Cisco: ALERT! Five Eyes nations release emergency directive over critical – and exploited – Cisco Catalyst SD-WAN Controller vulnerability

Critical Cisco SD-WAN Vulnerability Exploited by Sophisticated Threat Actor

Australia’s Cyber Security Centre (ACSC), alongside its Five Eyes partners, has issued an emergency directive warning of a severe authentication bypass vulnerability in Cisco’s SD-WAN systems. Tracked as CVE-2026-20127 (disclosed on 25 February), the flaw carries a perfect CVSS score of 10 and affects the Cisco Catalyst SD-WAN Controller and SD-WAN Manager.

If exploited, the vulnerability allows remote attackers to bypass authentication and gain administrative privileges, enabling them to manipulate network configurations via NETCONF. The ACSC confirmed global exploitation, with threat actors adding rogue peers to establish long-term persistence and escalate to root access in compromised SD-WAN environments.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) emphasized the urgency of mitigation, despite an ongoing government shutdown. Acting Director Dr. Madhu Gottumukkala warned that the flaw’s ease of exploitation demands immediate action, particularly for federal agencies.

Cisco’s threat intelligence unit, Talos, attributed the activity to UAT-8616, a highly sophisticated actor with operations dating back to at least 2023. The group reportedly exploited CVE-2022-20775 via a software version downgrade to escalate privileges before restoring the original version, evading detection. Rapid7’s Douglas McKee noted the actor’s stealthy, targeted approach, which allows persistence in high-value infrastructure without triggering broad alarms.

CISA and partners recommend immediate patching, device inventory checks, forensic snapshots, and full system rebuilds as Cisco advises that patching alone may be insufficient to remove existing intrusions. WatchTowr’s Ryan Dewhurst stressed the need for organizations to hunt for prior compromise, given the actor’s ability to maintain undetected access.

Source: https://www.cyberdaily.au/security/13265-alert-five-eyes-nations-release-emergency-directive-over-critical-and-exploited-cisco-catalyst-sd-wan-controller-vulnerability

Cisco cybersecurity rating report: https://www.rankiteo.com/company/cisco

{
  "id": "CIS1772080050",
  "linkid": "cisco",
  "type": "Vulnerability",
  "date": "2/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "industry": "Networking and Cybersecurity",
      "location": "Global",
      "name": "Cisco",
      "type": "Technology Vendor"
    }
  ],
  "attack_vector": "Remote Exploitation",
  "date_publicly_disclosed": "2026-02-25",
  "description": "Australia’s Cyber Security Centre (ACSC), alongside its Five Eyes partners, has issued an emergency directive warning of a severe authentication bypass vulnerability in Cisco’s SD-WAN systems. The flaw, tracked as CVE-2026-20127, allows remote attackers to bypass authentication and gain administrative privileges, enabling them to manipulate network configurations via NETCONF. The ACSC confirmed global exploitation, with threat actors adding rogue peers to establish long-term persistence and escalate to root access in compromised SD-WAN environments.",
  "impact": {
    "operational_impact": "Manipulation of network configurations, establishment of long-term persistence, escalation to root access",
    "systems_affected": "Cisco Catalyst SD-WAN Controller and SD-WAN Manager"
  },
  "initial_access_broker": {
    "backdoors_established": "Rogue peers added to establish long-term persistence"
  },
  "investigation_status": "Ongoing",
  "post_incident_analysis": {
    "corrective_actions": "Patching, system rebuilds, hunting for prior compromise, enhanced monitoring",
    "root_causes": "Authentication bypass vulnerability (CVE-2026-20127), exploitation via software version downgrade (CVE-2022-20775)"
  },
  "recommendations": "Immediate patching, device inventory checks, forensic snapshots, full system rebuilds, hunt for prior compromise",
  "references": [
    {"source": "Australia’s Cyber Security Centre (ACSC)"},
    {"source": "U.S. Cybersecurity and Infrastructure Security Agency (CISA)"},
    {"source": "Cisco Talos"},
    {"source": "Rapid7 (Douglas McKee)"},
    {"source": "WatchTowr (Ryan Dewhurst)"}
  ],
  "regulatory_compliance": {
    "regulatory_notifications": "Emergency directive issued by ACSC and CISA"
  },
  "response": {
    "containment_measures": "Immediate patching, device inventory checks, forensic snapshots, full system rebuilds",
    "remediation_measures": "Patching, system rebuilds, hunting for prior compromise"
  },
  "stakeholder_advisories": "Emergency directive issued by ACSC and CISA for immediate action, particularly for federal agencies",
  "threat_actor": "UAT-8616",
  "title": "Critical Cisco SD-WAN Vulnerability Exploited by Sophisticated Threat Actor",
  "type": "Authentication Bypass",
  "vulnerability_exploited": "CVE-2026-20127"
}