# U.S. CISA Adds Cisco SD-WAN Flaws to Its Known Exploited Vulnerabilities Catalog, Highlighting Ongoing Threats to Network Edge Devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities in Cisco's SD-WAN solutions to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the ongoing risks posed by sophisticated threat actors targeting network edge devices.

According to CISA, these flaws have been actively exploited since 2023, with a particularly critical vulnerability allowing remote, unauthenticated attackers to bypass authentication and gain full administrative access to affected systems. This vulnerability, tracked as CVE-2026-20127 (CVSS score of 10.0), affects all Cisco Catalyst SD-WAN deployments, regardless of configuration, and has been fixed in updated releases, including 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, and 20.18.2.1.

The vulnerability lies in the peering authentication mechanism of affected systems: an attacker can send crafted requests that bypass authentication and gain access to NETCONF, which would then allow manipulation of the network configuration for the SD-WAN fabric. This highlights the importance of robust security controls around the management plane of such devices.

Cisco has credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC) for reporting this issue, and Cisco Talos is tracking related exploitation under the name UAT-8616, describing the actor as highly sophisticated. The campaign showcases the ongoing targeting of network edge devices to gain persistent access to high-value and critical infrastructure organizations.

In response to this vulnerability, Cisco advises customers to apply the security updates immediately and to check for signs of compromise, such as reviewing /var/log/auth.log for suspicious entries from unknown IPs and verifying them against the authorized System IPs listed in the web UI. However, it is essential to note that there is no full workaround for this vulnerability, and restricting ports 22 and 830 may only provide temporary relief.
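The log review Cisco describes, as an added example that is not from the advisory or this article: it parses sshd-style auth.log lines and flags entries whose source IP is not in the list of authorized System IPs. The log line format and the allowlist values are assumptions and the sample lines are constructed.

```python
import re

# Constructed allowlist of authorized SD-WAN System IPs. In practice copy these
# from the controller web UI, as the advisory instructs; these values are placeholders.
AUTHORIZED_SYSTEM_IPS = {"10.1.1.1", "10.1.1.2"}

# Constructed sample lines in common sshd/syslog style. The exact auth.log format
# on Catalyst SD-WAN devices is an assumption here; adjust LINE_RE to match yours.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:07 vmanage sshd[2201]: Accepted publickey for vmanage-admin from 10.1.1.2 port 51234 ssh2
Jan 12 03:15:22 vmanage sshd[2210]: Accepted password for admin from 198.51.100.77 port 44321 ssh2
Jan 12 03:16:01 vmanage sshd[2215]: Failed password for root from 203.0.113.9 port 40022 ssh2
Jan 12 03:17:45 vmanage sshd[2230]: Accepted publickey for vmanage-admin from 10.1.1.1 port 51299 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+\S+\s+for\s+(?:invalid user\s+)?(?P<user>\S+)"
    r"\s+from\s+(?P<ip>[0-9a-fA-F.:]+)"
)

def parse_auth_log(text):
    """Parse sshd-style auth.log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records

def find_suspicious(text, authorized_ips):
    """Return parsed entries whose source IP is not an authorized System IP.

    Successful logins from unknown IPs are tagged 'accepted_from_unknown_ip' and
    deserve immediate investigation; failed attempts are tagged separately.
    """
    findings = []
    for rec in parse_auth_log(text):
        if rec["ip"] in authorized_ips:
            continue
        rec["tag"] = ("accepted_from_unknown_ip" if rec["result"] == "Accepted"
                      else "failed_from_unknown_ip")
        findings.append(rec)
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_AUTH_LOG, AUTHORIZED_SYSTEM_IPS):
        print(f"{f['ts']} {f['tag']}: user={f['user']} ip={f['ip']}")
```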

The addition of these vulnerabilities to CISA's KEV catalog underscores the importance of remediating known exploited vulnerabilities promptly, before attackers can use them against an organization's infrastructure. As experts recommend, private organizations should also review the catalog and address these vulnerabilities in their own environments.

**Key Facts:**

* Cisco SD-WAN is affected by two critical vulnerabilities added to CISA's KEV catalog.
* A particularly critical vulnerability (CVE-2026-20127) allows remote, unauthenticated attackers to bypass authentication and gain full administrative access.
* The vulnerability lies in the peering authentication mechanism of affected systems.
* Cisco has released updated software versions that fix this vulnerability.
* CISA urges federal agencies to address these vulnerabilities by specific deadlines.

**Conclusion:**

The recent addition of two critical vulnerabilities in Cisco SD-WAN solutions to CISA's KEV catalog highlights the ongoing risks posed by sophisticated threat actors targeting network edge devices. It is essential for organizations to take prompt action to address these known exploited vulnerabilities and implement robust security measures to prevent such attacks.