Since at least 2023, sophisticated threat actors have been actively exploiting a critical zero-day vulnerability in Cisco's Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) to bypass authentication and take control at the root level.

Vulnerability Overview

This vulnerability, tracked as CVE-2026-20127 (Advisory ID: cisco-sa-sdwan-rpa-EHchtZk), is caused by improper peering authentication (CWE-287).

An unauthenticated remote attacker can send crafted requests to bypass these controls and log in as a high-privileged, non-root internal user. Attackers then use NETCONF to change SD-WAN fabric settings, which can either establish persistence or cause network disruptions. According to Cisco Talos, an advanced threat actor targeting network edge devices, tracked as "UAT-8616", is most likely responsible for the exploitation.

Evidence indicates that the activity began in 2023 and predates the February 25, 2026, public disclosure (Version 1.0, Final).

CVE ID: CVE-2026-20127
CVSS 3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Products Affected: Cisco Catalyst SD-WAN Controller (vSmart), Catalyst SD-WAN Manager (vManage)
Cisco Bug ID: CSCws52722

Following the initial bypass via CVE-2026-20127, UAT-8616 performs a software version downgrade to escalate privileges, exploits CVE-2022-20775 to gain root access, and then reverts to the original version to avoid detection. Intelligence partners, including the ACSC, confirmed persistent footholds in critical infrastructure (CI) sectors and described the activity in a hunt guide.

This is consistent with the broader trend of targeting edge devices, where actors establish long-term access for command-and-control (C2), lateral movement, or data exfiltration. Talos notes unauthorized peering connections, often from unusual IP addresses or at odd times, as a hallmark of the activity.

Indicators of Compromise (IOCs)

Look for these warning signs in Cisco SD-WAN logs:
- Peering events for unauthorized control connections, particularly those claiming the vManage type.
- Peering from inconsistent device types or unidentified IP addresses.
- Unexpected software version changes or traces of CVE-2022-20775 exploitation.
- Unusual changes to the fabric configuration or NETCONF access.

Even seemingly legitimate peering needs manual validation; normal-looking events can conceal a compromise. Rated 10.0 on CVSS, exploitation grants scope-changing administrative control over SD-WAN overlays, affecting segmentation, routing, and VPNs. The resulting supply chain risk exposes high-value targets such as CI to espionage or ransomware deployment.
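As an added example (not from the article, Talos, or Cisco), the following Python script applies two of the hunt heuristics above to constructed log lines: peering events that claim the vManage role from an address not on an allowlist, and a software downgrade that is reverted shortly afterwards. The log syntax, the allowlist, and the sample addresses and versions are assumptions; map the regexes to the format of your own exported logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified, hypothetical format.
# They are NOT Cisco's real syslog schema; adapt the regexes to your exports.
SAMPLE_LOGS = [
    "2023-11-02T03:14:07Z vsmart1 peering: control-connection up peer-type vmanage peer-ip 10.1.1.5",
    "2023-11-02T03:14:09Z vsmart1 peering: control-connection up peer-type vmanage peer-ip 198.51.100.23",
    "2023-11-02T03:15:30Z vsmart1 software: active-version changed 20.9.4 -> 20.6.1",
    "2023-11-02T03:22:11Z vsmart1 software: active-version changed 20.6.1 -> 20.9.4",
    "2023-11-03T09:00:00Z vsmart1 peering: control-connection up peer-type vedge peer-ip 10.1.2.7",
]
KNOWN_MANAGERS = {"10.1.1.5"}  # constructed allowlist of legitimate vManage addresses

PEER_RE = re.compile(r"^(\S+) \S+ peering: control-connection up peer-type (\S+) peer-ip (\S+)$")
VER_RE = re.compile(r"^(\S+) \S+ software: active-version changed (\S+) -> (\S+)$")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _ver(s):
    # Turn "20.9.4" into (20, 9, 4) so versions compare numerically, not lexically.
    return tuple(int(p) for p in s.split("."))

def unknown_manager_peers(lines, allowlist):
    """Peering events claiming the vManage role from an address not on the allowlist."""
    hits = []
    for line in lines:
        m = PEER_RE.match(line)
        if m and m.group(2) == "vmanage" and m.group(3) not in allowlist:
            hits.append((m.group(1), m.group(3)))
    return hits

def downgrade_then_revert(lines, window=timedelta(hours=1)):
    """A downgrade followed by a return to the original version within the window."""
    changes = [(_ts(m.group(1)), m.group(2), m.group(3)) for m in map(VER_RE.match, lines) if m]
    hits = []
    for i, (t0, old, new) in enumerate(changes):
        if _ver(new) >= _ver(old):
            continue  # an upgrade or no-op, not the downgrade step we are hunting for
        for t1, old2, new2 in changes[i + 1:]:
            if t1 - t0 <= window and old2 == new and new2 == old:
                hits.append((t0.isoformat(), old, new, t1.isoformat()))
    return hits

if __name__ == "__main__":
    print("unknown vManage peers:", unknown_manager_peers(SAMPLE_LOGS, KNOWN_MANAGERS))
    print("downgrade/revert pairs:", downgrade_then_revert(SAMPLE_LOGS))
```

Both checks are deliberately noisy by design; every hit still needs the manual validation the article calls for before it is treated as a confirmed compromise.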

Cisco's patches address the root cause; there are no workarounds.

Apply Patches: Upgrade to the fixed releases right away, following Cisco's advisory. Consult TAC support if needed.
Audit Logs: Use the ACSC Hunt Guide to look for UAT-8616 patterns and review peering events going back to 2023.
Network Segmentation: Isolate controllers and enforce strict peering verification.
Monitoring Improvements: Implement SIEM rules for software version changes and unusual authentication events.
Incident Response: If compromised, rotate credentials, isolate affected systems, and conduct forensic analysis.

Talos emphasizes proactive hunting and advises SD-WAN users to prioritize these actions. Businesses running Cisco SD-WAN need to respond quickly to the growing threat to edge devices. This zero-day underlines the necessity of ongoing vulnerability management in enterprise networks.