- Cisco Catalyst SD-WAN zero-day (CVE-2026-20127) has been exploited since 2023
- Flaws allowed attackers to add rogue peers and manipulate network configurations
- CISA added the flaw to its KEV catalog and ordered urgent patching; Talos links the exploitation to a threat group it tracks as UAT-8616
“Highly sophisticated” threat actors have reportedly been exploiting a zero-day vulnerability in Cisco Catalyst SD-WAN for more than two years, the company has revealed.
Cisco’s threat intelligence arm, Talos, released a new report saying it observed a critical authentication vulnerability being actively exploited by attackers, who used it to compromise SD-WAN controllers and add malicious rogue peers to target networks.
The vulnerability is now tracked as CVE-2026-20127 and has a maximum severity score of 10/10 (Critical).
CISA adds it to KEV
The National Vulnerability Database (NVD) says the flaw exists “because the peering authentication mechanism in an affected system is not working properly,” allowing malicious actors to send crafted requests to exploit it.
“A successful exploit could allow the attacker to log into an affected Cisco Catalyst SD-WAN Controller as an internal, highly privileged, non-root user account. Using this account, the attacker could gain access to NETCONF, which would then allow the attacker to manipulate the network configuration of the SD-WAN fabric,” it explained.
The Talos report attributes the exploitation to a group it tracks as UAT-8616, which it says has been abusing the flaw since at least 2023. According to the report, the attackers downgraded the SD-WAN software to an older, vulnerable version and used that version to gain root access. After breaking in, they restored the original software version to cover their tracks, which is why a controller that currently reports a patched release may still have been compromised.
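The downgrade-then-restore pattern described above is something defenders can look for in their own change records, provided versions are compared numerically rather than as strings. The following Python script is an added illustration, not code from Cisco, Talos or this article: it parses a list of version-change records, flags any device that was downgraded, and notes whether it was moved back to the pre-downgrade version within a time window. The line format, device names, timestamps and version numbers are all constructed for this example and do not reproduce any real Catalyst SD-WAN log.

```python
"""Flag software downgrade -> restore sequences in version-change records.

Added example; not Cisco, Talos or article code. The log format below is
constructed for this illustration and is NOT a real Cisco SD-WAN log format:

    <ISO-8601 UTC timestamp> <device> version-change old=<ver> new=<ver>
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+version-change\s+"
    r"old=(?P<old>[\d.]+)\s+new=(?P<new>[\d.]+)$"
)

# Constructed sample data. Version numbers are placeholders, not a statement
# about which releases are affected.
SAMPLE_LOG = """\
2025-11-03T02:14:09Z vsmart-1 version-change old=20.12.3 new=20.9.4
2025-11-03T02:41:51Z vsmart-1 version-change old=20.9.4 new=20.12.3
2025-11-04T09:00:00Z vbond-1 version-change old=20.9.4 new=20.12.3
2025-11-05T11:30:00Z vsmart-2 version-change old=20.12.3 new=20.9.4
"""


def parse_version(v):
    """Dotted release string -> tuple of ints, so '20.12.3' ranks above '20.9.4'.
    Plain string comparison gets that wrong ('20.12' < '20.9' lexically)."""
    return tuple(int(p) for p in v.split("."))


def is_downgrade(old, new):
    return parse_version(new) < parse_version(old)


def parse_log(text):
    """Return (ts, device, old, new) tuples sorted by time; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["device"], m["old"], m["new"]))
    events.sort(key=lambda e: e[0])
    return events


def _finding(device, down, restore):
    d_ts, d_old, d_new = down
    minutes = None
    if restore is not None:
        minutes = round((restore[0] - d_ts).total_seconds() / 60, 1)
    return {
        "device": device,
        "downgraded_from": d_old,
        "downgraded_to": d_new,
        "downgrade_at": d_ts.isoformat(),
        "restored": restore is not None,
        "minutes_until_restore": minutes,
    }


def find_downgrade_restore(events, window=timedelta(hours=24)):
    """Every downgrade is reported. If the next version change on the same device
    puts the pre-downgrade version back within `window`, it is marked restored."""
    findings = []
    pending = {}  # device -> (ts, old, new) of a downgrade not yet followed up
    for ts, device, old, new in events:
        if is_downgrade(old, new):
            if device in pending:  # second downgrade before any restore
                findings.append(_finding(device, pending[device], None))
            pending[device] = (ts, old, new)
        elif device in pending:
            down = pending.pop(device)
            restored = new == down[1] and (ts - down[0]) <= window
            findings.append(_finding(device, down, (ts, old, new) if restored else None))
    for device, down in pending.items():  # downgrades with no later change at all
        findings.append(_finding(device, down, None))
    return findings


def analyze(text, window=timedelta(hours=24)):
    return find_downgrade_restore(parse_log(text), window)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

A downgrade that is never restored is still reported, because a controller left on an older release is its own problem; the restored ones are the interesting case here, since the device now looks clean. In practice the records would come from whatever change history the management plane actually keeps, and a controller that reports a patched version should not be treated as proof it was never downgraded.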
On Wednesday, the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its KEV catalog, confirming reports of in-the-wild abuse and giving Federal Civilian Executive Branch (FCEB) agencies just two days to patch or stop using the product altogether. CISA normally gives FCEB agencies three weeks to respond, but in this case it said the bug poses a major threat.
UAT-8616 appears to be a newly named threat cluster: there is no public record of earlier attacks attributed under that name.
Via Bleeping Computer