Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities by UAT-8616
CISA ordered U.S. federal civilian agencies to urgently remediate a critical Cisco Catalyst SD-WAN Manager compromise tied to CVE-2026-20127, a CVSS 10.0 authentication bypass flaw that allows attackers to obtain high-privilege access without valid credentials. Reporting indicates the activity was uncovered by CISA and Cisco Talos, which attributed exploitation to UAT-8616 and assessed that the intrusions date back to 2023. Attackers reportedly maintained persistence by downgrading devices to older vulnerable software and then using the access to reach NETCONF and manipulate SD-WAN fabric configuration, creating significant risk for federal networks and other exposed deployments.
Additional research shows the campaign is not limited to a single bug. Cisco disclosed in-the-wild exploitation of CVE-2026-20127 together with CVE-2022-20775, an older SD-WAN CLI flaw enabling post-auth privilege escalation and root command execution, while external analysis warned that public proof-of-concept material around CVE-2026-20127 has been misattributed and may produce incomplete detections. Researchers also highlighted broader exposure across internet-facing SD-WAN Manager instances and warned that CVE-2026-20133 may present underappreciated risk and could already be seeing exploitation, underscoring that defenders should treat the Cisco SD-WAN issue as an active intrusion and hardening priority rather than a routine patch cycle.
Timeline
May 1, 2026
Final federal status report on Cisco SD-WAN response is due
A final status report on agency remediation and response actions for the Cisco SD-WAN incident is due to the Secretary of Homeland Security on May 1, 2026. This marks the last deadline referenced in the emergency response timeline.
Mar 23, 2026
Federal agencies must submit Cisco SD-WAN traffic logs to CISA
CISA required agencies to submit internal traffic logs and related remediation status for affected Cisco SD-WAN environments by March 23, 2026. The deadline was intended to support government-wide threat hunting and scope determination.
Mar 12, 2026
VulnCheck warns CVE-2026-20133 poses deeper compromise risk
On March 12, 2026, VulnCheck reported that community focus on CVE-2026-20127 had obscured the risk from CVE-2026-20133. The researchers said the flaw could expose sensitive files and secrets, facilitate NETCONF compromise, and support privilege escalation and broader SD-WAN compromise paths.
Mar 12, 2026
Cisco Talos and partners detail long-running UAT-8616 exploitation
By mid-March 2026, Cisco Talos reported that threat actor UAT-8616 had exploited CVE-2026-20127 and CVE-2022-20775 in the wild, with activity traced back to 2023. The Australian Signals Directorate, with Five Eyes partners, also published a hunting and tradecraft report on the campaign.
Mar 11, 2026
CISA issues second directive requiring hardening and rebuilds
On March 11, 2026, CISA followed up with a second emergency directive mandating additional hardening steps, key replacement, and full system rebuilds where root access may have been obtained. Agencies were also told to collect forensic artifacts, enable external log storage, and investigate for compromise.
Mar 11, 2026
Rapid7 publishes working exploit for CVE-2026-20127
A Rapid7 researcher released a working public exploit for CVE-2026-20127 on March 11, 2026. Researchers warned that the availability of a valid PoC could increase real-world exploitation attempts.
Mar 11, 2026
Cisco updates advisory to mark more SD-WAN flaws as exploited
After its initial February disclosures, Cisco updated its aggregate SD-WAN advisory to state that CVE-2026-20122 and CVE-2026-20128 were also being actively exploited. This expanded the set of known in-the-wild SD-WAN vulnerabilities beyond CVE-2026-20127.
Mar 3, 2026
Misattributed public PoC for CVE-2026-20127 is released
On March 3, 2026, a public exploit labeled as a PoC for CVE-2026-20127 was released by zerozenxlabs. VulnCheck later determined it did not exploit CVE-2026-20127, but instead chained CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 to obtain credentials and upload a webshell.
Feb 27, 2026
Federal agencies face initial Cisco SD-WAN patch deadline
CISA's first directive required U.S. federal agencies to complete initial software updates for affected Cisco SD-WAN systems by February 27, 2026. This marked the first mandatory remediation deadline in the government's response.
Feb 25, 2026
CISA issues first emergency directive for Cisco SD-WAN flaw
On February 25, 2026, CISA issued an emergency directive after discovering exploitation of Cisco Catalyst SD-WAN vulnerabilities in federal networks. The directive required agencies to begin urgent remediation of affected systems.
Feb 25, 2026
Cisco discloses six Catalyst SD-WAN Manager vulnerabilities
Cisco disclosed six vulnerabilities affecting Catalyst SD-WAN Manager on February 25, 2026, including the critical authentication bypass flaw CVE-2026-20127. The disclosures also covered additional SD-WAN Manager issues later tracked in Cisco's aggregate advisory.
Related Stories

Cisco SD-WAN Zero-Day Exploited to Add Rogue Peers and Gain Persistent Root Access
Cisco and multiple government cyber agencies warned that attackers are actively exploiting **CVE-2026-20127**, a critical `CVSS 10.0` authentication bypass in **Cisco Catalyst SD-WAN Controller** and **Catalyst SD-WAN Manager**. The flaw affects the peering authentication process and lets unauthenticated remote attackers gain administrative access, use `NETCONF`, and alter SD-WAN fabric configuration, including adding **malicious rogue peers**. Cisco Talos attributed the activity to a sophisticated cluster tracked as **UAT-8616**, with evidence suggesting exploitation dates back to at least 2023 and has affected high-value targets, including critical infrastructure and government networks. Investigators said the intrusions often continued with a downgrade of the appliance software to exploit **CVE-2022-20775** for **root** privilege escalation, after which the original version was restored to help conceal the compromise while maintaining persistence. In response, **CISA** added both CVEs to the **Known Exploited Vulnerabilities** catalog and issued **Emergency Directive 26-03** for U.S. federal civilian agencies, while the **UK NCSC**, **ACSC**, **Canadian Centre for Cyber Security**, and other partners released joint hunting and hardening guidance. Cisco said there are **no complete workarounds**, urged immediate upgrades to fixed releases, and advised defenders to review peering events, SSH key activity, version history, and logs for signs of tampering or unauthorized access.
1 week ago
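The story above says the intrusions downgraded the appliance software to an older vulnerable release, escalated privileges, and then restored the original version to conceal the change, and that Cisco advised reviewing version history and logs for exactly this kind of tampering. The script below is an added example, not code from Mallory, Cisco, CISA, or any of the cited advisories: it parses a software version history and flags any node that was downgraded and later moved back up to at least its pre-downgrade version. The line format, node names, timestamps and version numbers are all constructed for this example and do not reflect any real Cisco log format.

```python
"""Hypothetical downgrade-then-restore detector for a device version history.

The input format below is constructed for this example; it is NOT a Cisco
SD-WAN Manager log format. Adapt parse_history() to whatever version-change
record your own environment keeps.
"""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed sample: one record per software-version change on a manager node.
SAMPLE_VERSION_HISTORY = """\
2025-11-02T09:14:05Z node=mgr-01 event=version_change from=20.9.5 to=20.12.4
2026-01-14T03:27:41Z node=mgr-01 event=version_change from=20.12.4 to=20.6.3
2026-01-14T04:02:09Z node=mgr-01 event=version_change from=20.6.3 to=20.12.4
2026-02-01T12:00:00Z node=mgr-02 event=version_change from=20.9.5 to=20.12.4
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) node=(?P<node>\S+) event=version_change "
    r"from=(?P<frm>[\d.]+) to=(?P<to>[\d.]+)$"
)


def version_key(version: str) -> tuple:
    """Turn '20.12.4' into (20, 12, 4) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


@dataclass
class VersionChange:
    ts: str
    node: str
    frm: str
    to: str

    def is_downgrade(self) -> bool:
        return version_key(self.to) < version_key(self.frm)


def parse_history(text: str) -> list:
    """Parse version-change records; lines that do not match are skipped."""
    changes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            changes.append(VersionChange(**m.groupdict()))
    return changes


def find_downgrades(changes: list) -> list:
    """Every downgrade is worth a look on its own: return (node, ts, from, to)."""
    return [(c.node, c.ts, c.frm, c.to) for c in changes if c.is_downgrade()]


def find_downgrade_restore(changes: list) -> list:
    """Flag nodes that were downgraded and later restored to >= the original version.

    Returns tuples of (node, downgrade_ts, restore_ts, original_version,
    downgraded_version, seconds_between). Records are processed per node in
    the order given, so callers should pass them sorted by time.
    """
    findings = []
    by_node = {}
    for c in changes:
        by_node.setdefault(c.node, []).append(c)
    for node, seq in by_node.items():
        pending = None  # the most recent unresolved downgrade on this node
        for c in seq:
            if c.is_downgrade():
                pending = c
            elif pending and version_key(c.to) >= version_key(pending.frm):
                gap = (parse_ts(c.ts) - parse_ts(pending.ts)).total_seconds()
                findings.append((node, pending.ts, c.ts, pending.frm, pending.to, int(gap)))
                pending = None
    return findings


if __name__ == "__main__":
    history = parse_history(SAMPLE_VERSION_HISTORY)
    for hit in find_downgrade_restore(history):
        node, down_ts, up_ts, orig, low, secs = hit
        print(f"SUSPICIOUS {node}: {orig} -> {low} at {down_ts}, "
              f"restored at {up_ts} ({secs} s later)")
```

On the constructed sample this reports mgr-01, which dropped from 20.12.4 to 20.6.3 and was back on 20.12.4 about 34 minutes later; mgr-02 only ever moved upward and is not flagged. A short gap between downgrade and restore is the interesting signal here, since a legitimate rollback normally stays on the older release for some time.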
Active Exploitation of Cisco SD-WAN Vulnerabilities Beyond CVE-2026-20127
Researchers warned that defenders may be underestimating the risk from **Cisco SD-WAN** flaws beyond the widely publicized zero-day `CVE-2026-20127`, particularly **`CVE-2026-20133`**, a high-severity issue tied to inadequate file system access restrictions. VulnCheck reported that public attention and detection efforts have focused too narrowly on `CVE-2026-20127`, even though proof-of-concept activity attributed to that bug appears to affect other vulnerabilities, including `CVE-2026-20133`, `CVE-2026-20128`, and `CVE-2026-20122`. Defused researchers said their telemetry supports that assessment, indicating that `CVE-2026-20127` is generating heavy automated noise while activity involving `CVE-2026-20133`, if present, is likely quieter and easier to miss. Broader reporting indicates the SD-WAN issue is part of a larger pattern of **active exploitation across Cisco edge infrastructure**, with multiple recently disclosed SD-WAN and firewall vulnerabilities already exploited in the wild. CyberScoop reported that five of nine Cisco flaws disclosed across firewalls and SD-WAN systems in recent weeks have seen exploitation, including two SD-WAN zero-days abused for years before discovery and three additional SD-WAN defects later confirmed under attack. The reporting also noted exploitation of a maximum-severity Cisco firewall management flaw by **Interlock ransomware**, underscoring that attackers are targeting management-plane and control-plane weaknesses in network-edge products that often serve as enterprise trust anchors.
1 week ago
Actively Exploited Critical Vulnerabilities in Cisco Secure Firewall and Catalyst SD-WAN Manager
Belgium’s CCB (Safeonweb) warned of **multiple critical vulnerabilities** across several **Cisco** products—specifically calling out **Cisco Secure Firewall** (including *Adaptive Security Appliance (ASA)*, *Firepower Management Center (FMC)*, and *Firepower Threat Defense (FTD)*) and **Cisco Catalyst SD-WAN Manager**—and stated that **some vulnerabilities are being actively exploited**, urging immediate patching. The advisory lists a broad set of weakness classes including **authentication bypass** (`CWE-288`/`CWE-287`), **deserialization of untrusted data** (`CWE-502`), **buffer overflow** (`CWE-120`), **SQL injection** (`CWE-89`), and **sensitive information exposure** (`CWE-200`), and highlights multiple CVEs including **CVE-2026-20079** and **CVE-2026-20131** with **CVSS 10.0**. A separate advisory from the Center for Internet Security (CIS) also reported **multiple vulnerabilities in Cisco products** that could enable **remote code execution**, enumerating a large set of related CVEs (including **CVE-2026-20001**, **CVE-2026-20002**, **CVE-2026-20003**, and **CVE-2026-20039**). Taken together, the advisories indicate a high-risk patching priority for organizations running affected Cisco network/security management and firewall platforms, particularly where internet exposure or untrusted management-plane access could make exploitation more likely.
1 month ago