Cisco SD-WAN Zero-Day Exploited to Add Rogue Peers and Gain Persistent Root Access
Cisco and multiple government cyber agencies warned that attackers are actively exploiting CVE-2026-20127, a critical CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager. The flaw affects the peering authentication process and lets unauthenticated remote attackers gain administrative access, use NETCONF, and alter SD-WAN fabric configuration, including adding malicious rogue peers. Cisco Talos attributed the activity to a sophisticated cluster tracked as UAT-8616, with evidence suggesting exploitation dates back to at least 2023 and has affected high-value targets, including critical infrastructure and government networks.
Investigators said the intrusions often continued with a downgrade of the appliance software to exploit CVE-2022-20775 for root privilege escalation, after which the original version was restored to help conceal the compromise while maintaining persistence. In response, CISA added both CVEs to the Known Exploited Vulnerabilities catalog and issued Emergency Directive 26-03 for U.S. federal civilian agencies, while the UK NCSC, ACSC, Canadian Centre for Cyber Security, and other partners released joint hunting and hardening guidance. Cisco said there are no complete workarounds, urged immediate upgrades to fixed releases, and advised defenders to review peering events, SSH key activity, version history, and logs for signs of tampering or unauthorized access.
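The downgrade-then-restore tradecraft described above leaves a trace in a device's software version history, which is one of the artifacts Cisco asked defenders to review. As an added illustration (not code from Cisco, Talos, or any agency cited here), the script below flags any drop to an older release that is reverted within a configurable window; the record format and sample version strings are constructed for the example, not taken from a real Cisco export.

```python
"""Flag a downgrade that is quickly reverted in a software version history.

Constructed example: each record is (ISO-8601 timestamp, version string),
a format assumed for illustration rather than Cisco's own log layout.
"""
from datetime import datetime, timedelta

# Constructed sample history (not real Cisco data). The brief drop to an older
# release followed by a return to the original version is the pattern of interest.
SAMPLE_HISTORY = [
    ("2026-02-10T08:00:00", "20.12.4"),
    ("2026-02-18T02:13:00", "20.6.3"),   # downgrade
    ("2026-02-18T02:41:00", "20.12.4"),  # restored 28 minutes later
    ("2026-03-01T09:00:00", "20.12.5"),  # ordinary upgrade, not flagged
]


def parse_version(version):
    """Turn a dotted release string such as '20.12.4' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def find_downgrade_restore(history, max_gap_hours=72):
    """Return one finding per downgrade that is reverted within max_gap_hours.

    A rollback that stays on the older release is not flagged; only a dip to an
    older version followed by a return to (at least) the pre-downgrade version,
    which is how the page describes the CVE-2022-20775 escalation step.
    """
    events = sorted((datetime.fromisoformat(ts), ver) for ts, ver in history)
    findings = []
    for i in range(1, len(events)):
        prev_ts, prev_ver = events[i - 1]
        cur_ts, cur_ver = events[i]
        if parse_version(cur_ver) >= parse_version(prev_ver):
            continue  # not a downgrade
        for later_ts, later_ver in events[i + 1:]:
            if later_ts - cur_ts > timedelta(hours=max_gap_hours):
                break  # stayed on the old release too long to match the pattern
            if parse_version(later_ver) >= parse_version(prev_ver):
                findings.append({
                    "downgraded_at": cur_ts.isoformat(),
                    "from_version": prev_ver,
                    "to_version": cur_ver,
                    "restored_at": later_ts.isoformat(),
                    "minutes_on_old_version": int((later_ts - cur_ts).total_seconds() // 60),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in find_downgrade_restore(SAMPLE_HISTORY):
        print(finding)
```

A finding is a starting point for correlation with peering events and SSH key changes in the same window, not proof of compromise on its own.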
Timeline
Mar 5, 2026
Cisco flags two more SD-WAN Manager flaws as exploited
On March 5, 2026, Cisco updated its advisory to state that CVE-2026-20122 and CVE-2026-20128 in Catalyst SD-WAN Manager were also being actively exploited in the wild. Cisco urged customers to upgrade to fixed releases but did not provide detailed attribution or attack-chain information for the new exploitation.
Mar 4, 2026
Third parties report surge in broad exploitation attempts
Public reporting on March 5-9, 2026 cited telemetry showing a major spike in attack attempts on March 4, suggesting exploitation of Cisco SD-WAN flaws had expanded beyond earlier targeted activity. Reports described many unique source IPs, possible web shell deployment, and more internet-wide scanning against exposed systems.
Feb 27, 2026
Cisco plans 20.9.x fix release for unsupported branch gap
CERT-FR reported that while several Cisco Catalyst SD-WAN branches had fixes available on February 25, 2026, the 20.9.x train was scheduled to receive its fix on February 27, 2026. Other end-of-maintenance branches would not receive security patches and required migration to supported versions.
Feb 25, 2026
National cyber agencies issue parallel public alerts
On February 25, 2026, agencies including the Canadian Centre for Cyber Security, France's CERT-FR, Finland's NCSC-FI, and the UK's NCSC published alerts warning of active exploitation of Cisco Catalyst SD-WAN. These notices urged immediate upgrades, compromise hunting, and reduction of internet exposure for management and control planes.
Feb 25, 2026
CISA adds CVE-2026-20127 and CVE-2022-20775 to KEV
CISA added both Cisco SD-WAN vulnerabilities to its Known Exploited Vulnerabilities catalog on February 25, 2026. The KEV update formally recognized active exploitation and set a federal remediation deadline tied to the emergency directive.
Feb 25, 2026
CISA issues Emergency Directive 26-03 for federal agencies
On February 25, 2026, CISA issued ED 26-03, ordering U.S. Federal Civilian Executive Branch agencies to inventory affected Cisco SD-WAN systems, collect forensic artifacts, patch, and assess for compromise. CISA said the ongoing exploitation posed an unacceptable risk to federal networks.
Feb 25, 2026
Five Eyes agencies publish joint hunt and mitigation guidance
CISA, NSA, the UK NCSC, ASD/ACSC, and other partners warned that organizations globally were being targeted through Cisco Catalyst SD-WAN and released a joint threat-hunting guide. The guidance documented observed tactics such as rogue peer creation, persistence, and log tampering, and recommended hardening measures and forensic collection.
Feb 25, 2026
Talos publicly attributes exploitation cluster as UAT-8616
Cisco Talos published analysis tying the in-the-wild exploitation and post-compromise activity to a sophisticated actor cluster it tracks as UAT-8616. Talos also released threat-hunting guidance and said Snort coverage would be made available.
Feb 25, 2026
Cisco discloses CVE-2026-20127 and releases SD-WAN fixes
On February 25, 2026, Cisco published security advisories for critical vulnerabilities in Catalyst SD-WAN Controller and Manager, including CVE-2026-20127, and released fixed software versions. Cisco confirmed the authentication bypass flaw had been exploited in the wild and said there were no complete workarounds.
Dec 1, 2025
Australian authorities report Cisco SD-WAN zero-day to Cisco
Australia's ASD/ACSC identified the SD-WAN issue through real-world exploitation and reported the vulnerability to Cisco. This reporting led to vendor investigation and later public disclosure of CVE-2026-20127.
Jan 1, 2023
Attackers chain CVE-2026-20127 with CVE-2022-20775 for root access
Post-compromise investigations found the actor likely downgraded Cisco SD-WAN software to a version vulnerable to CVE-2022-20775, exploited it to escalate to root, and then restored the original version. Agencies said this tradecraft helped the actor retain long-term access while reducing obvious signs of tampering.
Jan 1, 2023
UAT-8616 begins exploiting Cisco SD-WAN zero-day
Cisco Talos and partner agencies assessed that a sophisticated actor tracked as UAT-8616 had been exploiting the previously undisclosed CVE-2026-20127 since at least 2023. The activity involved adding rogue SD-WAN peers to gain privileged access and establish persistence in victim environments.
Related Stories

Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities by UAT-8616
**CISA** ordered U.S. federal civilian agencies to urgently remediate a **critical Cisco Catalyst SD-WAN Manager compromise** tied to **CVE-2026-20127**, a `CVSS 10.0` authentication bypass flaw that allows attackers to obtain high-privilege access without valid credentials. Reporting indicates the activity was uncovered by **CISA** and **Cisco Talos**, which attributed exploitation to **UAT-8616** and assessed that the intrusions date back to 2023. Attackers reportedly maintained persistence by downgrading devices to older vulnerable software and then using the access to reach `NETCONF` and manipulate SD-WAN fabric configuration, creating significant risk for federal networks and other exposed deployments. Additional research shows the campaign is not limited to a single bug. Cisco disclosed in-the-wild exploitation of **CVE-2026-20127** together with **CVE-2022-20775**, an older SD-WAN CLI flaw enabling post-auth privilege escalation and root command execution, while external analysis warned that public proof-of-concept material around `CVE-2026-20127` has been misattributed and may produce incomplete detections. Researchers also highlighted broader exposure across internet-facing SD-WAN Manager instances and warned that **CVE-2026-20133** may present underappreciated risk and could already be seeing exploitation, underscoring that defenders should treat the Cisco SD-WAN issue as an active intrusion and hardening priority rather than a routine patch cycle.
1 month ago
Active Exploitation of Cisco SD-WAN Vulnerabilities Beyond CVE-2026-20127
Researchers warned that defenders may be underestimating the risk from **Cisco SD-WAN** flaws beyond the widely publicized zero-day `CVE-2026-20127`, particularly **`CVE-2026-20133`**, a high-severity issue tied to inadequate file system access restrictions. VulnCheck reported that public attention and detection efforts have focused too narrowly on `CVE-2026-20127`, even though proof-of-concept activity attributed to that bug appears to affect other vulnerabilities, including `CVE-2026-20133`, `CVE-2026-20128`, and `CVE-2026-20122`. Defused researchers said their telemetry supports that assessment, indicating that `CVE-2026-20127` is generating heavy automated noise while activity involving `CVE-2026-20133`, if present, is likely quieter and easier to miss. Broader reporting indicates the SD-WAN issue is part of a larger pattern of **active exploitation across Cisco edge infrastructure**, with multiple recently disclosed SD-WAN and firewall vulnerabilities already exploited in the wild. CyberScoop reported that five of nine Cisco flaws disclosed across firewalls and SD-WAN systems in recent weeks have seen exploitation, including two SD-WAN zero-days abused for years before discovery and three additional SD-WAN defects later confirmed under attack. The reporting also noted exploitation of a maximum-severity Cisco firewall management flaw by **Interlock ransomware**, underscoring that attackers are targeting management-plane and control-plane weaknesses in network-edge products that often serve as enterprise trust anchors.
1 week ago
Actively Exploited Critical Vulnerabilities in Cisco Secure Firewall and Catalyst SD-WAN Manager
Belgium’s CCB (Safeonweb) warned of **multiple critical vulnerabilities** across several **Cisco** products—specifically calling out **Cisco Secure Firewall** (including *Adaptive Security Appliance (ASA)*, *Firepower Management Center (FMC)*, and *Firepower Threat Defense (FTD)*) and **Cisco Catalyst SD-WAN Manager**—and stated that **some vulnerabilities are being actively exploited**, urging immediate patching. The advisory lists a broad set of weakness classes including **authentication bypass** (`CWE-288`/`CWE-287`), **deserialization of untrusted data** (`CWE-502`), **buffer overflow** (`CWE-120`), **SQL injection** (`CWE-89`), and **sensitive information exposure** (`CWE-200`), and highlights multiple CVEs including **CVE-2026-20079** and **CVE-2026-20131** with **CVSS 10.0**. A separate advisory from the Center for Internet Security (CIS) also reported **multiple vulnerabilities in Cisco products** that could enable **remote code execution**, enumerating a large set of related CVEs (including **CVE-2026-20001**, **CVE-2026-20002**, **CVE-2026-20003**, and **CVE-2026-20039**). Taken together, the advisories indicate a high-risk patching priority for organizations running affected Cisco network/security management and firewall platforms, particularly where internet exposure or untrusted management-plane access could make exploitation more likely.
1 month ago