    Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023

By admin, February 26, 2026
Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add rogue peers to targeted networks.

CVE-2026-20127 carries the maximum CVSS score of 10.0 and impacts Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-prem and SD-WAN Cloud installations.

    Cisco credited the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) for reporting the vulnerability.

    In an advisory published today, Cisco said the issue stems from a peering authentication mechanism that “is not working properly.”

    “This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system,” reads the Cisco CVE-2026-20127 advisory.

    “A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”

    Cisco Catalyst SD-WAN is a software-based networking platform that connects branch offices, data centers, and cloud environments through a centrally managed system. It uses a controller to securely route traffic between sites over encrypted connections.

    By adding a rogue peer, an attacker can insert a malicious device into the SD-WAN environment that appears legitimate. That device could then establish encrypted connections and advertise networks under the attacker’s control, potentially allowing them to move deeper into the organization’s network.

In a separate advisory, Cisco Talos confirms the flaw was actively exploited in attacks and says it is tracking the malicious activity as "UAT-8616," which it assesses with high confidence was conducted by a highly sophisticated threat actor.

Talos reports that its telemetry shows exploitation dating back to at least 2023, with intelligence partners stating the threat actor likely escalated to root by downgrading the controller to an older software version, exploiting CVE-2022-20775 to gain root access, and then restoring the original software version.

    By reverting to the original version after exploitation, the attacker could obtain root access while evading detection.

    The exploitation was disclosed in coordinated advisories between Cisco and the U.S. and UK authorities.

    On February 25, 2026, CISA issued Emergency Directive 26-03 requiring Federal Civilian Executive Branch agencies to inventory Cisco SD-WAN systems, collect forensic artifacts, ensure external log storage, apply updates, and investigate potential compromises tied to CVE-2026-20127 and CVE-2022-20775.

    CISA said the exploitation poses an imminent threat to federal networks and that devices must be patched by 5:00 PM ET on February 27, 2026.

    A joint hunt and hardening guide from CISA and the UK’s National Cyber Security Centre warned that malicious actors are targeting Cisco Catalyst SD-WAN deployments globally to add rogue peers, then conduct follow-on actions to achieve root access and maintain persistent control.

The advisories stress that SD-WAN management interfaces must never be exposed to the internet and urge organizations to immediately update and harden affected systems.

    “Our new alert makes clear that organisations using Cisco Catalyst SD-WAN products should urgently investigate their exposure to network compromise and hunt for malicious activity, making use of the new threat hunting advice produced with our international partners to identify evidence of compromise,” said Ollie Whitehouse, NCSC CTO, in a statement shared with BleepingComputer.

    “UK organisations are strongly advised to report compromises to the NCSC, and to apply vendor updates and hardening guidance as soon as practicable to reduce the risk of exploitation.”

    Cisco has released software updates to address the vulnerability and says there are no workarounds that fully mitigate the issue.

    Indicators of compromise

    Cisco and Talos are urging organizations to carefully review logs on any internet-exposed Catalyst SD-WAN Controller systems for signs of unauthorized peering events and suspicious authentication activity.

    The company recommends admins audit /var/log/auth.log for entries showing “Accepted publickey for vmanage-admin” from unknown IP addresses:

    
    2026-02-10T22:51:36+00:00 vm  sshd[804]: Accepted publickey for vmanage-admin from  port [REDACTED PORT] ssh2: RSA SHA256:[REDACTED KEY]

    Administrators should compare those IP addresses against the configured System IPs listed in the SD-WAN Manager interface and against known management or controller infrastructure. If an unknown IP address successfully authenticated, administrators should consider their devices to be compromised and open a Cisco TAC case.
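The check above (pull every successful sshd login for the vmanage-admin account out of auth.log, then compare the source address against the Manager and controller System IPs) is easy to get wrong by eye on a busy log. The following script is an added example, not Cisco, Talos or CISA tooling: it parses sshd "Accepted" lines, flags logins to vmanage-admin (and root, since unexpected root logins are a separate indicator in the guidance) from any address outside an allowlist, and treats unparsable sources as unknown. The sample log lines and the allowlist are constructed for the demonstration; on a real controller, feed it a copy of /var/log/auth.log and the System IPs taken from the SD-WAN Manager interface.

```python
"""
Triage a Catalyst SD-WAN Controller's /var/log/auth.log for the indicator
Cisco describes: successful "Accepted publickey for vmanage-admin" logins
from addresses that are not known SD-WAN Manager / controller System IPs.
Added example, not vendor or government tooling. The sample log lines and
the allowlist are constructed for the demonstration.
"""
import ipaddress
import re

# One sshd "Accepted" line: auth method, account, source address, source port.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)

# Accounts whose SSH logins are worth flagging: the internal high-privileged
# account named in the advisory, plus root (an unexpected root login is a
# separate IOC in the Talos/CISA guidance).
WATCHED_USERS = {"vmanage-admin", "root"}

# Constructed sample log. 10.1.1.1 plays the SD-WAN Manager System IP, which
# legitimately reaches the controller as vmanage-admin; 203.0.113.77 is an
# address that appears nowhere in the fabric's configuration.
SAMPLE_AUTH_LOG = """\
2026-02-10T22:40:01+00:00 vm sshd[701]: Accepted publickey for vmanage-admin from 10.1.1.1 port 48122 ssh2: RSA SHA256:AAAA
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from 203.0.113.77 port 51002 ssh2: RSA SHA256:BBBB
2026-02-10T22:52:10+00:00 vm sshd[812]: Accepted password for admin from 10.1.1.1 port 48130 ssh2
2026-02-10T23:05:44+00:00 vm sshd[900]: Accepted publickey for root from 203.0.113.77 port 51010 ssh2: RSA SHA256:BBBB
2026-02-10T23:06:00+00:00 vm sshd[901]: Failed publickey for vmanage-admin from 198.51.100.9 port 40000 ssh2
"""


def parse_accepted_logins(log_text):
    """Return one dict per successful sshd login found in the log text."""
    logins = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            logins.append({
                "user": m["user"],
                "method": m["method"],
                "src": m["src"],
                "port": int(m["port"]),
                "line": line,
            })
    return logins


def find_suspicious_logins(log_text, known_system_ips):
    """Flag logins to WATCHED_USERS whose source is outside known_system_ips.

    known_system_ips may mix single addresses and CIDR ranges, e.g. the
    Manager and controller System IPs plus a management jump-host subnet.
    """
    known = [ipaddress.ip_network(n, strict=False) for n in known_system_ips]
    flagged = []
    for login in parse_accepted_logins(log_text):
        if login["user"] not in WATCHED_USERS:
            continue
        try:
            addr = ipaddress.ip_address(login["src"])
        except ValueError:
            # Hostname or garbage where an IP should be: treat as unknown.
            flagged.append(login)
            continue
        if not any(addr in net for net in known):
            flagged.append(login)
    return flagged


if __name__ == "__main__":
    # Only the Manager's System IP is expected to log in as vmanage-admin.
    for hit in find_suspicious_logins(SAMPLE_AUTH_LOG, ["10.1.1.1"]):
        print(f"SUSPICIOUS {hit['user']} via {hit['method']} from "
              f"{hit['src']}:{hit['port']}")
```

Run against the constructed sample with only 10.1.1.1 allowlisted, it reports the vmanage-admin login and the root login from 203.0.113.77 and ignores the admin login from the Manager and the failed attempt. Any hit from an address that is not in the SD-WAN Manager's System IP list or your management infrastructure is the condition under which Cisco says to treat the device as compromised and open a TAC case; remember that the attacker may also have trimmed auth.log, so an empty result on a suspiciously small file is not a clean bill of health.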

    Talos and government advisories shared additional indicators of compromise, including the creation and deletion of malicious user accounts, unexpected root logins, unauthorized SSH keys in the vmanage-admin or root accounts, and changes that enable PermitRootLogin.

    Admins should also look for unusually small or missing log files, which may indicate log tampering, and for software downgrades and reboots, which may indicate exploitation of CVE-2022-20775 to gain root privileges.

    To check for exploitation of CVE-2022-20775, CISA recommends analyzing the following logs:

    
/var/volatile/log/vdebug
    /var/log/tmplog/vdebug
    /var/volatile/log/sw_script_synccdb.log

    CISA’s hunt and hardening guide instructs organizations to collect forensic artifacts, including admin core dumps and user home directories, and to ensure logs are stored externally to prevent tampering.

    If a root account was compromised, agencies should deploy fresh installs rather than attempting to clean the existing infrastructure.

    Organizations should also treat unexpected peering events or unexplained controller activity as potential indicators of compromise and investigate them immediately.

    Both CISA and the UK NCSC recommend restricting network exposure, placing SD-WAN control components behind firewalls, isolating management interfaces, forwarding logs to external systems, and applying Cisco’s hardening guidance.

    Cisco strongly recommends upgrading to a fixed software release as the only way to remediate CVE-2026-20127 completely.

