Active Exploitation of Cisco SD-WAN Vulnerabilities Beyond CVE-2026-20127
Researchers warned that defenders may be underestimating the risk from Cisco SD-WAN flaws beyond the widely publicized zero-day CVE-2026-20127, particularly CVE-2026-20133, a high-severity issue tied to inadequate file system access restrictions. VulnCheck reported that public attention and detection efforts have focused too narrowly on CVE-2026-20127, even though proof-of-concept activity attributed to that bug appears to affect other vulnerabilities, including CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122. Defused researchers said their telemetry supports that assessment, indicating that CVE-2026-20127 is generating heavy automated noise while activity involving CVE-2026-20133, if present, is likely quieter and easier to miss.
Broader reporting indicates the SD-WAN issue is part of a larger pattern of active exploitation across Cisco edge infrastructure, with multiple recently disclosed SD-WAN and firewall vulnerabilities already exploited in the wild. CyberScoop reported that five of nine Cisco flaws disclosed across firewalls and SD-WAN systems in recent weeks have seen exploitation, including two SD-WAN zero-days abused for years before discovery and three additional SD-WAN defects later confirmed under attack. The reporting also noted exploitation of a maximum-severity Cisco firewall management flaw by Interlock ransomware, underscoring that attackers are targeting management-plane and control-plane weaknesses in network-edge products that often serve as enterprise trust anchors.
Timeline
Apr 21, 2026
CISA adds Cisco SD-WAN flaw CVE-2026-20133 to KEV catalog
CISA added Cisco Catalyst SD-WAN Manager vulnerability CVE-2026-20133 to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. The agency ordered Federal Civilian Executive Branch agencies to secure affected systems by 2026-04-24 and follow Emergency Directive 26-03 and Cisco hardening guidance.
Apr 20, 2026
CISA adds CVE-2026-20128 and CVE-2026-20122 to KEV catalog
CISA added Cisco Catalyst SD-WAN Manager flaws CVE-2026-20128 and CVE-2026-20122 to its Known Exploited Vulnerabilities catalog after Cisco confirmed active exploitation. Federal agencies were given a remediation deadline in late April 2026, expanding U.S. government response beyond CVE-2026-20133 alone.
Mar 18, 2026
Researchers warn CVE-2026-20133 may be the more urgent SD-WAN threat
VulnCheck assessed that the high-severity Cisco Catalyst SD-WAN flaw CVE-2026-20133 may pose a greater immediate risk than the more publicized zero-day CVE-2026-20127. Defused researchers also said vulnerable SD-WAN devices were being targeted through multiple avenues and that CVE-2026-20133 exploitation may be quieter and easier to miss.
Mar 18, 2026
Researchers identify misattributed PoC affecting other Cisco flaws
VulnCheck reported that a proof-of-concept published by ZeroZenX Labs for CVE-2026-20127 did not actually target that zero-day, but instead affected CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122. The finding suggested defenders may be misjudging which SD-WAN vulnerabilities are most urgent.
Mar 18, 2026
Cisco discloses multiple SD-WAN and firewall vulnerabilities
Cisco recently disclosed nine vulnerabilities affecting SD-WAN and firewall management products, with five later confirmed as exploited in the wild. The disclosures included the zero-day CVE-2026-20127 and other SD-WAN flaws such as CVE-2026-20133.
Feb 28, 2026
Cisco patches three Catalyst SD-WAN Manager flaws
Cisco released fixes in late February 2026 for CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 affecting Catalyst SD-WAN Manager. The vulnerabilities were later cited by CISA as actively exploited or included in its Known Exploited Vulnerabilities catalog.
Feb 25, 2026
CISA orders federal agencies to assess and patch Cisco SD-WAN Manager
CISA issued an emergency directive requiring federal executive branch agencies to assess and patch Cisco SD-WAN Manager systems after concerns about active exploitation. The directive elevated the urgency of the Cisco SD-WAN vulnerability situation for U.S. government networks.
Jan 26, 2026
Attackers begin exploiting Cisco firewall management flaw
Amazon Threat Intelligence said the Interlock ransomware group started exploiting a maximum-severity Cisco firewall management vulnerability before it was publicly disclosed. The exploitation reportedly began on January 26 and targeted firewall management infrastructure.
