Cisco SD-WAN Zero-Day Under Active Exploitation
KoreWealth
3/3/2026 (3 min read)
A critical zero-day vulnerability in Cisco's Catalyst SD-WAN software has been under active exploitation since at least 2023, allowing a sophisticated attacker to gain unauthorized administrative access and establish long-term persistence in affected networks. Disclosed on February 25, 2026, the flaw, tracked as CVE-2026-20127 (CVSS score: 10.0), poses a severe risk to organizations that rely on Cisco's software-defined wide area networking (SD-WAN) control plane for secure, scalable connectivity.
The disclosure has triggered urgent alerts from Cisco, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the NSA, and from international partners including the Australian Cyber Security Centre (ASD-ACSC) and other Five Eyes agencies.
What is CVE-2026-20127?
CVE-2026-20127 is an authentication bypass in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). These components form the control and management plane of a Cisco SD-WAN deployment: they handle orchestration, policy distribution, and centralized management, so trust between them is trust over the whole fabric.
The flaw stems from improper validation while trust relationships between SD-WAN components are established. An unauthenticated remote attacker who can reach the peering interface of an exposed system can exploit it by sending specially crafted requests. Successful exploitation grants login access as an internal, high-privileged (but non-root) user account, bypassing normal authentication controls entirely.
No workarounds exist; patching is the only remediation. Cisco has released fixed software for the supported release trains (the 20.9, 20.12, and 20.15 branches and later); older releases have no fix and must be migrated to a fixed release. Check the advisory for the exact fixed build for your train.
Exploitation Details and Attack Chain
Attackers exploit CVE-2026-20127 for initial access by adding a rogue peer: an attacker-controlled device that appears as a legitimate, trusted component in the SD-WAN management plane (often in VPN 512, the out-of-band management VPN). The rogue peer is assigned an IP address and can interact with other control-plane devices as though it were authorized.
Post-exploitation tactics observed include:
Downgrading the software on the compromised controller to a version vulnerable to a known local privilege escalation flaw (CVE-2022-20775, a 2022 path traversal issue that allows root access).
Exploiting CVE-2022-20775 to gain root privileges.
Reinstalling the original software version to erase the obvious signs of the downgrade.
Establishing persistence by adding SSH authorized keys for root, creating look-alike local accounts, modifying startup scripts, or simply re-exploiting the zero-day whenever an interactive session is needed.
No outbound malware or command-and-control (C2) infrastructure was observed; the attackers rely on living-off-the-land techniques within the SD-WAN environment. Lateral movement appears confined to the management plane, and no evidence of pivoting into the wider network has been publicly reported.
Cisco Talos tracks this activity cluster as UAT-8616 and describes it as a highly sophisticated threat actor. Exploitation evidence dates back to 2023; the activity went undetected for years because of stealthy tradecraft and a minimal forensic footprint.
Response from Authorities and Cisco
February 25, 2026: Cisco published security advisories for CVE-2026-20127 and related flaws in SD-WAN Manager.
CISA added both CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) catalog.
CISA issued Emergency Directive 26-03, which requires Federal Civilian Executive Branch (FCEB) agencies to inventory their SD-WAN systems, patch immediately (with deadlines as early as February 26–27, 2026), collect forensic artifacts, and hunt for compromise.
A joint Cisco SD-WAN Threat Hunt Guide (co-authored by NSA, ASD-ACSC, CISA, and others) details indicators of compromise (IOCs), detection logic (anomalous peering events, software downgrade logs, rogue SSH keys), and hardening steps such as isolating management interfaces, enforcing centralized logging, and applying network perimeter controls.
Cisco points to its SD-WAN Hardening Guide, which includes firewalling the control components, replacing self-signed certificates, and shortening session timeouts.
Why This Matters
SD-WAN deployments are widespread in enterprises, governments, and critical infrastructure, where they optimize branch connectivity, cloud access, and security. Compromising the control plane gives an attacker deep visibility into, and the ability to manipulate, traffic routing, policies, and configurations across every managed site, which can enable data exfiltration, disruption, or further footholds.
No specific victims have been named publicly, but the global scope, long duration, and sophistication of the activity point to targeting of high-value organizations. Now that patches are public, broader exploitation could follow if proof-of-concept code emerges.
Recommendations for Organizations
Immediately inventory all Cisco Catalyst SD-WAN Controller and Manager instances, whether on-premises, cloud-hosted, or managed by a provider.
Apply the fixed release for your software train without delay; check Cisco's advisory for the exact version.
Hunt for compromise using the joint Threat Hunt Guide: look for rogue peers, software downgrade and reinstall artifacts, anomalous logins, unauthorized SSH keys, and suspicious system changes.
Harden configurations: isolate management interfaces (VPN 512), forward logs to a central SIEM, enforce strict access controls, and follow Cisco's hardening recommendations.
Monitor continuously: enable detailed logging and anomaly detection for peering events, software installs, and privilege changes.
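The three artifacts the attack chain leaves behind (a downgrade followed by a reinstall of the original version, a peer that is not in the asset inventory, and a root SSH key nobody approved) are easy to triage programmatically once the events are exported. The script below is an added example, not code from Cisco or the Threat Hunt Guide. The syslog-style line format, the event names `software-install` and `peer-add`, the key=value field names, and the sample log, inventory, and `authorized_keys` content are all constructed for this example; map them onto the real Manager/Controller logs and key exports you collect for your release.

```python
"""Triage helpers for CVE-2026-20127 post-exploitation artifacts.

Added example: the log format, event names and field names are assumptions,
not Cisco's real formats. Replace the parser with one for your exported logs.
"""
import re
from datetime import datetime, timedelta

# Constructed line format: "<ISO8601 ts> <host> sdwan: <event> k=v k=v ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sdwan: (?P<event>[\w-]+)(?P<fields>(?: \S+=\S+)*)$"
)

def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split())
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "event": m["event"], **fields}

def version_key(v):
    """Compare dotted versions numerically so that 20.9.5.2 > 20.9.1."""
    return tuple(int(p) for p in v.split("."))

def find_downgrade_restore(events, window=timedelta(hours=24)):
    """Flag hosts that install a LOWER version and then reinstall the exact
    original version within `window`. That round trip is the artifact the
    attack chain leaves behind. Whether the interim version is vulnerable to
    CVE-2022-20775 must be checked against Cisco's advisory, not assumed here.
    Returns (host, interim_version, downgrade_ts, restore_ts) tuples."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "software-install":
            by_host.setdefault(e["host"], []).append(e)
    hits = []
    for host, installs in by_host.items():
        for i, down in enumerate(installs):
            if version_key(down["to"]) >= version_key(down["from"]):
                continue  # upgrade or same version: not a downgrade
            for up in installs[i + 1:]:
                if up["ts"] - down["ts"] > window:
                    break
                if up["from"] == down["to"] and up["to"] == down["from"]:
                    hits.append((host, down["to"], down["ts"], up["ts"]))
                    break
    return hits

def find_rogue_peers(events, inventory):
    """peer-add events whose system-ip is unknown, or whose name does not match
    the inventory entry for that system-ip. `inventory` maps system-ip -> name."""
    rogue = []
    for e in events:
        if e["event"] != "peer-add":
            continue
        if inventory.get(e["system-ip"]) != e["name"]:
            rogue.append((e["host"], e["system-ip"], e["name"], e.get("vpn")))
    return rogue

def find_rogue_root_keys(authorized_keys_text, approved_blobs):
    """Entries in root's authorized_keys whose key blob is not approved.
    Comments are ignored on purpose: an attacker can copy a legitimate comment.
    Assumes no whitespace inside quoted options; a real parser must handle that."""
    rogue = []
    for line in authorized_keys_text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        i = next((i for i, p in enumerate(parts)
                  if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if i is None or i + 1 >= len(parts):
            continue
        keytype, blob, comment = parts[i], parts[i + 1], " ".join(parts[i + 2:])
        if blob not in approved_blobs:
            rogue.append((keytype, blob, comment))
    return rogue

# Constructed sample data (not real logs; the key blobs are placeholders, not valid keys).
SAMPLE_LOG = """\
2025-11-03T10:00:00Z vmanage-1 sdwan: software-install from=20.9.4 to=20.9.5.2
2026-02-10T02:14:07Z vsmart-1 sdwan: software-install from=20.9.5.2 to=20.9.1
2026-02-10T02:20:31Z vsmart-1 sdwan: peer-add system-ip=10.255.0.77 name=vsmart-ops vpn=512
2026-02-10T02:41:55Z vsmart-1 sdwan: software-install from=20.9.1 to=20.9.5.2
2026-02-11T09:00:00Z vmanage-1 sdwan: peer-add system-ip=10.255.0.2 name=vsmart-1 vpn=512
"""
INVENTORY = {"10.255.0.1": "vmanage-1", "10.255.0.2": "vsmart-1"}
AUTHORIZED_KEYS = """\
# constructed root authorized_keys export
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNOWNKEYBLOBFORBACKUPHOST netops-backup
from="10.255.0.77" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIATTACKERBLOB netops-backup
"""
APPROVED_ROOT_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIKNOWNKEYBLOBFORBACKUPHOST"}

def hunt(log_text=SAMPLE_LOG, inventory=INVENTORY,
         authorized_keys=AUTHORIZED_KEYS, approved=APPROVED_ROOT_KEYS):
    """Run all three checks and return the findings in one dict."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {"downgrade_restore": find_downgrade_restore(events),
            "rogue_peers": find_rogue_peers(events, inventory),
            "rogue_root_keys": find_rogue_root_keys(authorized_keys, approved)}

if __name__ == "__main__":
    for name, findings in hunt().items():
        print(name, findings)
```

The downgrade check deliberately keys on the exact round trip (A to B, then B back to A within a day) rather than on any downgrade, which keeps legitimate rollbacks out of the alert queue; the peer check compares both the system IP and the name against inventory, because the rogue peer described above is built to look like a legitimate component; and the key check ignores comments, since the example's attacker key reuses a real comment on purpose.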
This zero-day highlights the persistent risk in network edge and management technologies. Organizations running Cisco SD-WAN should treat it as a high-priority incident response trigger: even when no indicators are immediately visible, proactive hunting is essential given the multi-year exploitation window.
For the latest updates, refer to official sources:
Cisco Security Advisory: cisco-sa-sdwan-rpa-EHchtZk
Joint Threat Hunt Guide (PDF): Available via ASD-ACSC or NSA sites.
Stay vigilant: patching alone does not suffice if the compromise occurred years ago, because the persistence mechanisms above survive an upgrade. If your organization is affected, engage incident response experts promptly.