Critical Cisco SD-WAN Zero-Day Vulnerability Exploited Since 2023 to Gain Root Access
Cisco has recently disclosed a critical zero-day vulnerability in its Catalyst SD-WAN products, identified as CVE-2026-20127. This flaw has been actively exploited by threat actors since 2023, allowing them to bypass authentication mechanisms and gain root access to affected systems. The vulnerability affects core networking components, prompting an urgent need for patching to mitigate ongoing attacks.
Vulnerability Details
CVE-2026-20127 arises from a flaw in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). An unauthenticated remote attacker can send specially crafted requests to bypass authentication checks, effectively logging in as a high-privileged, non-root internal user. This unauthorized access enables the attacker to manipulate the Network Configuration Protocol (NETCONF), allowing changes to the entire SD-WAN fabric’s network configuration. Such changes can include adding rogue peers or altering routing paths, potentially leading to significant network disruptions.
The vulnerability carries a CVSS v3.1 base score of 10.0, categorizing it as critical. The attack vector is network-based, with low complexity, requiring no privileges or user interaction. It impacts both on-premises deployments and Cisco-hosted SD-WAN Cloud environments, including standard, managed, and FedRAMP setups. Cisco released patches on February 25, 2026, but confirmed that no workarounds exist, emphasizing the necessity for immediate action.
Exploitation Timeline
Active exploitation of this vulnerability dates back to at least 2023. Cisco Talos, the company’s threat intelligence division, discovered in-the-wild zero-day use and tracks the campaign as UAT-8616. This campaign is linked to post-compromise persistence in high-value targets, such as critical infrastructure. Attackers have been observed adding malicious rogue peers to configurations, enabling long-term network access.
After bypassing authentication, attackers reportedly downgraded software versions to exploit CVE-2022-20775, a path-traversal flaw, for root escalation. They then restored the original software versions to evade detection. This sophisticated chain of attacks highlights the advanced tactics employed by threat actors targeting network edge devices to establish a foothold within organizations. Incidents reported by intelligence partners confirm the compromise of internet-exposed management and control planes.
Cisco Talos attributes these attacks to UAT-8616, assessed as a highly sophisticated actor with high confidence. The group focuses on SD-WAN systems to maintain persistent access in critical sectors, continuing a trend of targeting edge devices. While no public Indicators of Compromise (IOCs) have been detailed yet, hunt guides from partners emphasize the importance of checking peer configurations and version histories.
Affected Products and Fixed Versions
The following Cisco SD-WAN products are affected by CVE-2026-20127:
– SD-WAN Controller (vSmart): Versions 20.3.1 through 20.14.3, and 20.15.1.
– SD-WAN Manager (vManage): Versions 20.3.1 through 20.14.3, and 20.15.1.
Cisco has released fixed versions to address the vulnerability:
– SD-WAN Controller (vSmart): Version 20.14.4 and 20.15.2.
– SD-WAN Manager (vManage): Version 20.14.4 and 20.15.2.
Mitigation Steps
Organizations are urged to take the following steps to mitigate the risk associated with CVE-2026-20127:
1. Apply Patches Immediately: Implement the Cisco patches released on February 25, 2026, to address the vulnerability.
2. Inventory SD-WAN Deployments: Conduct a thorough inventory of all SD-WAN deployments, with a focus on internet-facing controllers.
3. Scan for Rogue Peers: Use the command `show sdwan omp peers detail` via the Command Line Interface (CLI) to identify any unauthorized peers.
4. Review NETCONF Sessions: Audit NETCONF logs for any anomalies that may indicate unauthorized access or configuration changes.
5. Enable Logging: Activate logging for authentication failures and version changes to detect potential exploitation attempts.
6. Reset Compromised Configurations: If unauthorized changes are detected, reset the compromised configurations to their original state.
7. Restrict Management Plane Access: Implement access controls to limit exposure of the management plane to trusted networks only.
8. Monitor for Unauthorized Peers: Continuously monitor the network for the addition of unauthorized peers or other suspicious activities.
Organizations in critical infrastructure sectors should prioritize these checks, as UAT-8616 seeks enduring persistence within such environments. The broader adoption of zero-trust security models for edge devices can help counteract such sophisticated threats.
Regulatory Actions
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities Catalog as of February 25, 2026. Emergency Directive 26-03 mandates that Federal Civilian Executive Branch (FCEB) agencies inventory SD-WAN systems, apply patches within 21 days, and hunt for indicators of compromise. Similarly, the Australian Cyber Security Centre and the Canadian Cyber Centre have issued alerts noting real-world instances of rogue peer additions.
Conclusion
The disclosure of CVE-2026-20127 underscores the critical importance of promptly addressing vulnerabilities in network infrastructure. The active exploitation of this flaw since 2023 highlights the persistent threats targeting SD-WAN systems. Organizations must act swiftly to apply patches, review configurations, and implement robust monitoring to safeguard against unauthorized access and potential network disruptions.
