PROBABLYPWNED
Vulnerabilities | February 25, 2026 | 4 min read

Cisco SD-WAN Zero-Day Exploited Since 2023 Prompts CISA Alert

CVE-2026-20127 gives attackers full admin access to Cisco SD-WAN infrastructure. CISA emergency directive requires federal patches by Feb 27.

Marcus Chen

A critical authentication bypass vulnerability in Cisco Catalyst SD-WAN has been exploited by a sophisticated threat actor for roughly three years before public disclosure. CVE-2026-20127 carries a maximum CVSS score of 10.0 and allows unauthenticated remote attackers to gain administrative privileges on affected systems.

The flaw affects Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in both on-premises and cloud deployments. CISA issued Emergency Directive 26-03 today, giving Federal Civilian Executive Branch agencies until 5:00 PM ET on February 27 to apply patches—one of the shortest remediation windows the agency has ever mandated.

How the Attack Works

According to Cisco's security advisory, the vulnerability exists in the peering authentication mechanism of affected systems. An attacker can exploit it by sending crafted requests to a vulnerable SD-WAN controller, bypassing authentication entirely to log in as a high-privileged internal user account.

From there, the attacker gains access to NETCONF, which controls the entire SD-WAN fabric's network configuration. This means they can add rogue peers, manipulate routing, and establish persistent access across an organization's distributed network infrastructure.

Cisco Talos tracks the threat actor behind these attacks as UAT-8616. Their technical analysis reveals that attackers didn't stop at the initial compromise. After gaining access through CVE-2026-20127, they downgraded the software version to exploit an older vulnerability—CVE-2022-20775, a path traversal flaw—to escalate to root privileges. They then restored the original firmware to cover their tracks.

This technique mirrors what we've seen from other advanced threat actors tracked by Talos, including UAT-9921's campaigns against tech and finance sectors last month. The operational sophistication suggests either nation-state backing or a well-resourced criminal group.

Three Years in the Wild

The Australian Signals Directorate and the Australian Cyber Security Centre discovered the vulnerability and disclosed it to Cisco. Talos telemetry indicates exploitation dates back to at least 2023, meaning attackers had roughly three years of access before any public disclosure.

The targets align with critical infrastructure—organizations running SD-WAN deployments to connect distributed sites, branch offices, and cloud resources. SD-WAN controllers sit at a critical chokepoint in enterprise networks, making them high-value targets for espionage and pre-positioning operations.

CISA didn't mince words in its guidance: the exploitation "poses an imminent threat to federal networks."

Detection and Indicators

Organizations should hunt for these signs of compromise:

  • Unauthorized peering events in SD-WAN controller logs
  • Unexpected user account creation or deletion
  • Unaccounted SSH keys in /home/root/.ssh/authorized_keys
  • Log truncation or clearing (syslog, wtmp, lastlog, bash_history)
  • Path traversal artifacts containing /../../ or /\n&../\n&../

The indicators suggest attackers are actively cleaning up after themselves, which makes historical detection difficult without external log storage.
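The indicator list above is the kind of thing that is easy to read and tedious to apply by hand across a fleet of controllers. The script below is an added illustration (not Cisco or CISA tooling) of how a responder might hunt for four of those indicators in artifacts pulled to external storage: the two path traversal strings, useradd/userdel events, authorized_keys entries that are not in an approved inventory, and suspicious silent stretches in syslog that a log clearing would leave behind. All sample data is constructed; the useradd/userdel and syslog line shapes follow standard Linux conventions, while the request log format and the approved-key inventory are assumptions for the example.

```python
"""Hunt for the article's indicators in exported controller artifacts.

Added illustration, not Cisco or CISA tooling. Every sample below is
constructed; syslog and shadow-utils line shapes are standard Linux, the
request log and the approved-key inventory are assumed formats.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# The two path traversal artifacts named in the indicator list. The second
# one carries literal newlines followed by '&' between the '../' segments.
TRAVERSAL_PATTERNS = (
    re.compile(r"/\.\./\.\./"),
    re.compile(r"/\n&\.\./\n&\.\./"),
)
# Standard shadow-utils messages for account creation and deletion.
ACCOUNT_EVENT = re.compile(
    r"\b(useradd|userdel)\[\d+\]: (?:new user: name=([^,]+),|delete user '([^']+)')"
)
SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def find_traversal(text: str) -> list[Finding]:
    """Flag every occurrence of either traversal artifact in request text."""
    return [Finding("path-traversal", repr(m.group(0)))
            for pat in TRAVERSAL_PATTERNS for m in pat.finditer(text)]


def find_account_changes(lines: list[str]) -> list[Finding]:
    """Surface account creation/deletion; a create-use-delete sequence stands
    out on a controller where accounts are not normally churned."""
    out = []
    for line in lines:
        m = ACCOUNT_EVENT.search(line)
        if m:
            out.append(Finding("account-change", f"{m.group(1)} {m.group(2) or m.group(3)}"))
    return out


def unaccounted_keys(authorized_keys: str, approved_blobs: set[str]) -> list[Finding]:
    """Compare each authorized_keys entry with an approved inventory, matching
    on the key blob so that copying a legitimate comment hides nothing."""
    out = []
    for raw in authorized_keys.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # An options field may precede the key type, so locate the type token.
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            out.append(Finding("ssh-key", f"unparseable entry: {line[:40]}"))
            continue
        key_type, blob = parts[idx], parts[idx + 1]
        if blob not in approved_blobs:
            comment = " ".join(parts[idx + 2:]) or "<no comment>"
            out.append(Finding("ssh-key", f"unapproved {key_type} key ({comment})"))
    return out


def find_log_gaps(lines: list[str], year: int,
                  max_gap: timedelta = timedelta(hours=6)) -> list[Finding]:
    """Flag silent stretches longer than max_gap: a cleared log leaves a jump
    from the last surviving entry to the first one written after cleanup."""
    out, prev = [], None
    for line in lines:
        m = SYSLOG_TS.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if prev is not None and ts - prev > max_gap:
            out.append(Finding("log-gap", f"{prev:%b %d %H:%M} -> {ts:%b %d %H:%M}"))
        prev = ts
    return out


# ---- constructed sample artifacts (not real telemetry) ----
SAMPLE_SYSLOG = [
    "Feb 10 02:14:07 sdwan-mgr useradd[2210]: new user: name=svc-backup, UID=1002, GID=1002, home=/home/svc-backup, shell=/bin/bash",
    "Feb 10 02:15:30 sdwan-mgr sshd[2250]: Accepted publickey for svc-backup from 203.0.113.7 port 51542",
    "Feb 10 02:16:01 sdwan-mgr userdel[2231]: delete user 'svc-backup'",
    "Feb 11 09:40:12 sdwan-mgr sshd[3100]: Accepted password for admin from 198.51.100.20 port 40022",
]
SAMPLE_REQUESTS = ("GET /files/../../etc/passwd HTTP/1.1\n"
                   "GET /files/\n&../\n&../etc/passwd HTTP/1.1\n")
APPROVED_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIFakeApprovedKeyBlob000000000000000000000000"}
SAMPLE_AUTH_KEYS = """\
# managed by ops
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeApprovedKeyBlob000000000000000000000000 ops@jump
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeUnknownKeyBlob1111111111111111111111111 ops@jump
"""


def hunt() -> dict[str, list[Finding]]:
    """Run all four checks over the sample artifacts, grouped by category."""
    findings = (find_traversal(SAMPLE_REQUESTS)
                + find_account_changes(SAMPLE_SYSLOG)
                + unaccounted_keys(SAMPLE_AUTH_KEYS, APPROVED_BLOBS)
                + find_log_gaps(SAMPLE_SYSLOG, year=2026))
    grouped: dict[str, list[Finding]] = {}
    for f in findings:
        grouped.setdefault(f.category, []).append(f)
    return grouped


if __name__ == "__main__":
    for category, items in hunt().items():
        for f in items:
            print(f"[{category}] {f.detail}")
```

The log-gap check is deliberately crude: it only sees gaps between entries that survived, so it is a reason to pull the copy held in external storage and compare, not a verdict on its own. That is the practical point of the article's observation that historical detection is hard without logs the attacker could not reach.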

Remediation Requirements

CISA's emergency directive outlines a compressed timeline that reflects the severity. Federal agencies must:

By February 26 (11:59 PM ET):

  • Complete a system inventory
  • Configure external log storage
  • Collect forensic artifacts including admin core dumps and /home directories

By February 27 (5:00 PM ET):

  • Apply Cisco's patches for CVE-2026-20127 and CVE-2022-20775

By March 5:

  • Submit detailed inventory and artifact collection results

By March 12:

  • Complete network hardening measures per Cisco's guidelines

This builds on CISA's broader push to address network edge device risks. The agency's Binding Operational Directive 26-02 from earlier this month already required agencies to inventory and replace end-of-life edge equipment—a directive that looks increasingly prescient given today's disclosure.

Why This Matters

SD-WAN adoption has exploded over the past five years as organizations moved away from expensive MPLS links toward software-defined networking. Cisco commands a significant share of this market, particularly in federal government and critical infrastructure sectors.

A CVSS 10.0 vulnerability with three years of confirmed exploitation in these environments isn't just a patch-and-forget situation. Organizations need to assume compromise and hunt backward through their logs—or accept that the logs may have been tampered with.

For private sector organizations running Cisco Catalyst SD-WAN, the same urgency applies. No workarounds exist for CVE-2026-20127. The only remediation is patching, and given the sophistication of the attackers involved, the window for safe operation is already closed.

Check Cisco's security advisory for the specific fixed software versions and upgrade paths for your deployment. If you're running SD-WAN in any critical environment, treat this as a drop-everything priority.
