A critical zero-day vulnerability in Cisco's Catalyst SD-WAN Controller has been exploited in the wild for "at least three years," the company disclosed today. The vulnerability has a maximum CVSS score of 10 and is identified as an authentication bypass flaw (CVE-2026-20127).
According to Cisco's security advisory, an attacker can log into the controllers as an internal, high-privileged, non-root user and send specially constructed requests to susceptible systems. Cisco issued a warning about "limited exploitation" in the wild when it revealed the zero-day. The same day, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal civilian executive branch (FCEB) agencies to patch CVE-2026-20127 by Friday. The directive also calls for agencies to patch an older Catalyst SD-WAN vulnerability known as CVE-2022-20775.
CISA usually gives FCEB agencies two weeks to fix vulnerabilities that have been exploited in the wild, but it occasionally issues emergency directives with shorter timeframes to fix defects that put the government at greater risk.

## Addressing CVE-2026-20127

The exploitation activity of CVE-2026-20127 was emphasized by Cisco Talos as a component of a broader trend of threat actor behavior in the past few years. The attempted exploitation of UAT-8616, according to the blog post, "indicates a continuing trend of cyber threat actors targeting network edge devices looking to establish persistent footholds into high-value organizations including Critical Infrastructure (CI) sectors."
Cisco urged customers to limit access to the instances from unprotected networks, such as the public Internet, and to update their Catalyst SD-WAN Controllers to a fixed version as soon as possible. "Cisco Catalyst SD-WAN Controller systems that are exposed to the Internet and that have ports exposed to the Internet are at risk of exposure to compromise," the networking giant said. Cisco also advised businesses to change the default administrator password to a more secure one and to disable HTTP access for the Catalyst SD-WAN Manager web UI administrator portal.












