Cisco warns of critical SD-WAN security flaw which has been open since 2023


  • Cisco Catalyst SD-WAN zero-day (CVE-2026-20127) being exploited since 2023
  • Flaw allowed attackers to add rogue peers and manipulate network configs
  • CISA added bug to KEV catalog, ordering urgent patching; linked to threat group UAT-8616

“Highly sophisticated” threat actors have reportedly been exploiting a zero-day vulnerability in Cisco Catalyst SD-WAN for over two years, the company has revealed.

Cisco’s cybersecurity arm, Talos, released a new report saying it observed a critical authentication vulnerability being actively exploited by crooks that used it to compromise controllers and add malicious rogue peers to target networks.

The vulnerability is now tracked as CVE-2026-20127 and carries the maximum severity score of 10/10 (critical).

CISA adds it to KEV

The National Vulnerability Database (NVD) says the bug exists “because the peering authentication mechanism in an affected system is not working properly”, allowing malicious actors to send crafted requests to exploit it.

“A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric,” it explained.

The Talos report claims a group tracked as UAT-8616 was the one abusing it, since at least 2023. The attacks apparently started by downgrading the SD-WAN solution to an older, vulnerable version, and then using it to gain root access. After breaking in, the crooks would restore the original firmware version to cover their tracks.
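The downgrade, exploit, then restore-the-firmware sequence described above is exactly the kind of pattern a defender can look for in their own version inventory, even without knowing the actor's tooling. The script below is an added example written for this page, not Talos or Cisco code: it walks a series of software-version observations per controller, flags any drop in version that is followed by a return to the previous version within a time window, and separately diffs a peer list against a known baseline to surface newly added peers. The record format, hostnames, version strings and peer addresses are all constructed for the example and are not real Cisco telemetry or affected-version numbers.

```python
"""Detect a downgrade-then-restore version pattern and unexpected new peers.

Example code added to this article (not Cisco's or Talos's). The observation
format and all sample values below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class VersionObservation:
    ts: int        # time of the inventory snapshot, epoch seconds (constructed)
    device: str    # controller hostname (constructed)
    version: str   # dotted software version string (constructed)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '20.12.4' into (20, 12, 4) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def find_downgrade_restore(obs: List[VersionObservation],
                           max_gap_s: int = 86400) -> List[Tuple[str, int, int, str]]:
    """Return (device, downgrade_ts, restore_ts, low_version) for each device
    whose version drops and then climbs back to at least the prior version
    within max_gap_s seconds of the downgrade.

    A downgrade that is never reversed is a separate (and more obvious)
    condition, so it is deliberately not reported here.
    """
    by_dev: Dict[str, List[VersionObservation]] = {}
    for o in sorted(obs, key=lambda o: o.ts):
        by_dev.setdefault(o.device, []).append(o)

    hits: List[Tuple[str, int, int, str]] = []
    for dev, seq in by_dev.items():
        for i in range(1, len(seq)):
            prev, cur = seq[i - 1], seq[i]
            if parse_version(cur.version) >= parse_version(prev.version):
                continue  # not a downgrade
            # Downgrade seen: look for a return to the prior version soon after.
            for later in seq[i + 1:]:
                if later.ts - cur.ts > max_gap_s:
                    break  # outside the window; treat as a plain downgrade
                if parse_version(later.version) >= parse_version(prev.version):
                    hits.append((dev, cur.ts, later.ts, cur.version))
                    break
    return hits


def find_new_peers(baseline: Set[str], current: Set[str]) -> List[str]:
    """Peers present in the current peer list but absent from the baseline."""
    return sorted(current - baseline)


# Constructed sample inventory: ctrl-01 shows the downgrade/restore pattern,
# ctrl-02 never changes, ctrl-03 is downgraded but only restored days later.
SAMPLE_OBS = [
    VersionObservation(0, "sdwan-ctrl-01", "20.12.4"),
    VersionObservation(1000, "sdwan-ctrl-01", "20.9.1"),
    VersionObservation(1600, "sdwan-ctrl-01", "20.12.4"),
    VersionObservation(0, "sdwan-ctrl-02", "20.12.4"),
    VersionObservation(1000, "sdwan-ctrl-02", "20.12.4"),
    VersionObservation(0, "sdwan-ctrl-03", "20.12.4"),
    VersionObservation(1000, "sdwan-ctrl-03", "20.9.1"),
    VersionObservation(200000, "sdwan-ctrl-03", "20.12.4"),
]

# Constructed peer lists using documentation address ranges.
BASELINE_PEERS = {"10.0.0.1", "10.0.0.2"}
CURRENT_PEERS = {"10.0.0.1", "10.0.0.2", "203.0.113.7"}


if __name__ == "__main__":
    for dev, down_ts, up_ts, low in find_downgrade_restore(SAMPLE_OBS):
        print(f"{dev}: downgraded to {low} at t={down_ts}, restored at t={up_ts}")
    for peer in find_new_peers(BASELINE_PEERS, CURRENT_PEERS):
        print(f"peer not in baseline: {peer}")
```

The window parameter matters: the actor's whole cycle could complete between two scheduled inventory runs, so snapshots taken more often than the window (or an event feed rather than polling) are what make this check useful. Peer-list diffs are only as good as the baseline, so the baseline should come from change management, not from the controller's current state.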

On Wednesday, the US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its KEV catalog, confirming reports of in-the-wild abuse, and giving Federal Civilian Executive Branch (FCEB) agencies just two days to patch up or stop using the product entirely. Usually, CISA gives FCEB agencies three weeks to respond, but in this case, it was said the bug poses a major threat.

UAT-8616 appears to be a newly named threat cluster, since there is no separate public record of this actor being tied to previous, distinct attacks under the same name.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
