- Cisco Catalyst SD-WAN zero-day (CVE-2026-20127) exploited since 2023
- The flaw allowed attackers to add rogue peers and manipulate network configurations
- CISA added the bug to the KEV catalog and requested urgent patches; the activity is linked to threat group UAT-8616
“Highly sophisticated” threat actors have reportedly been exploiting a zero-day vulnerability in Cisco Catalyst SD-WAN for more than two years, the company revealed.
Talos, Cisco’s cybersecurity arm, published a new report saying it observed a critical authentication vulnerability being actively exploited by criminals who used it to compromise controllers and add malicious and rogue peers to targeted networks.
The vulnerability is now tracked as CVE-2026-20127 and has a maximum severity score: 10/10 (critical).
CISA adds it to KEV
The National Vulnerability Database (NVD) says the bug exists “because the peering authentication mechanism on an affected system is not working properly,” allowing malicious actors to send requests designed to exploit it.
“A successful exploit could allow the attacker to log into an affected Cisco Catalyst SD-WAN controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate the network configuration for the SD-WAN fabric,” the NVD entry continued.
The Talos report claims that it was abused by a group tracked as UAT-8616, dating back to at least 2023. The attacks apparently began by downgrading the SD-WAN solution to an older, vulnerable version, and then using it to gain root access. After breaking in, the criminals would restore the original version of the firmware to cover their tracks.
On Wednesday, the US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its KEV catalog, confirming reports of abuse in the wild and giving Federal Civilian Executive Branch (FCEB) agencies just two days to fix or stop using the product entirely. Normally, CISA gives FCEB agencies three weeks to respond, but in this case the flaw was said to pose a significant threat.
UAT-8616 appears to be a newly named threat group, as there is no separate public record of this actor being linked to previous, separate attacks under the same name.
Via BleepingComputer