Cisco SD-WAN Zero-Day Exploited for Three Years

Cisco announced today that a critical zero-day vulnerability in its Catalyst SD-WAN Controller has been actively exploited for at least three years.

The flaw, identified as CVE-2026-20127, is an authentication bypass vulnerability with a maximum CVSS score of 10. According to Cisco's security advisory, an attacker can send specially crafted requests to a vulnerable system and gain access to the controller as a high-privileged, non-root user.

In its disclosure, Cisco mentioned that there has been "limited exploitation" of this vulnerability. On the same day, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive mandating that federal civilian executive branch (FCEB) agencies patch both CVE-2026-20127 and an older Catalyst SD-WAN flaw, CVE-2022-20775, by the end of the week. Typically, CISA provides a two-week window for FCEB agencies to address vulnerabilities that have been exploited, but emergency directives allow for quicker action on higher-risk flaws.

The situation escalated when Cisco Talos published a blog post revealing that exploitation of CVE-2026-20127 has been occurring since at least 2023. The post referenced a 41-page threat hunting guide produced by the Australian Signals Directorate and co-authored by CISA, the US National Security Agency (NSA), and other international partners.

According to the guide, investigations conducted by intelligence partners indicated that the actor likely escalated their privileges to root user status through a software version downgrade. Following this, they reportedly exploited CVE-2022-20775 before reverting to the original software version, effectively gaining root access.

Cisco Talos researchers are tracking the exploitation and subsequent activities under the designation UAT-8616, which they describe as a highly sophisticated cyber threat actor. However, the identity of UAT-8616, as well as the networks they compromised, remain unclear.

The Mystery of UAT-8616

The threat hunting guide indicates that international intelligence agencies determined that at least one threat actor had compromised Cisco SD-WAN controllers, previously known as SD-WAN vSmart controllers, since 2023. The source of these compromises was identified as CVE-2026-20127 in late 2025.

The agencies did not specify which organizations were breached or how many victims were affected by UAT-8616's activities. However, all observed activities were limited to SD-WAN components, with no evidence of lateral movement outside these systems or the presence of command-and-control (C2) malware.

The guide detailed that the exploitation of CVE-2026-20127 enabled the threat actor to add a rogue peer to the Cisco SD-WAN management and control plane. This rogue peer is essentially an unauthorized actor that is now trusted within the SD-WAN network management system.

The threat actor employed the built-in update mechanism to downgrade a vSmart controller to a version that had known local privilege escalation vulnerabilities, including CVE-2022-20775. After downgrading, they exploited CVE-2022-20775 and created local accounts for persistence.

According to the guide, the actor likely used a publicly available proof of concept exploit for this CVE to execute commands as the root user.

The identity of UAT-8616 remains elusive, largely due to the lack of evidence left behind. Scott Caveza, a senior staff research engineer at Tenable, noted that Cisco vulnerabilities have been popular targets for state-sponsored groups.

Caveza emphasized the importance of immediate action to remediate these vulnerabilities, citing that nation-state actors, including those linked to the Salt Typhoon and Volt Typhoon campaigns, have a history of exploiting Cisco devices.

Mitigating CVE-2026-20127

Cisco Talos highlighted the exploitation of CVE-2026-20127 as part of a broader pattern of behavior among threat actors in recent years. They noted that UAT-8616's attempts at exploitation indicate an ongoing trend of targeting network edge devices by cyber threat actors seeking to establish footholds in high-value organizations, including those in Critical Infrastructure sectors.

Cisco strongly urged its customers to update their Catalyst SD-WAN Controllers to a fixed version promptly and to restrict access to these instances from unsecured networks, such as the public Internet. They warned that systems exposed to the Internet with open ports are particularly at risk of compromise.

In addition, Cisco recommended that organizations disable HTTP access for the Catalyst SD-WAN Manager web UI administrator portal and change default administrator passwords to more secure alternatives.

To detect potential compromises, intelligence agencies advised customers to examine their controllers for signs of rogue peering, version downgrades, and unexpected reboots. The threat hunting guide also suggested employing firewalls to protect SD-WAN controllers, enabling centralized logging, and using the "golden star" version of the software to ensure the implementation of current security features.
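The three indicators the agencies list (rogue peering, version downgrades, unexpected reboots) can be hunted for in centralized controller logs. The following is an added example, not code from Cisco or from the threat hunting guide; it assumes a constructed, simplified event-log format rather than Cisco's real syslog schema, an assumed allowlist of legitimate peers, and an assumed maintenance window, and it also flags the downgrade-then-revert sequence the guide describes.

```python
import re
from datetime import datetime, time

# Constructed sample log (assumed format, not Cisco's): "<ISO timestamp> <controller> <event> <detail>"
SAMPLE_LOG = """\
2025-11-02T01:10:00 vsmart-1 VERSION 20.9.4
2025-11-02T01:12:30 vsmart-1 PEER_ADDED 10.20.30.40
2025-11-02T01:15:00 vsmart-1 VERSION 20.6.3
2025-11-02T01:16:05 vsmart-1 REBOOT operator=unknown
2025-11-02T02:00:00 vsmart-1 VERSION 20.9.4
2025-11-03T03:30:00 vsmart-2 REBOOT operator=scheduled
"""
KNOWN_PEERS = {"10.0.0.5", "10.0.0.6"}   # assumed allowlist of legitimate control-plane peers
MAINTENANCE = (time(2, 0), time(4, 0))   # assumed maintenance window (local time)

def parse_version(v):
    """Turn '20.9.4' into (20, 9, 4) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))

def fmt(ver):
    return ".".join(map(str, ver))

def hunt(log_text, known_peers=KNOWN_PEERS, window=MAINTENANCE):
    """Return (timestamp, controller, indicator, detail) tuples for each suspicious event."""
    findings, last_version, downgraded = [], {}, set()
    for line in log_text.splitlines():
        m = re.match(r"(\S+) (\S+) (\S+) (.*)", line)
        if not m:
            continue
        ts, ctrl, event, detail = m.groups()
        ts = datetime.fromisoformat(ts)
        if event == "VERSION":
            ver, prev = parse_version(detail), last_version.get(ctrl)
            if prev and ver < prev:          # software moved backwards: downgrade
                findings.append((ts, ctrl, "downgrade", f"{fmt(prev)}->{fmt(ver)}"))
                downgraded.add(ctrl)
            elif prev and ver > prev and ctrl in downgraded:   # restored after a downgrade
                findings.append((ts, ctrl, "revert_after_downgrade", f"{fmt(prev)}->{fmt(ver)}"))
            last_version[ctrl] = ver
        elif event == "PEER_ADDED" and detail not in known_peers:   # unknown peer joined
            findings.append((ts, ctrl, "rogue_peer", detail))
        elif event == "REBOOT":
            in_window = window[0] <= ts.time() < window[1]
            if not in_window or "scheduled" not in detail:          # reboot outside plan
                findings.append((ts, ctrl, "unexpected_reboot", detail))
    return findings
```

Each finding should be correlated with change tickets before being treated as a compromise; a legitimate rollback during maintenance will trigger the same downgrade indicator.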
