Cisco Catalyst SD-WAN Zero-Day Exploited by Sophisticated Threat Actor UAT-8616
Take action: If you are using Cisco Catalyst SD-WAN Controller or Cisco Catalyst SD-WAN Manager, this is urgent. The flaw is already being exploited, so your SD-WAN may already be compromised without showing obvious signs. Immediately audit your logs for unauthorized SSH keys and peering events, then apply the latest Cisco security updates. Until you patch, restrict access to ports 22 and 830 to trusted controller IPs.
Cisco Talos and the Australian Signals Directorate (ASD) report active exploitation of a critical zero-day vulnerability in Cisco Catalyst SD-WAN infrastructure.
The flaw is tracked as CVE-2026-20127 (CVSS score 10.0), an authentication bypass vulnerability in the peering mechanism of Cisco Catalyst SD-WAN Controller and Manager. An unauthenticated remote attacker can send crafted requests to the system that bypass security checks and grant administrative access as a high-privileged internal user. This access allows attackers to use NETCONF to manipulate the entire SD-WAN fabric configuration, potentially disrupting or intercepting traffic across the enterprise network.
A threat actor, designated UAT-8616, has been exploiting this vulnerability to target high-value organizations and critical infrastructure sectors.
Successful exploitation grants attackers persistent control over the network edge, allowing them to intercept or redirect traffic across the SD-WAN fabric. UAT-8616 installed unauthorized SSH keys to evade detection and performed downgrades and upgrades of the devices to maintain control.
The vulnerability impacts Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) across all deployment types, including on-premises and Cisco-hosted cloud environments.
Affected versions include those earlier than 20.9, as well as branches 20.11, 20.12, 20.13, 20.14, 20.15, 20.16, and 20.18. Cisco reports that the vulnerability exists regardless of the specific device configuration, making all unpatched instances high-risk targets.
Cisco has released software updates to address this flaw and strongly urges immediate migration to fixed releases 20.12.5.3, 20.15.4.2, or 20.18.2.1.
Administrators should audit /var/log/auth.log for unauthorized public key acceptances and validate all control connection peering events against known maintenance windows. Until patches are applied, organizations should restrict access to ports 22 (SSH) and 830 (NETCONF over SSH) using ACLs or firewalls so that only trusted controller IPs can communicate with the infrastructure.
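The auth.log audit described above, as an added example that is not Cisco's or Talos's tooling: it scans sshd "Accepted publickey" lines and flags any whose key fingerprint is not in an allow-list or whose source IP is not a trusted controller/management address, and records whether the login fell inside a maintenance window. The sample log excerpt, the fingerprint allow-list, the trusted IPs and the 10:00-12:00 window are all constructed assumptions.

```python
import re

# Constructed sample excerpt in OpenSSH auth.log format (not from a real device).
SAMPLE_AUTH_LOG = """\
Jan 14 02:13:07 vmanage sshd[2231]: Accepted publickey for vmanage from 10.0.0.5 port 51234 ssh2: RSA SHA256:AAAAexample1
Jan 14 03:41:55 vmanage sshd[2402]: Accepted publickey for admin from 203.0.113.45 port 40022 ssh2: ED25519 SHA256:BBBBexample2
Jan 14 10:05:12 vmanage sshd[2610]: Accepted password for admin from 10.0.0.7 port 50011 ssh2
Jan 14 11:22:01 vmanage sshd[2788]: Accepted publickey for admin from 10.0.0.5 port 52000 ssh2: RSA SHA256:CCCCexample3
"""

# Assumed allow-lists: fingerprints of keys you deployed on purpose, and the
# controller/management addresses that should ever reach port 22.
KNOWN_FINGERPRINTS = {"SHA256:AAAAexample1", "SHA256:CCCCexample3"}
TRUSTED_SOURCES = {"10.0.0.5", "10.0.0.7"}
MAINTENANCE_WINDOW = (10, 12)  # assumed local-time window, hours [start, end)

ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted publickey for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)"
)

def in_maintenance_window(ts, window=MAINTENANCE_WINDOW):
    """True if the syslog timestamp's hour falls inside the window."""
    hour = int(ts[-8:-6])
    return window[0] <= hour < window[1]

def find_suspicious_key_logins(log_text, known_fps=KNOWN_FINGERPRINTS,
                               trusted=TRUSTED_SOURCES):
    """Return one finding per publickey acceptance that fails a check."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if not m:
            continue  # password logins and other lines are out of scope here
        reasons = []
        if m["fp"] not in known_fps:
            reasons.append("unknown key fingerprint")
        if m["src"] not in trusted:
            reasons.append("untrusted source IP")
        if reasons:
            findings.append({"ts": m["ts"], "user": m["user"], "src": m["src"],
                             "fp": m["fp"], "reasons": reasons,
                             "in_window": in_maintenance_window(m["ts"])})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_key_logins(SAMPLE_AUTH_LOG):
        print(f"{f['ts']} {f['user']}@{f['src']} {f['fp']}: {', '.join(f['reasons'])}"
              f" (in maintenance window: {f['in_window']})")
```

Feed it the real file with `find_suspicious_key_logins(open('/var/log/auth.log').read())` after replacing the allow-lists with your own inventory; any finding is a key you did not deploy or a source you did not authorise and should be investigated before patching.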