Cisco Talos has issued a high-alert warning about active exploitation of CVE-2026-20127, a critical vulnerability in the Cisco Catalyst SD-WAN Controller and Manager. The flaw carries a CVSS score of 10 and lets an unauthenticated, remote attacker bypass authentication entirely.
The root cause is a flawed peering authentication mechanism in the Cisco Catalyst SD-WAN Controller (formerly vSmart) and Manager (formerly vManage). By sending crafted requests, an attacker can bypass this mechanism and log in to the affected system as an internal, high-privileged but non-root administrative account. Those credentials grant access to NETCONF, which is enough to fully manipulate the configuration of the SD-WAN fabric.
Cisco Talos tracks the exploitation activity as the cluster "UAT-8616", which it assesses with high confidence to be a highly sophisticated threat actor. Evidence indicates the activity has been ongoing for at least three years, dating back to 2023. This fits a broader trend of threat actors targeting network edge devices to establish long-term persistence inside high-value targets, including Critical Infrastructure (CI) sectors.
To escalate from the non-root administrative account to root, UAT-8616 used a three-step sequence:
- The actor downgraded the software version on the compromised device.
- They then exploited CVE-2022-20775, an older vulnerability that the downgraded release is still exposed to.
- Finally, they restored the original software version while keeping the root access gained on the older release.
Organizations should scrutinize their Cisco Catalyst SD-WAN logs for anomalous control connection peering events, as these can be the first sign of an initial access attempt via CVE-2026-20127. Validating these events requires manual review to distinguish legitimate operations from potential breaches.
Security teams should also hunt for the following high-fidelity indicators of a UAT-8616 compromise:
- Interactive root sessions on production systems that include unaccounted-for SSH keys and known hosts.
- Unauthorized or unaccounted-for SSH keys for the "vmanage-admin" account.
- Evidence of log tampering, such as abnormally small logs or cleared histories for files like syslog, wtmp, lastlog, cli-history, and bash_history.
- Unauthorized software version downgrades and upgrades accompanied by system reboots.
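To turn those indicators into something a responder can run over collected artifacts, here is an added example (not Cisco's or Talos's code). It assumes the artifacts were already pulled off the controller: the authorized_keys file for the vmanage-admin account, the byte sizes of the log files named above, and a plain-text change log of version changes and reboots. The key strings, sizes and change-log line format are constructed for illustration and are not Cisco's formats; the 1 KiB size threshold is an assumption to tune against your own fleet.

```python
"""Hunt for the UAT-8616 indicators on artifacts collected from a controller.

Added example, not Cisco or Talos code. File contents, sizes and the change-log
line format are constructed; adapt the parsers to what your collection produces.
"""
import re

# Logs the advisory says the actor trims or clears.
TAMPER_PRONE_LOGS = ["syslog", "wtmp", "lastlog", "cli-history", "bash_history"]
MIN_EXPECTED_BYTES = 1024  # assumption: a live controller should exceed this

# Known-good keys for vmanage-admin, normalised to "type base64" (constructed).
KNOWN_GOOD_KEYS = {
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownNetOpsKey",
}

# Constructed authorized_keys as collected from the controller.
SAMPLE_AUTHORIZED_KEYS = """\
# vmanage-admin keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownNetOpsKey netops@jumphost
from="10.10.0.0/24" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleUnaccountedKey backup
"""

# Constructed byte sizes, as `wc -c` would report on the collected files.
SAMPLE_LOG_SIZES = {
    "syslog": 5_242_880,
    "wtmp": 0,
    "lastlog": 292,
    "cli-history": 18_433,
    "bash_history": 0,
}

# Constructed change log: one event per line, ISO timestamp first.
SAMPLE_CHANGE_LOG = """\
2026-01-14T02:11:09Z version-change from=20.12.6 to=20.9.4 user=vmanage-admin
2026-01-14T02:15:40Z reboot
2026-01-14T02:40:02Z version-change from=20.9.4 to=20.12.6 user=vmanage-admin
2026-01-14T02:44:10Z reboot
2026-01-20T09:00:00Z version-change from=20.12.6 to=20.12.6.1 user=netops
2026-01-20T09:05:00Z reboot
"""

_KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")
_CHANGE = re.compile(r"^(\S+)\s+version-change from=(\S+) to=(\S+)")
_REBOOT = re.compile(r"^(\S+)\s+reboot\b")


def normalise_key(line):
    """Return 'type base64' for an authorized_keys line, dropping options and comment."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(_KEY_TYPES) and i + 1 < len(tokens):
            return f"{tok} {tokens[i + 1]}"
    return None


def unaccounted_keys(authorized_keys, baseline):
    """Raw authorized_keys lines whose key is absent from the known-good baseline."""
    found = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key = normalise_key(line)
        if key is None or key not in baseline:
            found.append(line)  # keep the raw line so the analyst sees options/comment
    return found


def suspicious_logs(sizes, min_bytes=MIN_EXPECTED_BYTES):
    """Logs that are missing, empty or far smaller than a live controller produces."""
    return [name for name in TAMPER_PRONE_LOGS if sizes.get(name, 0) < min_bytes]


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def downgrade_cycles(change_log):
    """Downgrade, then a reboot, then an upgrade back to at least the original version.

    Returns (downgrade_ts, original, downgraded_to, restore_ts) per cycle. A routine
    upgrade with a reboot (last two sample lines) is not flagged.
    """
    events = []
    for line in change_log.splitlines():
        m = _CHANGE.match(line)
        if m:
            events.append((m[1], "version", m[2], m[3]))
            continue
        m = _REBOOT.match(line)
        if m:
            events.append((m[1], "reboot", None, None))

    cycles = []
    for i, (ts, kind, frm, to) in enumerate(events):
        if kind != "version" or version_tuple(to) >= version_tuple(frm):
            continue  # not a downgrade
        later = events[i + 1:]
        for j, event in enumerate(later):
            if event[1] == "version" and version_tuple(event[3]) >= version_tuple(frm):
                if any(e[1] == "reboot" for e in later[:j]):
                    cycles.append((ts, frm, to, event[0]))
                break
    return cycles


def run_hunt(authorized_keys=SAMPLE_AUTHORIZED_KEYS, sizes=SAMPLE_LOG_SIZES,
             change_log=SAMPLE_CHANGE_LOG, baseline=KNOWN_GOOD_KEYS):
    return {
        "unaccounted_keys": unaccounted_keys(authorized_keys, baseline),
        "suspicious_logs": suspicious_logs(sizes),
        "downgrade_cycles": downgrade_cycles(change_log),
    }


if __name__ == "__main__":
    for name, hits in run_hunt().items():
        print(f"{name}: {hits or 'none'}")
```

On the sample data the hunt reports one unaccounted key (note the `from=` option, which an attacker may add to blend in), three trimmed logs (wtmp, lastlog, bash_history) and the one downgrade/reboot/restore cycle, while the later routine upgrade is left alone.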
There are currently no software workarounds for this vulnerability. Cisco-hosted cloud environments (including Cisco Managed and FedRAMP environments) already have protective guardrails in place. For on-premises deployments, customers must secure intra-controller connectivity: Cisco advises using access control lists (ACLs) or firewall rules to restrict traffic on port 22 (SSH) and port 830 (NETCONF over SSH) exclusively to known controller and trusted IP addresses.
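One way to express that port 22/830 restriction as a checkable policy, as an added example rather than Cisco's guidance verbatim: the allowlist below is a constructed set of controller and jump-host addresses, `render_nftables` assumes the filtering point is a Linux host or appliance running nftables (an ACL on a router would implement the same intent), only IPv4 entries are assumed, and the flow records are constructed to show which connections the policy drops.

```python
"""Restrict SSH (22) and NETCONF over SSH (830) to known controllers and trusted hosts.

Added example, not Cisco code. Addresses and flow records are constructed.
"""
import ipaddress

CONTROL_PORTS = (22, 830)  # SSH and NETCONF over SSH, the two ports the advisory names

# Constructed allowlist: controller addresses plus a NOC jump-host range.
TRUSTED_PEERS = [
    "192.0.2.10",       # Manager (vManage)
    "192.0.2.11",       # Controller (vSmart)
    "198.51.100.0/28",  # NOC jump hosts
]


def build_allowlist(peers):
    """Parse hosts and CIDRs into networks; a malformed entry raises instead of silently widening the policy."""
    nets = [ipaddress.ip_network(p, strict=False) for p in peers]
    if any(n.version != 4 for n in nets):
        raise ValueError("this example renders an IPv4-only set")  # assumption
    return nets


def is_permitted(src_ip, dst_port, allowlist):
    """Traffic to a control port is permitted only from an allowlisted source.

    Other ports are outside this rule and fall through to the rest of the policy.
    """
    if dst_port not in CONTROL_PORTS:
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in allowlist)


def render_nftables(allowlist):
    """nftables ruleset implementing the same policy, with a logged drop for visibility."""
    elements = ", ".join(
        str(n.network_address) if n.num_addresses == 1 else str(n) for n in allowlist
    )
    ports = ", ".join(str(p) for p in CONTROL_PORTS)
    return "\n".join([
        "table inet sdwan_control {",
        "    set trusted_peers {",
        "        type ipv4_addr",
        "        flags interval",
        f"        elements = {{ {elements} }}",
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        f"        tcp dport {{ {ports} }} ip saddr @trusted_peers accept",
        f"        tcp dport {{ {ports} }} log prefix \"sdwan-control-drop \" drop",
        "    }",
        "}",
    ])


# Constructed flow records (source address, destination port) as a collector might export them.
SAMPLE_FLOWS = [
    ("192.0.2.11", 830),    # Controller peering: permitted
    ("198.51.100.5", 22),   # NOC jump host: permitted
    ("203.0.113.77", 830),  # unknown source reaching NETCONF: dropped
    ("203.0.113.77", 443),  # not a control port: outside this rule
]


def audit_flows(flows, peers=TRUSTED_PEERS):
    """Return the flows the policy would drop, for validating the rule against real flow exports."""
    allowlist = build_allowlist(peers)
    return [(src, port) for src, port in flows if not is_permitted(src, port, allowlist)]


if __name__ == "__main__":
    print(render_nftables(build_allowlist(TRUSTED_PEERS)))
    print("would drop:", audit_flows(SAMPLE_FLOWS))
```

Running `audit_flows` against a recent flow export before enabling the rule tells you which legitimate peers the allowlist still misses; the logged drop rule then makes any post-deployment attempt from an unexpected source visible in the same place you hunt for the peering anomalies above.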
Cisco strongly urges all customers to migrate to a fixed software release to fully remediate the issue. Several fixed releases are already available, with more due shortly:
| Cisco Catalyst SD-WAN Release | First Fixed Release |
|---|---|
| Earlier than 20.9 | Migrate to a fixed release. |
| 20.9 | 20.9.8.2 (estimated release February 27, 2026) |
| 20.11¹ | 20.12.6.1 |
| 20.12.5 | 20.12.5.3 |
| 20.12.6 | 20.12.6.1 |
| 20.13¹ | 20.15.4.2 |
| 20.14¹ | 20.15.4.2 |
| 20.15 | 20.15.4.2 |
| 20.16¹ | 20.18.2.1 |
| 20.18 | 20.18.2.1 |

¹ The fixed release is on a later release train; migrate to it.