{"id":43961,"date":"2026-02-26T14:14:16","date_gmt":"2026-02-26T06:14:16","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/26\/cisco-sd-wan-zero-day-cve-2026-20127-exploited-since-2023-for-admin-access\/"},"modified":"2026-02-26T14:14:16","modified_gmt":"2026-02-26T06:14:16","slug":"cisco-sd-wan-zero-day-cve-2026-20127-exploited-since-2023-for-admin-access","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/26\/cisco-sd-wan-zero-day-cve-2026-20127-exploited-since-2023-for-admin-access\/","title":{"rendered":"Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access"},"content":{"rendered":"<div style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEguuaG3Zn05bu2DRYkpxdcKrvugskd4bWxOdVfAIk2Yeaz_haffll_p9cgQ9DvoIID6Qyihvpq0q9M8NZFBOFprN-7ILllTeAs7Y5WJ5kqUPsBblknz376nPPxRa04vGkCKNVfLSUgTfweasJd9Q533msiw6SdqGP0K61_ZZYMhR9QD_sueS-R9vftPtheu\/s1600\/cisco.jpg\" style=\"display: block; padding: 1em 0; text-align: center; clear: left; float: left;\"><img decoding=\"async\" border=\"0\" data-original-height=\"470\" data-original-width=\"900\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEguuaG3Zn05bu2DRYkpxdcKrvugskd4bWxOdVfAIk2Yeaz_haffll_p9cgQ9DvoIID6Qyihvpq0q9M8NZFBOFprN-7ILllTeAs7Y5WJ5kqUPsBblknz376nPPxRa04vGkCKNVfLSUgTfweasJd9Q533msiw6SdqGP0K61_ZZYMhR9QD_sueS-R9vftPtheu\/s1600\/cisco.jpg\" alt=\"Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access\"\/><\/a><\/div>\n<p>A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has come under active exploitation in the wild as part of malicious activity that dates back to 2023.<\/p>\n<p>The vulnerability, tracked as <strong>CVE-2026-20127<\/strong> (CVSS score: 10.0), allows an unauthenticated remote attacker to bypass authentication and obtain administrative 
privileges by sending a crafted request to the affected system.<\/p>\n<p>Successful exploitation of the flaw could allow the adversary to obtain elevated privileges on the system as an internal, high-privileged, non-root user account.<\/p>\n<p>&#8220;This vulnerability exists because the peering authentication mechanism in an affected system is not working properly,&#8221; Cisco <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-sdwan-rpa-EHchtZk\" rel=\"noopener\" target=\"_blank\">said<\/a> in an advisory, adding that a threat actor could leverage the non-root user account to access NETCONF and manipulate network configuration for the SD-WAN fabric.<\/p>\n<p>The shortcoming affects the following deployment types, irrespective of the device configuration &#8211;<\/p>\n<ul>\n<li>On-Prem Deployment<\/li>\n<li>Cisco Hosted SD-WAN Cloud<\/li>\n<li>Cisco Hosted SD-WAN Cloud &#8211; Cisco Managed<\/li>\n<li>Cisco Hosted SD-WAN Cloud &#8211; FedRAMP Environment<\/li>\n<\/ul>\n<p>Cisco credited the Australian Signals Directorate&#8217;s Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability. 
The networking equipment major is tracking the exploitation and subsequent post-compromise activity under the moniker <a href=\"https:\/\/blog.talosintelligence.com\/uat-8616-sd-wan\/\" rel=\"noopener\" target=\"_blank\">UAT-8616<\/a>, describing the cluster as a &#8220;highly sophisticated cyber threat actor.&#8221;<\/p>\n<p>The vulnerability has been addressed in the following versions of Cisco Catalyst SD-WAN &#8211;<\/p>\n<ul>\n<li>Prior to version 20.9 &#8211; Migrate to a fixed release.<\/li>\n<li>Version 20.9 &#8211; 20.9.8.2 (Estimated release February 27, 2026)<\/li>\n<li>Version 20.11 &#8211; 20.12.6.1<\/li>\n<li>Version 20.12.5 &#8211; 20.12.5.3<\/li>\n<li>Version 20.12.6 &#8211; 20.12.6.1<\/li>\n<li>Version 20.13 &#8211; 20.15.4.2<\/li>\n<li>Version 20.14 &#8211; 20.15.4.2<\/li>\n<li>Version 20.15 &#8211; 20.15.4.2<\/li>\n<li>Version 20.16 &#8211; 20.18.2.1<\/li>\n<li>Version 20.18 &#8211; 20.18.2.1<\/li>\n<\/ul>\n<p>&#8220;Cisco Catalyst SD-WAN Controller systems that are exposed to the internet and that have ports exposed to the internet are at risk of exposure to compromise,&#8221; Cisco warned.<\/p>\n<p>The company has also recommended that customers audit the &#8220;\/var\/log\/auth.log&#8221; file for entries related to &#8220;Accepted publickey for vmanage-admin&#8221; from unknown or unauthorized IP addresses. It&#8217;s also advised to check the IP addresses in the auth.log file against the configured System IPs that are listed in the Cisco Catalyst SD-WAN Manager web UI (WebUI &gt; Devices &gt; System IP).<\/p>\n<p>According to information released by the ASD-ACSC, UAT-8616 is said to have compromised Cisco SD-WANs since 2023 via the zero-day exploit, allowing it to gain elevated access.<\/p>\n<p>&#8220;The vulnerability allowed a malicious cyber actor to create a rogue peer joined to the network management plane, or control plane, of an organization&#8217;s SD-WAN,&#8221; ASD-ACSC said. 
