0-Day Vulnerability in Cisco SD-WAN

Threat actors have been exploiting a serious zero-day vulnerability in Cisco's Catalyst SD-WAN products since 2023 to gain root access and bypass authentication. The vulnerability, tracked as CVE-2026-20127, affects core networking components and requires immediate patching in the face of ongoing attacks.
CVE-2026-20127 stems from a flaw in the peering authentication mechanism of Cisco Catalyst SD-WAN Manager (formerly vManage) and Cisco Catalyst SD-WAN Controller (formerly vSmart). An unauthenticated remote attacker can send specially crafted requests to bypass authentication checks and log in as a high-privileged, non-root internal user account. This access permits NETCONF manipulation, which allows changes to the network configuration of the entire SD-WAN fabric, such as adding rogue peers or altering routing.
With a network attack vector, low complexity, no privileges required and no user interaction, the vulnerability carries a CVSS v3.1 base score of 10.0 (Critical). It affects Cisco-hosted SD-WAN Cloud environments (standard, managed and FedRAMP) as well as on-premises deployments. Cisco released patches on February 25, 2026, but confirmed that no workarounds exist.
Timeline of Exploitation

After detecting zero-day use in the wild, Cisco Talos determined that active exploitation has been underway since at least 2023. Talos tracks the campaign as UAT-8616 and links it to post-compromise persistence in high-value targets, including critical infrastructure. To obtain long-term network access, attackers modified configurations to add malicious rogue peers. Actors reportedly downgraded software versions to exploit a path-traversal vulnerability, CVE-2022-20775, for root escalation, then restored the original versions to avoid detection.
This chain demonstrates advanced tradecraft aimed at gaining footholds on network edge devices. Intelligence partners have reported incidents confirming the compromise of internet-exposed management and control planes. Cisco Talos attributes the attacks with high confidence to UAT-8616, a sophisticated actor.
The group continues the trend of edge-device targeting by concentrating on SD-WAN for persistent access in critical sectors. Although no detailed public IOCs are available yet, partner hunt guides stress verifying peer configurations and version histories.

Product                       Affected versions             Fixed versions
SD-WAN Manager (vManage)      20.3.1 – 20.14.3, 20.15.1     20.14.4, 20.15.2
SD-WAN Controller (vSmart)    20.3.1 – 20.14.3, 20.15.1     20.14.4, 20.15.2

Verification includes inventorying exposed ports and looking for irregularities in NETCONF logs. Temporary mitigations include restricting management-plane access and watching for unauthorized peers.
On February 25, 2026, CISA added CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities Catalog. Emergency Directive 26-03 requires FCEB agencies to inventory SD-WAN systems, patch them within 21 days, and look for signs of compromise. Parallel alerts from the Canadian Cyber Centre and the Australian Cyber Security Centre noted real-world rogue-peer additions.
Steps for Mitigation

Apply the Cisco patches from the advisory immediately. Inventory every SD-WAN deployment, paying particular attention to internet-exposed controllers. Check for rogue peers from the CLI by reviewing NETCONF sessions and running "show sdwan omp peers". Enable logging for version changes and authentication failures, and reset any compromised configurations that are found.
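The inventory, rogue-peer and version-history checks above can be scripted. The following is an added example, not code from the original article, Cisco or Talos: it uses only the version table and the behaviours the article states (affected 20.3.1 through 20.14.3 plus 20.15.1, fixed 20.14.4 and 20.15.2; rogue peers added to the fabric; a downgrade followed by a restore of the original build). The inventory records, peer lists and version-change events are constructed sample data, and their field names are this example's own assumptions rather than any Cisco export format.

```python
"""Added example, not from the original article, Cisco or Talos: a small triage
helper built only from facts the article states. It classifies SD-WAN Manager and
Controller builds against the published affected/fixed versions, flags OMP peers
missing from an expected-peer inventory, and spots the downgrade-then-restore
pattern Talos describes. All hostnames, addresses and events below are constructed."""

# Version table from the advisory summary (identical for Manager and Controller):
# affected 20.3.1 through 20.14.3 and 20.15.1; fixed 20.14.4 and 20.15.2.
AFFECTED_RANGE = ("20.3.1", "20.14.3")
AFFECTED_EXACT = {"20.15.1"}
FIXED = {"20.14.4", "20.15.2"}


def parse_version(text):
    """Turn '20.14.3' into (20, 14, 3) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def classify_version(version):
    """Return 'fixed', 'affected' or 'not listed' for one Manager/Controller build."""
    if version in FIXED:
        return "fixed"
    if version in AFFECTED_EXACT:
        return "affected"
    low, high = (parse_version(bound) for bound in AFFECTED_RANGE)
    if low <= parse_version(version) <= high:
        return "affected"
    return "not listed"  # outside the published table: confirm against the advisory


def find_rogue_peers(observed_peers, expected_peers):
    """Peers present on the controller but absent from the inventory are candidate
    rogue peers of the kind the article describes; sorted for stable reporting."""
    return sorted(set(observed_peers) - set(expected_peers))


def find_downgrade_restores(version_events):
    """version_events: (timestamp, old_version, new_version) tuples from the
    version-change log. Returns (downgrade_time, restore_time, original_version)
    for every downgrade that was later reverted to the pre-downgrade build."""
    findings = []
    pending = []  # downgrades not yet followed by a restore
    for when, old, new in sorted(version_events):
        if parse_version(new) < parse_version(old):
            pending.append((when, old))
            continue
        still_pending = []
        for down_time, original in pending:
            if new == original:
                findings.append((down_time, when, original))
            else:
                still_pending.append((down_time, original))
        pending = still_pending
    return findings


# Constructed sample data: hypothetical hosts and addresses, not real deployments.
SAMPLE_INVENTORY = [
    {"host": "sdwan-mgr-01", "role": "SD-WAN Manager", "version": "20.12.4", "internet_exposed": True},
    {"host": "sdwan-ctl-01", "role": "SD-WAN Controller", "version": "20.15.1", "internet_exposed": False},
    {"host": "sdwan-ctl-02", "role": "SD-WAN Controller", "version": "20.15.2", "internet_exposed": False},
]
EXPECTED_PEERS = {"10.1.0.1", "10.1.0.2"}
OBSERVED_PEERS = ["10.1.0.1", "10.1.0.2", "192.0.2.77"]  # last entry is the constructed rogue
VERSION_EVENTS = [
    ("2025-11-03T02:10:00", "20.12.4", "20.9.1"),  # downgrade
    ("2025-11-03T02:55:00", "20.9.1", "20.12.4"),  # restore to hide the change
]


def triage(inventory=SAMPLE_INVENTORY, observed=OBSERVED_PEERS,
           expected=EXPECTED_PEERS, events=VERSION_EVENTS):
    """Combine the three checks into one report; internet-exposed affected nodes go first."""
    affected = [n["host"] for n in inventory if classify_version(n["version"]) == "affected"]
    patch_first = [n["host"] for n in inventory
                   if n["internet_exposed"] and classify_version(n["version"]) == "affected"]
    return {
        "patch_first": patch_first,
        "affected": affected,
        "rogue_peers": find_rogue_peers(observed, expected),
        "downgrade_restore": find_downgrade_restores(events),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run against real data, the inventory would come from your own asset register, the observed peers from the controller CLI output, and the version events from the change log the mitigation steps ask you to enable; the downgrade-restore check is the one most likely to surface the persistence technique, because a host that is back on its original build looks clean on a version check alone.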
For assistance, contact Cisco TAC and follow the Talos hunt guidance. Since UAT-8616 aims for long-term persistence, critical-infrastructure organizations should prioritize these checks.
Broader adoption of zero-trust for edge devices counters such trends.