Weaponized in the Wild: Public PoC Exploit Disclosed for Critical 10.0 Cisco SD-WAN Flaw

The cybersecurity landscape has shifted into high gear following the public disclosure of a critical authentication bypass in Cisco Catalyst SD-WAN. The vulnerability, tracked as CVE-2026-20127, carries a maximum CVSS score of 10.0 and has been weaponized in the wild for years. The threat escalated this week as ZeroZenX Labs published a functional proof-of-concept (PoC) exploit code, effectively lowering the barrier for entry for less sophisticated attackers.

The flaw impacts the core control and management components of the Cisco Catalyst SD-WAN fabric, specifically the Controller (formerly vSmart) and Manager (formerly vManage).

While only recently disclosed, investigative data from Cisco Talos and international partners reveals that a “highly sophisticated” threat actor, tracked as UAT-8616, has been exploiting this zero-day since at least 2023.

The group’s methodology was surgical and designed for long-term, invisible persistence:

• Initial Access: Using the authentication bypass, the actor logged into the system as a high-privileged internal user.
• Rogue Peer Injection: The attacker added a malicious “rogue peer” to the SD-WAN fabric, which appeared as a legitimate and trusted component to the rest of the network.
• Root Escalation: To achieve full system control, the actor used the built-in update mechanism to downgrade the software to a version vulnerable to an older privilege escalation flaw (CVE-2022-20775).
• Evasion: After gaining root access and establishing persistence, the actor restored the original software version and purged all authentication and system logs to erase their footprint.

The vulnerability is rooted in a peering authentication mechanism that “is not working properly,” allowing unauthenticated remote attackers to bypass trust checks by sending crafted requests.

The release of the PoC by ZeroZenX Labs is a critical turning point. While the original UAT-8616 campaign was limited to sophisticated actors, the public availability of exploit code significantly increases the risk of “copycat” attacks across a much broader range of targets, including critical infrastructure and commercial enterprises.

The severity of the situation prompted CISA to issue Emergency Directive 26-03, mandating that Federal Civilian Executive Branch agencies inventory all affected systems, collect forensic artifacts for threat hunting, and apply patches immediately.

Cisco and its partners emphasize that there are no workarounds for this vulnerability. The only durable fix is an upgrade to a patched release: 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, or 20.18.2.1.

Organisations are strongly encouraged to collect virtual snapshots and off-system logs (especially /var/log/auth.log and /var/log/vmanage-admin) to support forensic analysis, as the patching process may overwrite evidence of prior compromise.