&#8220;The rogue device appears as a new but temporary, actor-controlled SD-WAN component that can conduct trusted actions within the management and control plane.&#8221;<\/p>\n<p>After successfully compromising a public-facing application, the attackers have been found to leverage the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2022-20775\" rel=\"noopener\" target=\"_blank\">CVE-2022-20775<\/a> (CVSS score: 7.8), a high-severity privilege escalation bug in the CLI of Cisco SD-WAN Software, and then restoring the software to the version it was originally running.<\/p>\n<p>Some of the subsequent steps initiated by the threat actor are as follows &#8211;<\/p>\n<ul>\n<li>Created local user accounts that mimicked other local user accounts.<\/li>\n<li>Added a Secure Shell Protocol (SSH) authorized key for root access and modified SD-WAN-related start-up scripts to customize the environment.<\/li>\n<li>Used the Network Configuration Protocol (NETCONF) on port 830 and SSH to connect to\/between Cisco SD-WAN appliances within the management plane.<\/li>\n<li>Took steps to clear evidence of the intrusion by purging logs under &#8220;\/var\/log,&#8221; command history, and network connection history.<\/li>\n<\/ul>\n<p>&#8220;UAT-8616&#8217;s attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors looking to establish persistent footholds into high-value organizations, including Critical Infrastructure (CI) sectors,&#8221; Talos said.<\/p>\n<p>The development has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2026\/02\/25\/cisa-adds-two-known-exploited-vulnerabilities-catalog\" rel=\"noopener\" target=\"_blank\">add<\/a> both CVE-2022-20775 and CVE-2026-20127 to its Known Exploited Vulnerabilities (<a 
href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" rel=\"noopener\" target=\"_blank\">KEV<\/a>) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the fixes within the next 24 hours.<\/p>\n<p>To check for version downgrade and unexpected reboot events, CISA <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems\" rel=\"noopener\" target=\"_blank\">recommends<\/a> analyzing the following logs &#8211;<\/p>\n<ul>\n<li>\/var\/volatile\/log\/vdebug<\/li>\n<li>\/var\/log\/tmplog\/vdebug<\/li>\n<li>\/var\/volatile\/log\/sw_script_synccdb.log&nbsp;<\/li>\n<\/ul>\n<p>CISA has also <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2026\/02\/25\/cisa-and-partners-release-guidance-ongoing-global-exploitation-cisco-sd-wan-systems\" rel=\"noopener\" target=\"_blank\">issued<\/a> a new emergency directive, <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems\" rel=\"noopener\" target=\"_blank\">26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems<\/a>, as part of which federal agencies are required to inventory SD-WAN devices, apply updates, and assess potential compromise.<\/p>\n<p>To that end, agencies have been ordered to provide a catalog of all in-scope SD-WAN systems on their networks by February 26, 2026, 11:59 p.m. ET. Additionally, they are required to submit a detailed inventory of all in-scope products and actions taken by March 5, 2026, 11:59 p.m. ET. Lastly, the agencies will have to submit the list of all steps taken to harden their environments by March 26, 2026, 11:59 p.m. ET.<\/p>\n<div><\/div>\n<div>Found this article interesting?  
Follow us on <a href='https:\/\/news.google.com\/publications\/CAAqLQgKIidDQklTRndnTWFoTUtFWFJvWldoaFkydGxjbTVsZDNNdVkyOXRLQUFQAQ' rel='noopener' target='_blank'>Google News<\/a>, <a href='https:\/\/twitter.com\/thehackersnews' rel='noopener' target='_blank'>Twitter<\/a> and <a href='https:\/\/www.linkedin.com\/company\/thehackernews\/' rel='noopener' target='_blank'>LinkedIn<\/a> to read more exclusive content we post.<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has come under active exploitation in the wild as part of malicious activity that dates back to 2023.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-43961","post","type-post","status-publish","format-standard","hentry","category-thehackernews"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/43961","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=43961"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/43961\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=43961"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=43961"},{"taxonomy":"post_tag","embeddab
le":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=43961"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}