Cisco SD-WAN Zero-Day Exploited Since 2023 to Gain Full Admin Control

A critical vulnerability in Cisco Catalyst SD-WAN has been exploited as a zero-day since 2023 to gain full administrative access to affected systems. The flaw in Cisco Catalyst SD-WAN Controller and Manager, tracked as CVE-2026-20127 (CVSS score 10.0), allows remote, unauthenticated attackers to bypass authentication and manipulate the network configuration of the SD-WAN fabric.

The vulnerability exists because the peering authentication mechanism of an affected system does not work as intended. An attacker can exploit it by sending crafted requests to the affected system. A successful exploit allows the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged but non-root user account, and from there to access NETCONF and manipulate the network configuration of the SD-WAN fabric.

The vulnerability affects Cisco Catalyst SD-WAN Controller and Manager deployments regardless of configuration. These products are widely deployed in organizations such as government agencies, financial institutions, and large enterprises. Cisco credits the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) with reporting the issue.

Cisco Talos tracks the exploitation as UAT-8616, a highly sophisticated threat actor active since at least 2023. Because the account reached through CVE-2026-20127 is not root, the actor needed a second step: investigators found that the group likely downgraded the controller software to a version vulnerable to CVE-2022-20775, exploited that older privilege-escalation flaw to obtain root, and then restored the original software version to conceal the change while retaining root access.

The campaign is another instance of attackers targeting network edge devices to gain persistent access to high-value and critical infrastructure organizations. Customers are urged to apply the security updates immediately; Cisco warns that internet-exposed Catalyst SD-WAN Controllers are at particular risk. As a first detection step, customers should review /var/log/auth.log on each controller for "Accepted publickey for vmanage-admin" entries from unknown source IPs and verify every source address against the authorized Manager System IPs shown in the SD-WAN Manager web UI.

All control-plane peering events, especially those involving the SD-WAN Manager (vManage), should be manually reviewed for unusual timing, unexpected source IPs, or device roles that do not match the deployment. If compromise is suspected, open a TAC case and collect admin-tech files before making changes. There is no complete workaround; restricting access to TCP ports 22 (SSH) and 830 (NETCONF over SSH) to trusted sources may reduce exposure temporarily, but upgrading to a fixed release is strongly recommended.
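The following script is an added example, not Cisco tooling or code from the advisory. It implements the auth.log review described in the two paragraphs above: it parses standard OpenSSH "Accepted publickey" lines, flags vmanage-admin logins whose source address is not on the operator's list of authorized Manager System IPs, and separately notes logins at unusual hours. The sample log lines, host names, addresses and key fingerprints are constructed for the example, and the AUTHORIZED_SYSTEM_IPS set is an assumed value that must be replaced with the System IPs read from the Manager web UI.

```python
import re

# Constructed sample of /var/log/auth.log content from a Catalyst SD-WAN
# Controller (not real data): host names, addresses, PIDs and key
# fingerprints are invented. The "Accepted publickey for vmanage-admin"
# message is the entry Cisco's guidance says to look for.
SAMPLE_AUTH_LOG = """\
Jan 14 09:12:40 vsmart1 sshd[2311]: Accepted publickey for vmanage-admin from 10.10.1.1 port 40122 ssh2: RSA SHA256:AAAA
Jan 14 09:15:02 vsmart1 sshd[2340]: Accepted password for admin from 192.0.2.44 port 51002 ssh2
Jan 15 03:22:11 vsmart1 sshd[4102]: Accepted publickey for vmanage-admin from 198.51.100.23 port 60110 ssh2: RSA SHA256:BBBB
Jan 15 03:22:13 vsmart1 sshd[4102]: pam_unix(sshd:session): session opened for user vmanage-admin by (uid=0)
Jan 16 11:40:27 vsmart1 sshd[5201]: Accepted publickey for vmanage-admin from 10.10.1.2 port 40988 ssh2: RSA SHA256:CCCC
Jan 16 23:58:49 vsmart1 sshd[5377]: Accepted publickey for vmanage-admin from 10.10.1.2 port 41001 ssh2: RSA SHA256:CCCC
"""

# System IPs of the SD-WAN Manager nodes authorised to peer with this
# controller, as read from the Manager web UI (assumed values for the example).
AUTHORIZED_SYSTEM_IPS = {"10.10.1.1", "10.10.1.2"}

# Standard OpenSSH success line for public-key logins: capture the syslog
# timestamp, the user and the source address.
_ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


def parse_publickey_logins(log_text, user="vmanage-admin"):
    """Return (timestamp, source_ip) for every accepted public-key login as `user`.

    Password logins, session-open lines and other users are ignored.
    """
    logins = []
    for line in log_text.splitlines():
        m = _ACCEPTED_RE.match(line)
        if m and m.group("user") == user:
            logins.append((m.group("ts"), m.group("ip")))
    return logins


def find_suspicious_logins(log_text, authorized_ips, user="vmanage-admin",
                           expected_hours=(6, 22)):
    """Flag `user` logins from a source that is not an authorised System IP,
    and separately note logins outside `expected_hours` (start inclusive,
    end exclusive, local time of the log). Off-hours alone is only a review
    hint: Manager-to-controller peering is legitimate at any time of day, so
    an unknown source IP is the finding that matters most.
    """
    start, end = expected_hours
    findings = []
    for ts, ip in parse_publickey_logins(log_text, user):
        reasons = []
        if ip not in authorized_ips:
            reasons.append("source is not an authorised System IP")
        hour = int(ts.split()[-1].split(":")[0])
        if not (start <= hour < end):
            reasons.append("off-hours login")
        if reasons:
            findings.append({"ts": ts, "ip": ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # On a real controller, read /var/log/auth.log instead of the sample.
    for f in find_suspicious_logins(SAMPLE_AUTH_LOG, AUTHORIZED_SYSTEM_IPS):
        print(f"{f['ts']}  {f['ip']:<16} {'; '.join(f['reasons'])}")
```

On the sample, the 03:22 login from 198.51.100.23 is flagged on both counts, and the 23:58 login from an authorized Manager is reported only as a timing hint for manual review. Any hit from an address that is not a Manager System IP should be treated as suspected compromise and handled through TAC with admin-tech files collected, as the text above describes.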

Cisco PSIRT has confirmed limited in-the-wild exploitation of the vulnerability and strongly urges customers to upgrade to a fixed software release. Cisco has also published a hardening guide for Cisco Catalyst SD-WAN deployments at https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide.

Conclusion

The exploitation of CVE-2026-20127 is a reminder that network edge and management-plane devices remain prime targets for long-term, stealthy intrusions. Organizations running Cisco Catalyst SD-WAN should prioritize upgrading to a fixed release, limit exposure of controller SSH and NETCONF services, and review authentication logs and peering events for the indicators described above. Cisco's hardening guide provides further guidance on securing Catalyst SD-WAN deployments, and all customers are advised to follow it to reduce the impact of similar attacks.