Critical Cisco SD-WAN Zero-Day Vulnerability Exploited Since 2023
A critical security vulnerability, identified as CVE-2026-20127, has been discovered in Cisco’s Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage). This flaw has been actively exploited by a sophisticated cyber threat actor, designated UAT-8616, since at least 2023. The vulnerability allows unauthenticated remote attackers to bypass authentication mechanisms and gain administrative privileges on affected systems by sending specially crafted requests.
Technical Details:
The root cause of CVE-2026-20127 is a flaw in the peering authentication mechanism of the affected systems. By exploiting it, an attacker can log in as a high-privileged, non-root internal user. That access lets the attacker use the Network Configuration Protocol (NETCONF) to manipulate the configuration of the SD-WAN fabric, potentially leading to unauthorized changes and disruptions.
Affected Deployments:
The vulnerability impacts various deployment types, regardless of device configuration, including:
– On-Premises Deployments
– Cisco Hosted SD-WAN Cloud
– Cisco Hosted SD-WAN Cloud – Cisco Managed
– Cisco Hosted SD-WAN Cloud – FedRAMP Environment
Discovery and Attribution:
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC) reported the vulnerability to Cisco. Cisco’s security team has been tracking the exploitation activities under the identifier UAT-8616, describing the group as a highly sophisticated cyber threat actor. Evidence suggests that the malicious activities associated with this vulnerability date back to at least 2023.
Exploitation Techniques:
After gaining initial access through CVE-2026-20127, attackers have been observed employing the following techniques:
– Software Downgrade and Privilege Escalation: Utilizing the system’s update mechanism to downgrade software versions, thereby exposing the system to previously patched vulnerabilities.
– Exploitation of CVE-2022-20775: A high-severity privilege escalation vulnerability in the Command Line Interface (CLI) of Cisco SD-WAN Software, allowing attackers to escalate privileges to root.
– Restoration of Original Software Version: After achieving root access, attackers restore the software to its original version to evade detection.
Post-Compromise Activities:
Following successful exploitation, the threat actor has been known to:
– Create Local User Accounts: Establishing accounts that mimic legitimate users to maintain persistence.
– Modify Startup Scripts: Altering SD-WAN-related startup scripts to customize the environment for malicious activities.
– Utilize NETCONF and SSH: Connecting to and between Cisco SD-WAN appliances within the management plane to further their control.
– Evidence Removal: Clearing logs and command histories to eliminate traces of their intrusion.
Mitigation and Recommendations:
Cisco has released software updates to address CVE-2026-20127. Organizations are strongly advised to:
– Update Affected Systems: Apply the latest patches to mitigate the vulnerability.
– Audit Logs: Review the /var/log/auth.log file for entries indicating unauthorized access, such as "Accepted publickey for vmanage-admin" from unknown IP addresses.
– Verify System IPs: Cross-reference the source IP addresses in auth.log against the configured System IPs listed in the Cisco Catalyst SD-WAN Manager web UI; a successful login for vmanage-admin from an address that is not a configured System IP warrants investigation.
– Implement Security Best Practices: Follow Cisco’s Catalyst SD-WAN Hardening Guide to enhance the security posture of SD-WAN deployments.
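The two audit steps above can be combined into a simple check. The following script is an added example, not Cisco's tooling: it parses constructed auth.log lines in the sshd format the advisory quotes and reports every "Accepted publickey for vmanage-admin" login whose source IP is not in an allowlist of System IPs (the allowlist and the sample lines are assumed values, exported by hand from the Manager UI in practice).

```python
import re
from ipaddress import ip_address

# Constructed sample auth.log content (not real captured data) in the sshd
# format the advisory cites: "Accepted publickey for vmanage-admin from <IP>".
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:07 vmanage sshd[2171]: Accepted publickey for vmanage-admin from 10.10.0.5 port 51322 ssh2
Jan 12 03:15:22 vmanage sshd[2188]: Accepted publickey for vmanage-admin from 10.10.0.6 port 51340 ssh2
Jan 12 03:20:41 vmanage sshd[2201]: Accepted publickey for vmanage-admin from 198.51.100.23 port 40112 ssh2
Jan 12 03:21:02 vmanage sshd[2210]: Failed password for admin from 203.0.113.9 port 40200 ssh2
Jan 12 03:25:13 vmanage sshd[2230]: Accepted publickey for vmanage-admin from 10.10.0.5 port 51350 ssh2
"""

# Assumed allowlist: the System IPs configured in the SD-WAN Manager web UI.
KNOWN_SYSTEM_IPS = {"10.10.0.5", "10.10.0.6", "10.10.0.7"}

# Matches a successful public-key login line and captures timestamp, user, source IP.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def find_suspicious_logins(log_text, known_ips, user="vmanage-admin"):
    """Return (timestamp, user, source_ip) for accepted public-key logins of
    `user` whose source address is not one of the configured System IPs."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m or m.group("user") != user:
            continue  # not a successful login for the user of interest
        src = m.group("ip")
        try:
            ip_address(src)  # skip lines whose address field is malformed
        except ValueError:
            continue
        if src not in known_ips:
            hits.append((m.group("ts"), m.group("user"), src))
    return hits


if __name__ == "__main__":
    for ts, who, ip in find_suspicious_logins(SAMPLE_AUTH_LOG, KNOWN_SYSTEM_IPS):
        print(f"{ts}: {who} login from non-System IP {ip}")
```

On a real controller, feed the script the exported /var/log/auth.log and the current System IP list; logins that clear this check are not proof of legitimacy, only of a known source.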
Conclusion:
The exploitation of CVE-2026-20127 underscores the critical importance of timely vulnerability management and the need for organizations to remain vigilant against sophisticated cyber threats. By promptly applying patches and adhering to recommended security practices, organizations can mitigate the risks associated with this vulnerability and protect their network infrastructures.