Cisco Patches Catalyst SD-WAN Zero-Day Exploited by Highly Sophisticated Hackers
Cisco on Wednesday rolled out emergency patches for a critical Catalyst SD-WAN zero-day vulnerability that has been exploited in the wild.
Tracked as CVE-2026-20127 (CVSS score of 10/10), the flaw can be exploited remotely to bypass authentication and obtain administrative privileges on a vulnerable device.
The issue affects the peering authentication mechanism of Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Catalyst SD-WAN Manager (formerly SD-WAN vManage), allowing unauthenticated, remote attackers to bypass authentication by sending crafted requests.
Successful exploitation results in the attacker logging in as “an internal, high-privileged, non-root user account”, Cisco explains in its advisory.
“Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric,” the company notes.
The security defect was addressed with the release of Cisco Catalyst SD-WAN versions 20.12.5.3, 20.12.6.1, 20.15.4.2, and 20.18.2.1. Patches will also be included in version 20.9.8.2, expected to be released on Friday.
Cisco says it is aware of limited exploitation of the vulnerability and has released indicators of compromise (IoCs) to help organizations hunt for malicious activity targeting internet-exposed Catalyst SD-WAN systems.
On Wednesday, the US cybersecurity agency CISA added the zero-day and an older Cisco Catalyst SD-WAN bug, CVE-2022-20775, to its Known Exploited Vulnerabilities (KEV) catalog and issued Emergency Directive 26-03, urging federal agencies to patch both within two days.
CVE-2022-20775, disclosed in September 2022, is a high-severity path traversal issue that allows an authenticated attacker to execute arbitrary commands with root privileges.
CISA and peer agencies in Five Eyes countries say that threat actors have chained the two flaws to bypass authentication, escalate privileges, and establish persistence on Catalyst SD-WAN systems.
The attacks were attributed by Cisco Talos to UAT-8616, a “highly sophisticated cyber threat actor” that has been active since at least 2023. After adding an administrative account to vulnerable systems, the adversary downgraded the software to a version vulnerable to CVE-2022-20775 and achieved persistence as root, the Five Eyes agencies explain.
Talos has not linked the attack to a known threat group or a specific country, but it recently warned about a China-nexus group identified as UAT-9686 exploiting a Cisco product zero-day tracked as CVE-2025-20393.
ED 26-03 mandates that all in-scope agencies immediately inventory Catalyst SD-WAN systems and ensure they store logs externally, collect specific artefacts, and update them to patched software releases.
On Wednesday, Cisco also announced fixes for five Catalyst SD-WAN Manager flaws, including a critical-severity authentication bypass impacting the API user authentication mechanism, and for nine high- and medium-severity bugs in other products, but said it was not aware of any of them being exploited in the wild.
This article was published by Security Week.