Critical Cisco SD-WAN Zero-Day Exploited Since 2023, Enabling Root Access
Cisco has disclosed a critical zero-day vulnerability (CVE-2026-20127) in its Catalyst SD-WAN products, actively exploited since at least 2023 to bypass authentication and gain root-level access. The flaw, rated 10.0 on the CVSS scale, affects the peering authentication mechanism in Cisco Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage), allowing unauthenticated attackers to log in as high-privileged users and manipulate network configurations via NETCONF.
Exploitation enables attackers to add rogue peers, alter routing, or downgrade software to chain attacks such as leveraging CVE-2022-20775 for root escalation before restoring original versions to evade detection. Cisco Talos attributes the campaign (tracked as UAT-8616) to a sophisticated threat actor targeting critical infrastructure, with confirmed compromises of internet-exposed management planes.
Patches were released on February 25, 2026, for affected versions (20.3.1–20.14.3, 20.15.1), with no workarounds available. CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog the same day, issuing Emergency Directive 26-03 for federal agencies to patch within 21 days and hunt for indicators of compromise. Global cybersecurity agencies, including Australia’s ACSC and Canada’s CCCS, issued parallel alerts, citing real-world incidents involving rogue peer additions.
Organizations are advised to inventory SD-WAN deployments, audit NETCONF logs, and restrict management plane access. Cisco’s guidance includes CLI checks for unauthorized peers and resetting compromised configurations. The incident underscores persistent threats to edge devices in critical sectors.
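The advisory summarised above recommends auditing NETCONF logs and checking for unauthorized peers, and it describes a downgrade-then-restore pattern used to evade detection. The following is an added example, not code from Cisco or from the original article, showing how a defender might turn those three indicators into a hunt over audit records. Everything in it is constructed: the key=value log format is hypothetical (it is not Cisco's real NETCONF audit format), and the approved-peer baseline and management subnet are assumed values a real deployment would take from its own inventory.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample audit lines in a hypothetical key=value format.
# Not Cisco's real NETCONF audit format; used only to exercise the hunt logic.
SAMPLE_LOG = """\
2026-01-10T02:14:05Z vmanage01 netconf-audit user=admin src=203.0.113.50 action=peer-add peer_type=vsmart peer_addr=10.0.0.11
2026-01-10T02:15:40Z vmanage01 netconf-audit user=admin src=203.0.113.50 action=peer-add peer_type=vsmart peer_addr=198.51.100.77
2026-01-10T02:20:12Z vmanage01 netconf-audit user=admin src=203.0.113.50 action=version-change from=20.12.4 to=20.9.1
2026-01-10T03:05:33Z vmanage01 netconf-audit user=admin src=203.0.113.50 action=version-change from=20.9.1 to=20.12.4
2026-02-01T09:00:00Z vmanage01 netconf-audit user=netops src=10.10.5.5 action=version-change from=20.12.4 to=20.12.5
"""

# Assumed baseline: the approved controller peers and the management subnet
# from which NETCONF sessions are expected. A real one comes from inventory.
APPROVED_PEERS = {("vsmart", "10.0.0.11"), ("vsmart", "10.0.0.12"), ("vbond", "10.0.0.21")}
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/16")]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) netconf-audit (?P<kv>.+)$")


def parse_log(text):
    """Parse the constructed audit lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = dict(part.split("=", 1) for part in m["kv"].split())
        ev["ts"] = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        ev["host"] = m["host"]
        events.append(ev)
    return events


def version_key(version):
    """Turn '20.12.4' into (20, 12, 4) so versions compare numerically."""
    return tuple(int(p) for p in version.split("."))


def find_rogue_peers(events, approved=APPROVED_PEERS):
    """Peers added via NETCONF that are absent from the approved baseline."""
    return [(e["peer_type"], e["peer_addr"]) for e in events
            if e.get("action") == "peer-add"
            and (e["peer_type"], e["peer_addr"]) not in approved]


def find_out_of_policy_sources(events, nets=MANAGEMENT_NETS):
    """Source addresses of NETCONF sessions that fall outside the management subnet(s)."""
    bad = set()
    for e in events:
        src = ipaddress.ip_address(e["src"])
        if not any(src in net for net in nets):
            bad.add(e["src"])
    return sorted(bad)


def find_downgrade_restore(events, window=timedelta(hours=24)):
    """A version downgrade followed within `window` by a restore to the original version.

    This is the downgrade-then-restore sequence the advisory describes; a lone
    downgrade or a plain upgrade is not reported.
    """
    changes = sorted((e for e in events if e.get("action") == "version-change"),
                     key=lambda e: e["ts"])
    findings = []
    for i, down in enumerate(changes):
        if version_key(down["to"]) >= version_key(down["from"]):
            continue  # not a downgrade
        for later in changes[i + 1:]:
            if later["ts"] - down["ts"] > window:
                break
            if later["from"] == down["to"] and later["to"] == down["from"]:
                findings.append({"downgraded_at": down["ts"], "from": down["from"],
                                 "to": down["to"], "restored_at": later["ts"]})
                break
    return findings


def hunt(text=SAMPLE_LOG):
    """Run all three checks over one log and return the findings keyed by check."""
    events = parse_log(text)
    return {
        "rogue_peers": find_rogue_peers(events),
        "out_of_policy_sources": find_out_of_policy_sources(events),
        "downgrade_restore": find_downgrade_restore(events),
    }


if __name__ == "__main__":
    for name, result in hunt().items():
        print(f"{name}: {result}")
```

On the constructed sample the hunt reports one peer outside the baseline, one session source outside the management subnet, and one downgrade that was reverted within the hour. Each check is independent, so the same functions can be pointed at whatever event stream a deployment actually exports once the parser is swapped for one that understands its real log format.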
Source: https://cybersecuritynews.com/cisco-sd-wan-0-day-vulnerability/
Cisco cybersecurity rating report: https://www.rankiteo.com/company/cisco
"id": "CIS1772072640",
"linkid": "cisco",
"type": "Vulnerability",
"date": "1/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Critical infrastructure '
'sectors, organizations with '
'internet-exposed management '
'planes',
'industry': 'Technology',
'location': 'Global',
'name': 'Cisco',
'type': 'Technology/Networking'}],
'attack_vector': 'Peering authentication mechanism bypass via NETCONF',
'date_detected': '2023',
'date_publicly_disclosed': '2026-02-25',
'description': 'Cisco has disclosed a critical zero-day vulnerability '
'(CVE-2026-20127) in its Catalyst SD-WAN products, actively '
'exploited since at least 2023 to bypass authentication and '
'gain root-level access. The flaw affects the peering '
'authentication mechanism in Cisco Catalyst SD-WAN Controller '
'(formerly vSmart) and SD-WAN Manager (formerly vManage), '
'allowing unauthenticated attackers to log in as '
'high-privileged users and manipulate network configurations '
'via NETCONF. Exploitation enables attackers to add rogue '
'peers, alter routing, or downgrade software to chain attacks '
'such as leveraging CVE-2022-20775 for root escalation before '
'restoring original versions to evade detection.',
'impact': {'operational_impact': 'Network configuration manipulation, rogue '
'peer additions, routing alterations',
'systems_affected': 'Cisco Catalyst SD-WAN Controller (vSmart), '
'SD-WAN Manager (vManage)'},
'initial_access_broker': {'backdoors_established': 'Rogue peers, software '
'downgrades',
'entry_point': 'Internet-exposed management planes',
'high_value_targets': 'Critical infrastructure '
'sectors'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Persistent threats to edge devices in critical sectors, '
'importance of restricting management plane access, need '
'for proactive auditing of NETCONF logs',
'motivation': 'Root-level access, network manipulation, critical '
'infrastructure targeting',
'post_incident_analysis': {'corrective_actions': 'Patches, CLI checks for '
'unauthorized peers, '
'resetting compromised '
'configurations, enhanced '
'monitoring',
'root_causes': 'Zero-day vulnerability '
'(CVE-2026-20127) in peering '
'authentication mechanism, lack of '
'management plane access '
'restrictions'},
'recommendations': 'Inventory SD-WAN deployments, apply patches immediately, '
'audit NETCONF logs, restrict management plane access, '
'reset compromised configurations, monitor for indicators '
'of compromise',
'references': [{'source': 'Cisco Security Advisory'},
{'source': 'CISA Emergency Directive 26-03'},
{'source': 'Australia’s ACSC Alert'},
{'source': 'Canada’s CCCS Alert'}],
'regulatory_compliance': {'regulatory_notifications': 'CISA Known Exploited '
'Vulnerabilities '
'Catalog, Emergency '
'Directive 26-03'},
'response': {'communication_strategy': 'Public disclosure, CISA Emergency '
'Directive 26-03, global cybersecurity '
'agency alerts (ACSC, CCCS)',
'containment_measures': 'Patches released, CLI checks for '
'unauthorized peers, resetting '
'compromised configurations',
'enhanced_monitoring': 'Audit NETCONF logs, hunt for indicators '
'of compromise',
'remediation_measures': 'Patches for affected versions '
'(20.3.1–20.14.3, 20.15.1), inventory '
'SD-WAN deployments, audit NETCONF logs, '
'restrict management plane access'},
'stakeholder_advisories': 'CISA Emergency Directive 26-03, global '
'cybersecurity agency alerts (ACSC, CCCS)',
'threat_actor': 'UAT-8616 (sophisticated threat actor targeting critical '
'infrastructure)',
'title': 'Critical Cisco SD-WAN Zero-Day Exploited Since 2023, Enabling Root '
'Access',
'type': 'Zero-Day Exploitation',
'vulnerability_exploited': 'CVE-2026-20127 (CVSS 10.0)'}