Critical Cisco SD-WAN Zero-Day Vulnerability Exploited in the Wild: PoC Released
A critical zero-day vulnerability, identified as CVE-2026-20127, has been discovered in Cisco’s Catalyst SD-WAN Controller and SD-WAN Manager. This flaw has been actively exploited since at least 2023, allowing unauthenticated remote attackers to bypass authentication mechanisms and gain administrative access to affected systems.
Vulnerability Overview
The root cause of CVE-2026-20127 is a flaw in the peering authentication mechanism of the affected Cisco SD-WAN systems. By sending specially crafted HTTP requests to the SD-WAN Controller's REST API, an attacker can bypass the login process entirely and obtain an administrative session without valid credentials. Because no authentication is required, any management interface reachable from an untrusted network is directly exposed. The vulnerability has been assigned a CVSS v3.1 base score of 10.0, the maximum possible, reflecting its critical severity.
Exploitation Details
Cisco Talos has been tracking the threat activity associated with this vulnerability under the cluster UAT-8616, describing it as a highly sophisticated cyber threat actor targeting critical infrastructure globally. The attack chain observed includes several stages:
1. Initial Access: Exploitation of CVE-2026-20127 to gain high-privileged, non-root administrative access, followed by the addition of a rogue peer device to the SD-WAN management/control plane.
2. Privilege Escalation: Deliberate downgrading of the appliance software to a version still affected by the older CVE-2022-20775 flaw, which is then exploited to escalate from the non-root administrative account to full root access.
3. Version Restoration: Restoration of the system to its original software version to erase forensic evidence of the downgrade.
4. Persistence: Addition of unauthorized SSH keys to `/home/root/.ssh/authorized_keys`, modification of the `sshd_config` file to set `PermitRootLogin yes`, and alteration of SD-WAN startup scripts.
5. Lateral Movement: Utilization of NETCONF (port 830) and SSH to pivot between SD-WAN appliances and manipulate the entire fabric configuration.
6. Cover-Up: Clearing of logs, including `syslog`, `bash_history`, `wtmp`, `lastlog`, and logs under `/var/log/`, to remove traces of the intrusion.
Proof-of-Concept Exploit Released
A public proof-of-concept (PoC) exploit for CVE-2026-20127 has been released by zerozenxlabs on GitHub. The PoC includes a working Python exploit script, a JSP webshell (`cmd.jsp`), and a deployable WAR file, significantly lowering the barrier for other threat actors to weaponize this critical flaw.
Recommendations and Mitigation
Cisco Talos urges administrators to immediately audit control connection peering events in SD-WAN logs for unauthorized vManage peer connections, unexpected source IPs, and anomalous timestamps. Any log entries indicating rogue peer additions, SSH key modifications, or version downgrade/upgrade cycles should be treated as high-fidelity indicators of compromise. Since the actor clears on-box logs after gaining root, these checks are most reliable against copies forwarded to an external syslog collector or SIEM before the intrusion, and a gap or abrupt reset in an appliance's local log history is itself worth investigating.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20127 to its Known Exploited Vulnerabilities (KEV) catalog and mandated urgent patching for federal agencies. Organizations using Cisco Catalyst SD-WAN are strongly advised to apply patches immediately, review the security advisory, and follow the Australian Cyber Security Centre’s SD-WAN Threat Hunting Guide to check for potential compromise.
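The following script is an added example of the hunting checks recommended above, covering the persistence and cover-up indicators from the attack chain (rogue peer additions, a downgrade followed by a restore of the original version, root SSH keys, and `PermitRootLogin yes`). It is not Cisco's, Talos' or the ACSC's tooling. The event log format it parses is constructed for the demonstration and is an assumption; real vManage/Controller event formats differ, so the two regexes must be adapted to the actual log source. The `sshd_config` and `authorized_keys` samples are likewise constructed, with placeholder key material.

```python
"""Hunt for CVE-2026-20127 post-exploitation indicators in forwarded logs and
config files. Added example (not vendor tooling); log format is ASSUMED."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample event log. The field layout is a demo assumption.
SAMPLE_LOG = """\
2025-11-02T01:12:03Z control-peer added peer=10.10.0.7 type=vmanage
2025-11-02T01:12:40Z software version-change from=20.12.4 to=20.6.1
2025-11-02T01:15:11Z software version-change from=20.6.1 to=20.12.4
2025-11-03T09:00:00Z control-peer added peer=10.0.0.2 type=vmanage
"""
# Constructed config samples; key blobs are placeholders, not real keys.
SAMPLE_SSHD_CONFIG = "# constructed sample\nPort 22\nPermitRootLogin no\nPermitRootLogin yes\n"
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyPlaceholder admin@jump
no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvilKeyPlaceholder x
"""
APPROVED_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyPlaceholder"}

PEER_RE = re.compile(r"^(\S+) control-peer added peer=(\S+) type=(\S+)$")
VER_RE = re.compile(r"^(\S+) software version-change from=(\S+) to=(\S+)$")


@dataclass
class Event:
    ts: str
    kind: str  # "peer" or "version"
    fields: Dict[str, str] = field(default_factory=dict)


def parse_log(text: str) -> List[Event]:
    """Parse the assumed event format; lines that match neither pattern are skipped."""
    events = []
    for line in text.splitlines():
        if m := PEER_RE.match(line):
            events.append(Event(m[1], "peer", {"peer": m[2], "type": m[3]}))
        elif m := VER_RE.match(line):
            events.append(Event(m[1], "version", {"from": m[2], "to": m[3]}))
    return events


def rogue_peers(events: List[Event], known_peers: set) -> List[Tuple[str, str]]:
    """Peer additions whose address is not in the expected Manager/Controller set."""
    return [(e.ts, e.fields["peer"]) for e in events
            if e.kind == "peer" and e.fields["peer"] not in known_peers]


def _vtuple(v: str) -> Tuple[int, ...]:
    # Compare numeric components only, so suffixes like "20.12.4a" still parse.
    return tuple(int(n) for n in re.findall(r"\d+", v))


def downgrade_cycles(events: List[Event]) -> List[Tuple[str, str, str, str]]:
    """A downgrade later followed by an upgrade back to the original version.
    Returns (downgrade_ts, original_version, downgraded_to, restore_ts)."""
    versions = [e for e in events if e.kind == "version"]
    found = []
    for i, d in enumerate(versions):
        if _vtuple(d.fields["to"]) >= _vtuple(d.fields["from"]):
            continue  # not a downgrade
        for r in versions[i + 1:]:
            if r.fields["from"] == d.fields["to"] and r.fields["to"] == d.fields["from"]:
                found.append((d.ts, d.fields["from"], d.fields["to"], r.ts))
                break
    return found


def permit_root_login(sshd_config: str) -> Tuple[str, List[int]]:
    """Effective PermitRootLogin value plus every line setting it to yes.
    OpenSSH honours the FIRST directive it reads, so a 'yes' appended below an
    earlier 'no' is inert, yet it is still evidence of tampering. Match blocks
    are not modelled here."""
    effective, seen_first, yes_lines = "prohibit-password", False, []  # default when unset
    for n, raw in enumerate(sshd_config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            value = parts[1].strip().lower()
            if not seen_first:
                effective, seen_first = value, True
            if value == "yes":
                yes_lines.append(n)
    return effective, yes_lines


def unknown_authorized_keys(authorized_keys: str, approved: set) -> List[str]:
    """Key blobs (type + base64) not in the approved set. The options field and
    the trailing comment are ignored, so a renamed key is still recognised."""
    unknown = []
    for raw in authorized_keys.splitlines():
        toks = raw.split()
        if not toks or toks[0].startswith("#"):
            continue
        for i, t in enumerate(toks):
            if t.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(toks):
                blob = f"{t} {toks[i + 1]}"
                if blob not in approved:
                    unknown.append(blob)
                break
    return unknown


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("rogue peers:", rogue_peers(ev, {"10.0.0.2"}))
    print("downgrade/restore cycles:", downgrade_cycles(ev))
    print("PermitRootLogin:", permit_root_login(SAMPLE_SSHD_CONFIG))
    print("unknown root keys:", unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_KEYS))
```

Run against forwarded logs rather than the appliance's own `/var/log`, and feed `permit_root_login` and `unknown_authorized_keys` the files pulled from each device (`/etc/ssh/sshd_config` and `/home/root/.ssh/authorized_keys`); the `known_peers` and `APPROVED_KEYS` sets should come from your inventory, not from the device under investigation.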