critical Cisco SD-WAN vulnerability, tracked as CVE-2026-20127 (CVSS score of 10.0), has been actively exploited since 2023 to gain remote, unauthenticated administrative access.

• The vulnerability allows an attacker to bypass authentication and gain full administrative access to affected Cisco Catalyst SD-WAN Controller and Manager systems.

• Exploited environments include on-premises, Cisco Hosted SD-WAN Cloud, and FedRAMP Cisco Hosted SD-WAN Cloud deployments.

• Cisco credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC) for reporting the issue and is tracking related exploitation under the name UAT-8616, describing the actor as highly sophisticated.

• Patched releases include versions 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, and 20.18.2.1. Customers running versions prior to 20.9.1 are advised to migrate to a patched release.

• Cisco Talos tracks the exploitation as UAT-8616, a highly sophisticated threat actor active since at least 2023, who likely downgraded software to escalate privileges to root and then restored the original version to maintain stealthy access.

Background

The critical Cisco SD-WAN vulnerability, CVE-2026-20127, has been under active exploitation by a highly sophisticated threat actor since 2023. The flaw allows remote, unauthenticated attackers to bypass authentication and gain full administrative access to affected Cisco Catalyst SD-WAN Controller and Manager systems.

Impact

The vulnerability impacts all Cisco Catalyst SD-WAN deployments, including on-premises, Cisco Hosted SD-WAN Cloud, and FedRAMP Cisco Hosted SD-WAN Cloud environments. Successful exploitation could allow an attacker to access NETCONF and manipulate the network configuration for the SD-WAN fabric.

Exploitation

Cisco Talos tracks the exploitation as UAT-8616, a highly sophisticated threat actor active since at least 2023. Investigators found the group likely downgraded software to escalate privileges to root, exploited CVE-2022-20775, and then restored the original version to maintain stealthy root access.

Mitigation

Cisco has released patched versions, including 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, and 20.18.2.1. Customers running versions prior to 20.9.1 are advised to migrate to a patched release. Temporary workarounds, such as restricting ports 22 and 830, may help but upgrading is strongly recommended.

Conclusion

The campaign highlights the ongoing targeting of network edge devices to gain persistent access to high-value and critical infrastructure organizations. Customers are urged to apply the security updates immediately to address the critical vulnerability.

Sources

• https://securityaffairs.com/188540/security/hackers-abused-cisco-sd-wan-zero-day-since-2023-to-gain-full-admin-control.html

• https://cyberscoop.com/cisco-zero-days-cisa-emergency-directive-five-eyes/

• https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html

• https://ground.news/article/critical-cisco-sd-wan-bug-exploited-in-zero-day-attacks-since-2023