Mar 18, 2023
Cisco SD-WAN zero-days were exploited for years before disclosure
Two Cisco SD-WAN zero-day vulnerabilities were reportedly exploited in the wild for at least three years before Cisco disclosed them. This indicates long-running attacker access to SD-WAN management or control-plane systems prior to public awareness.
Related Stories
Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities by UAT-8616
**CISA** ordered U.S. federal civilian agencies to urgently remediate a **critical Cisco Catalyst SD-WAN Manager compromise** tied to **CVE-2026-20127**, a `CVSS 10.0` authentication bypass flaw that allows attackers to obtain high-privilege access without valid credentials. Reporting indicates the activity was uncovered by **CISA** and **Cisco Talos**, which attributed exploitation to **UAT-8616** and assessed that the intrusions date back to 2023. Attackers reportedly maintained persistence by downgrading devices to older vulnerable software and then using the access to reach `NETCONF` and manipulate SD-WAN fabric configuration, creating significant risk for federal networks and other exposed deployments. Additional research shows the campaign is not limited to a single bug. Cisco disclosed in-the-wild exploitation of **CVE-2026-20127** together with **CVE-2022-20775**, an older SD-WAN CLI flaw enabling post-auth privilege escalation and root command execution, while external analysis warned that public proof-of-concept material around `CVE-2026-20127` has been misattributed and may produce incomplete detections. Researchers also highlighted broader exposure across internet-facing SD-WAN Manager instances and warned that **CVE-2026-20133** may present underappreciated risk and could already be seeing exploitation, underscoring that defenders should treat the Cisco SD-WAN issue as an active intrusion and hardening priority rather than a routine patch cycle.
1 month ago
Cisco SD-WAN Zero-Day Exploited to Add Rogue Peers and Gain Persistent Root Access
Cisco and multiple government cyber agencies warned that attackers are actively exploiting **CVE-2026-20127**, a critical `CVSS 10.0` authentication bypass in **Cisco Catalyst SD-WAN Controller** and **Catalyst SD-WAN Manager**. The flaw affects the peering authentication process and lets unauthenticated remote attackers gain administrative access, use `NETCONF`, and alter SD-WAN fabric configuration, including adding **malicious rogue peers**. Cisco Talos attributed the activity to a sophisticated cluster tracked as **UAT-8616**, with evidence suggesting exploitation dates back to at least 2023 and has affected high-value targets, including critical infrastructure and government networks. Investigators said the intrusions often continued with a downgrade of the appliance software to exploit **CVE-2022-20775** for **root** privilege escalation, after which the original version was restored to help conceal the compromise while maintaining persistence. In response, **CISA** added both CVEs to the **Known Exploited Vulnerabilities** catalog and issued **Emergency Directive 26-03** for U.S. federal civilian agencies, while the **UK NCSC**, **ACSC**, **Canadian Centre for Cyber Security**, and other partners released joint hunting and hardening guidance. Cisco said there are **no complete workarounds**, urged immediate upgrades to fixed releases, and advised defenders to review peering events, SSH key activity, version history, and logs for signs of tampering or unauthorized access.
1 week ago
Internet-Scale Scanning and Exploitation Pressure on Edge Network Devices (Cisco SD-WAN, SonicWall SSL VPN)
Security monitoring and reporting highlighted escalating attacker focus on internet-exposed edge infrastructure, including **active exploitation** of a maximum-severity Cisco SD-WAN flaw and **large-scale reconnaissance** against SonicWall firewalls. Cisco disclosed **CVE-2026-20127** (CVSS 10.0) affecting *Cisco Catalyst SD-WAN Controller* (vSmart) and *Catalyst SD-WAN Manager* (vManage), describing in-the-wild exploitation dating back to 2023 that enables **unauthenticated authentication bypass** leading to **administrative privileges** via crafted requests; Cisco attributes discovery to **ASD-ACSC** and tracks related activity as **UAT-8616**. Separately, GreyNoise-tracked activity showed a coordinated scanning campaign against **SonicWall SonicOS** devices using **4,000+ unique IPs** to enumerate targets—primarily probing a SonicOS **REST API endpoint** used to determine whether **SSL VPN** is enabled (a common precursor to follow-on credential attacks and exploitation). The campaign generated **84,142 scanning sessions** over a four-day window and was assessed as a continuation/escalation of similar late-2025 scanning that targeted both Palo Alto and SonicWall VPN infrastructure, reinforcing the likelihood of an impending exploitation wave against exposed and unpatched perimeter devices.
1 month ago