CVE-2026-20127: Exploitation of Zero-Day Bug in Cisco Catalyst SD-WAN by UAT-8616


Cisco Talos has identified active exploitation of CVE-2026-20127, a critical authentication bypass vulnerability affecting the Cisco Catalyst SD-WAN Controller (formerly vSmart). The activity is attributed to a sophisticated threat cluster tracked as UAT-8616, with evidence of exploitation activity dating back to at least 2023.

Severity: Critical

Attack Vector And Exploitation Mechanism

The attack begins with the exploitation of CVE-2026-20127, which allows an unauthenticated remote attacker to bypass authentication by sending a specially crafted request to the SD-WAN Controller.

  • Initial Access: Success grants the attacker administrative privileges as an internal, high-privileged, non-root user.
  • Privilege Escalation: To achieve full system control, UAT-8616 performs a software version downgrade to re-introduce CVE-2022-20775.
  • Persistence Strategy: After gaining root access, the actor typically restores the system to its original software version to minimize the forensic footprint of the version change.
  • Unauthorized Peering: The actor establishes rogue control connections (peering) that may appear legitimate but originate from unrecognized IP addresses or occur outside of maintenance windows.
  • Account Manipulation: Actors create and delete malicious user accounts and frequently clear bash_history or cli-history to hide their commands.
  • Log Evasion: Investigators have observed logs that are either truncated or abnormally small (0–2 bytes), specifically affecting syslog, wtmp, and lastlog.
  • SSH Persistence: The actor adds unauthorized SSH keys to /home/root/.ssh/authorized_keys and modifies sshd_config to ensure PermitRootLogin is set to “yes”, giving the actor direct root access over SSH that survives account cleanup.

Affected Products

CVE-2026-20127 affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, regardless of device configuration.

Recommendations

  1. Cisco strongly recommends upgrading affected Cisco Catalyst SD-WAN Controller and SD-WAN Manager to a fixed software release.
  2. To temporarily mitigate the impact of this vulnerability, customers with On-Prem Deployment type can use the following guidance:
    a. Follow the guidelines in the Firewall Ports for Cisco Catalyst SD-WAN Deployments section of the Cisco Catalyst SD-WAN Getting Started Guide
    (https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/cisco-sd-wan-overlay-network-bringup.html#c_Firewall_Ports_for_Viptela_Deployments_8690.xml)
    b. Customers who host their own Cisco Catalyst SD-WAN deployment in their own data centers must secure intra-controller connectivity.
    c. Cisco recommends adding access control lists (ACLs), security group rules, and/or firewall rules that restrict traffic to port 22 (SSH) and port 830 (NETCONF over SSH) so that only known controller IPs and other known management IPs are allowed.
  3. Organizations should actively hunt for indicators of compromise (IoCs) within their logs:
    a. Audit Authentication Logs: Review /var/log/auth.log for entries showing Accepted publickey for vmanage-admin originating from unknown or unauthorized IP addresses.
    b. Verify Peering Events:
    • Manually validate all control connection peering events in the logs, especially vmanage types.
    • Cross-reference event timestamps against maintenance windows.
    • Confirm the public IP matches authorized organization infrastructure.
    • Validate that the peer system IP matches documented device assignments within your SD-WAN topology.
    • Review the peer type (vmanage, vsmart, vedge, vbond) to ensure it aligns with expected device roles in your deployment.
  4. To determine if a Cisco Catalyst SD-WAN Controller or Cisco Catalyst SD-WAN Manager has been compromised, customers should issue the request admin-tech command on all control components and open a case with the Cisco Technical Assistance Center (TAC).
  5. Cisco recommends performing threat hunting for evidence of compromise detailed in the following hunt guidance (https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf)
  6. Cisco strongly recommends that any customers who are utilizing the Cisco Catalyst SD-WAN technology follow the guidance provided in this hardening guide – https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide
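The checks in hunt step 3 and the host-level indicators listed under “Attack Vector And Exploitation Mechanism” (truncated syslog/wtmp/lastlog, unexpected keys in /home/root/.ssh/authorized_keys, PermitRootLogin yes) can be scripted against files pulled from an admin-tech bundle or a syslog collector. The following is an added example written for this page, not code from Cisco Talos, Cisco, or the ACSC hunt guide. The IP and key allowlists are hypothetical placeholders, the log lines, file sizes, key file and sshd_config are constructed sample inputs, and the sshd_config check only considers directives before the first Match block.

```python
"""
Offline hunt helpers for the UAT-8616 indicators in this advisory.
All inputs below are CONSTRUCTED sample data; the allowlists are hypothetical
and must be replaced with the documented values for your own deployment.
"""
import re
from typing import Dict, Iterable, List

# Hypothetical allowlist of management / jump-host IPs permitted to SSH to controllers.
KNOWN_ADMIN_IPS = {"10.10.0.5", "10.10.0.6"}

# Hypothetical allowlist of public-key blobs expected in root's authorized_keys.
KNOWN_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIKnownOperatorKeyPlaceholder00000000000000000"}

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# sshd's "Accepted publickey for <user> from <ip> port <n>" record in auth.log
AUTH_RE = re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def suspicious_logins(auth_lines: Iterable[str], user: str = "vmanage-admin",
                      known_ips=KNOWN_ADMIN_IPS) -> List[str]:
    """Hunt step 3a: public-key logins as vmanage-admin from IPs not on the allowlist."""
    hits = []
    for line in auth_lines:
        m = AUTH_RE.search(line)
        if m and m.group("user") == user and m.group("ip") not in known_ips:
            hits.append(line.rstrip())
    return hits


def truncated_logs(sizes: Dict[str, int], max_bytes: int = 2) -> List[str]:
    """Log-evasion indicator: log files of 0-2 bytes (syslog, wtmp, lastlog wiped)."""
    return sorted(path for path, size in sizes.items() if size <= max_bytes)


def key_blob(line: str):
    """Return the base64 blob of an authorized_keys line, skipping any options prefix."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def unknown_authorized_keys(text: str, known_blobs=KNOWN_KEY_BLOBS) -> List[str]:
    """Keys in /home/root/.ssh/authorized_keys whose blob is not on the allowlist."""
    unknown = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        blob = key_blob(line)
        if blob is None or blob not in known_blobs:
            unknown.append(line)
    return unknown


def permit_root_login_enabled(sshd_config: str) -> bool:
    """True if the effective PermitRootLogin is 'yes'. sshd honours the first
    occurrence of a directive; directives after a Match block are conditional
    and are deliberately not evaluated here."""
    for line in sshd_config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == "permitrootlogin":
            return len(parts) == 2 and parts[1].strip().lower() == "yes"
    return False  # OpenSSH default is prohibit-password


# ---- constructed sample inputs (not real telemetry) -----------------------
SAMPLE_AUTH_LOG = [
    "Feb 12 03:14:07 vsmart sshd[2211]: Accepted publickey for vmanage-admin from 10.10.0.5 port 40122 ssh2: ED25519 SHA256:aaaa",
    "Feb 12 03:41:55 vsmart sshd[2390]: Accepted publickey for vmanage-admin from 198.51.100.23 port 51532 ssh2: ED25519 SHA256:bbbb",
    "Feb 12 03:42:10 vsmart sshd[2395]: Accepted password for admin from 10.10.0.6 port 40130 ssh2",
]
SAMPLE_LOG_SIZES = {"/var/log/auth.log": 48213, "/var/log/syslog": 0,
                    "/var/log/wtmp": 2, "/var/log/lastlog": 1, "/var/log/messages": 120044}
SAMPLE_AUTHORIZED_KEYS = (
    "# operator key\n"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownOperatorKeyPlaceholder00000000000000000 ops@netops\n"
    "no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQUnknownKeyPlaceholder111111111111 root@attacker\n"
)
SAMPLE_SSHD_CONFIG = "Port 22\n#PermitRootLogin prohibit-password\nPermitRootLogin yes\nPasswordAuthentication no\n"


def run_hunt() -> Dict[str, object]:
    """Run all four checks over the constructed samples and return the findings."""
    return {
        "suspicious_logins": suspicious_logins(SAMPLE_AUTH_LOG),
        "truncated_logs": truncated_logs(SAMPLE_LOG_SIZES),
        "unknown_keys": unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS),
        "permit_root_login": permit_root_login_enabled(SAMPLE_SSHD_CONFIG),
    }


if __name__ == "__main__":
    for name, finding in run_hunt().items():
        print(f"{name}: {finding}")
```

A hit from any of the four checks is a reason to preserve the box, collect request admin-tech output, and open a TAC case rather than remediate in place; note that the truncated-log check is only meaningful if the sizes are read before any log rotation or reboot overwrites the evidence.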

Source:

  • https://blog.talosintelligence.com/uat-8616-sd-wan/
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
  • https://www.ncsc.gov.uk/news/exploitation-cisco-catalyst-sd-wans
  • https://nvd.nist.gov/vuln/detail/cve-2022-20775


Ampcus Cyber