Cisco SD-WAN Vulnerability: Hackers Exploited Critical Flaw for Years

by Anika Shah - Technology

Cisco SD-WAN Vulnerability Exploited Since 2023, Authorities Issue Warning

For three years, a critical flaw remained undetected within Cisco’s Catalyst SD-WAN products before being exploited by hackers. Cisco has confirmed that attackers leveraged this vulnerability, tracked as CVE-2026-20127, to bypass authentication, gain privileged access, and exfiltrate data. The severity of the situation prompted a joint advisory from cybersecurity authorities in the US, UK, Australia, Canada, and New Zealand.

Technical Details of the Incident

The vulnerability, CVE-2026-20127, carries a critical base score of 10.0, indicating a severe impact that requires immediate attention. Successful exploitation allows attackers to steal data and potentially launch further cyberattacks. According to Cisco, attackers exploited the flaw in Catalyst SD-WAN products to bypass authentication remotely by sending crafted requests to the system, elevating their privileges to a high-privileged, non-root account.

Initial access did not grant root access. However, an investigation by the Australian government revealed that attackers could escalate to root privileges by leveraging the built-in update mechanism to downgrade the controller to a version vulnerable to CVE-2022-20775, a flaw that allows local, authenticated non-root users to gain root access.

After achieving root access, the attackers created local accounts mimicking legitimate ones and re-exploited CVE-2026-20127 to establish persistent access. They then restored the controller to its original version. The Australian government’s report noted that no command-and-control activity or lateral movement outside the SD-WAN environment was detected, but evidence of defense evasion, such as log clearing and history deletion, was observed.

Who is Behind the Attack?

Currently, no threat actor has claimed responsibility for the attacks, and researchers have not definitively attributed the incident to a specific group. However, the observed activity points to a single source, designated UAT-8616 and described by Cisco as a “highly sophisticated cyber threat actor”.

How Organizations Should Respond

Cisco and the involved authorities recommend that organizations using Catalyst SD-WAN review their system logs and forward them off the appliance to prevent attacker tampering. Organizations should also place controllers behind a firewall with robust IP-blocking capabilities.
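As an added illustration (not from the article, and not Cisco's tooling), the following heuristic scans forwarded log lines for the chain described above: a software downgrade followed by a restore to the original version, creation of a local account that resembles a legitimate one, and log or history clearing. The log line format, field names and the account inventory are assumptions; the sample lines are constructed.

```python
import re

# Constructed sample lines; the format is assumed, not Cisco's real log syntax.
SAMPLE_LOGS = [
    "2026-02-01T01:00:00Z vmanage01 auth: login user=admin src=10.0.0.5 result=success",
    "2026-02-01T01:05:12Z vmanage01 software: version changed from 20.12.6.1 to 20.9.5",
    "2026-02-01T01:10:30Z vmanage01 user: created local account name=adm1n role=netadmin",
    "2026-02-01T01:12:00Z vmanage01 software: version changed from 20.9.5 to 20.12.6.1",
    "2026-02-01T01:15:00Z vmanage01 audit: shell history cleared by user=adm1n",
]
KNOWN_ACCOUNTS = {"admin", "netops"}  # assumed inventory of legitimate local accounts

VERSION_RE = re.compile(r"version changed from (\S+) to (\S+)")
ACCOUNT_RE = re.compile(r"created local account name=(\S+)")
CLEARING_RE = re.compile(r"(log|history) (cleared|deleted|truncated)")

def parse_version(text):
    """'20.12.6.1' -> (20, 12, 6, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))

def normalize_name(name):
    """Fold case and common digit-for-letter swaps so 'adm1n' collides with 'admin'."""
    return name.lower().translate(str.maketrans("013", "oil"))

def analyze(lines, known_accounts):
    """Return (finding_kind, line) pairs for downgrade, restore, lookalike accounts and clearing."""
    findings = []
    downgraded_from = None  # version in place before the most recent downgrade
    for line in lines:
        m = VERSION_RE.search(line)
        if m:
            old, new = parse_version(m.group(1)), parse_version(m.group(2))
            if new < old:
                downgraded_from = old
                findings.append(("downgrade", line))
            elif downgraded_from is not None and new == downgraded_from:
                findings.append(("restore_after_downgrade", line))
                downgraded_from = None
            continue
        m = ACCOUNT_RE.search(line)
        if m and m.group(1) not in known_accounts:
            norm = normalize_name(m.group(1))
            kind = "lookalike_account" if any(norm == normalize_name(k) for k in known_accounts) else "new_account"
            findings.append((kind, line))
            continue
        if CLEARING_RE.search(line):
            findings.append(("log_clearing", line))
    return findings
```

Run `analyze(SAMPLE_LOGS, KNOWN_ACCOUNTS)` against logs that were forwarded off the appliance; a downgrade that is later reversed is the signal worth alerting on even when each version change looks routine on its own.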

For detection and mitigation guidance, consult the reports from Cisco Talos, the NSA Joint Cybersecurity Advisory, and the Australian government. Organizations in the UK, Canada, and New Zealand should also review the relevant publications from their respective governments.

Affected versions include all releases prior to version 20.91, which require migration to a fixed release. The specific version ranges 20.9 – 20.9.8.2, 20.111 – 20.12.6.1, 20.12.5 – 20.12.5.3, 20.12.6 – 20.12.6.1, 20.131 – 20.15.4.2, 20.141 – 20.15.4.2, 20.15 – 20.15.4.2, and 20.161 – 20.18.2 are also impacted.