Cisco warns of CVE-2026-20127, a critical authentication bypass vulnerability in Catalyst SD-WAN that allowed remote attackers to add rogue peers and gain root access since 2023.
Cisco is warning organizations about a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN that was actively exploited in zero-day attacks dating back to 2023. The flaw, tracked as CVE-2026-20127, has a maximum severity rating of 10.0 and impacts both on-premises and cloud-based deployments of Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage).
The Vulnerability and Its Exploitation
The vulnerability stems from a peering authentication mechanism that "is not working properly," according to Cisco's advisory. The flaw allows an unauthenticated remote attacker to send crafted requests to an affected system and authenticate as an internal, high-privileged, non-root user. Once authenticated, the attacker can access NETCONF and manipulate the network configuration of the SD-WAN fabric.
Cisco credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) with reporting the vulnerability. Cisco Talos has also determined that the flaw was actively exploited in attacks, and tracks the malicious activity under the identifier "UAT-8616."
Sophisticated Attack Chain
Talos reports that the threat actor behind these attacks is highly sophisticated and likely conducted a multi-stage exploitation process. The attack chain appears to have involved:
- Initial exploitation of CVE-2026-20127 to gain high-privileged access
- Downgrading to an older software version to exploit CVE-2022-20775
- Gaining root access through the older vulnerability
- Restoring the original software version to evade detection
This technique of downgrading the software to exploit an older vulnerability and then restoring the original version is particularly concerning: the attacker keeps the root access obtained on the older release while the device once again reports a patched version, so standard version checks show nothing wrong.
Government Response and Emergency Directives
The exploitation of this vulnerability has prompted urgent government action. On February 25, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 26-03, requiring Federal Civilian Executive Branch agencies to:
- Inventory Cisco SD-WAN systems
- Collect forensic artifacts
- Ensure external log storage
- Apply updates immediately
- Investigate potential compromises
The directive sets a deadline of 5:00 PM ET on February 27, 2026, for federal agencies to patch affected systems. CISA emphasized that the exploitation poses an "imminent threat to federal networks."
Joint International Response
Alongside Cisco's advisory, U.S. and UK authorities have issued coordinated advisories of their own. The UK's National Cyber Security Centre (NCSC) has partnered with CISA to produce a joint hunt and hardening guide for organizations using Cisco Catalyst SD-WAN products.
Ollie Whitehouse, NCSC CTO, stated: "Our new alert makes clear that organisations using Cisco Catalyst SD-WAN products should urgently investigate their exposure to network compromise and hunt for malicious activity, making use of the new threat hunting advice produced with our international partners to identify evidence of compromise."
Impact and Attack Methodology
Cisco Catalyst SD-WAN is a software-based networking platform that connects branch offices, data centers, and cloud environments through a centrally managed system. By exploiting this vulnerability, attackers can:
- Add rogue peers to the SD-WAN environment
- Insert malicious devices that appear legitimate
- Establish encrypted connections under attacker control
- Advertise networks under the attacker's control
- Potentially move deeper into the organization's network
The ability to add rogue peers is particularly dangerous because it allows attackers to insert themselves into the trusted network fabric, potentially intercepting or manipulating traffic across the organization's infrastructure.
Indicators of Compromise
Cisco and Talos have provided specific indicators of compromise that organizations should monitor for:
Authentication Logs:
- Check /var/log/auth.log for entries showing "Accepted publickey for vmanage-admin" from unknown IP addresses
- Compare these IP addresses against the configured System IPs in the SD-WAN Manager interface
- Compare them against known management or controller infrastructure
Additional IoCs include:
- Creation and deletion of malicious user accounts
- Unexpected root logins
- Unauthorized SSH keys in vmanage-admin or root accounts
- Changes enabling PermitRootLogin
- Unusually small or missing log files (indicating log tampering)
- Software downgrades and reboots
For CVE-2022-20775 exploitation, CISA recommends analyzing:
- /var/volatile/log/vdebug
- /var/log/tmplog/vdebug
- /var/volatile/log/sw_script_synccdb.log
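As an added illustration of the auth.log check above (this is example code, not a script from Cisco, Talos or CISA), the following Python extracts the source addresses of accepted public-key logins for vmanage-admin from constructed sample log lines, compares them against allowlists of configured System IPs and known management networks, and separately reports the effective PermitRootLogin value from a constructed sshd_config fragment. The syslog line layout, the allowlists and the sample config are assumptions; only the "Accepted publickey for vmanage-admin" string comes from the published guidance.

```python
import ipaddress
import re
from typing import Iterable

# OpenSSH-style success line. The "Accepted publickey for vmanage-admin"
# text is the published indicator; the surrounding syslog layout is an
# assumption about how auth.log looks on the appliance.
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

# sshd honours the first matching directive; commented lines are ignored.
# Match blocks are not handled here (simplification, assumption).
PERMIT_ROOT_RE = re.compile(r"^\s*PermitRootLogin\s+(\S+)", re.IGNORECASE)


def parse_accepted_logins(lines: Iterable[str], user: str = "vmanage-admin"):
    """Yield (raw_line, ip) for every accepted public-key login of `user`."""
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m and m.group("user") == user:
            yield line.rstrip("\n"), ipaddress.ip_address(m.group("ip"))


def find_unknown_sources(lines, known_system_ips, known_mgmt_networks,
                         user: str = "vmanage-admin"):
    """Return (raw_line, ip) for accepted logins whose source is neither a
    configured System IP nor inside a known management/controller network."""
    system_ips = {ipaddress.ip_address(ip) for ip in known_system_ips}
    mgmt_nets = [ipaddress.ip_network(n, strict=False) for n in known_mgmt_networks]
    suspicious = []
    for raw, ip in parse_accepted_logins(lines, user):
        if ip in system_ips or any(ip in net for net in mgmt_nets):
            continue
        suspicious.append((raw, str(ip)))
    return suspicious


def effective_permit_root_login(sshd_config_lines: Iterable[str]):
    """Return the effective PermitRootLogin value (lower-cased), or None if
    the directive is not set. Anything other than "no" permits root login
    in some form and should be reviewed."""
    for line in sshd_config_lines:
        m = PERMIT_ROOT_RE.match(line)
        if m:
            return m.group(1).lower()
    return None


# Constructed sample data: not from any real device or incident.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 vmanage sshd[2140]: Accepted publickey for vmanage-admin from 10.10.1.1 port 51122 ssh2: RSA SHA256:abc
Mar  3 10:02:40 vmanage sshd[2155]: Accepted publickey for vmanage-admin from 10.10.1.2 port 51130 ssh2: RSA SHA256:abc
Mar  3 10:05:07 vmanage sshd[2201]: Accepted password for admin from 192.168.50.7 port 40022 ssh2
Mar  3 11:17:59 vmanage sshd[2389]: Accepted publickey for vmanage-admin from 203.0.113.45 port 60001 ssh2: RSA SHA256:def
Mar  3 11:18:03 vmanage sshd[2390]: Failed publickey for vmanage-admin from 203.0.113.45 port 60002 ssh2
""".splitlines()

# Constructed allowlists: System IPs of the controllers in the fabric and the
# subnet from which operators administer them (hypothetical values).
KNOWN_SYSTEM_IPS = ["10.10.1.1", "10.10.1.2", "10.10.1.3"]
KNOWN_MGMT_NETWORKS = ["192.168.50.0/24"]

# Constructed sshd_config fragment: the original "no" is commented out and a
# later uncommented "yes" takes effect.
SAMPLE_SSHD_CONFIG = """\
#PermitRootLogin no
PasswordAuthentication no
PermitRootLogin yes
""".splitlines()

if __name__ == "__main__":
    for raw, ip in find_unknown_sources(SAMPLE_AUTH_LOG, KNOWN_SYSTEM_IPS, KNOWN_MGMT_NETWORKS):
        print(f"UNKNOWN SOURCE {ip}: {raw}")
    print("effective PermitRootLogin:", effective_permit_root_login(SAMPLE_SSHD_CONFIG))
```

On a real system, feed the script the device's own auth.log and the System IPs exported from SD-WAN Manager; a hit from an address outside both allowlists is the starting point for the forensic collection described in the hunt guide, not a conclusion on its own.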
Mitigation and Response
Cisco has released software updates to address the vulnerability, but emphasizes that there are no workarounds that fully mitigate the issue. The company strongly recommends upgrading to a fixed software release as the only way to remediate CVE-2026-20127 completely.
For organizations that suspect compromise, CISA's hunt and hardening guide instructs:
- Collect forensic artifacts including admin core dumps and user home directories
- Ensure logs are stored externally to prevent tampering
- If the root account was compromised, deploy fresh installs rather than attempting to clean the existing infrastructure
- Treat unexpected peering events or unexplained controller activity as potential indicators of compromise
Security Best Practices
Both CISA and NCSC recommend the following security measures:
- Never expose SD-WAN management interfaces to the internet
- Restrict network exposure and place SD-WAN control components behind firewalls
- Isolate management interfaces
- Forward logs to external systems
- Apply Cisco's hardening guidance
- Immediately update and harden affected systems
Broader Context
This vulnerability is the latest in a run of actively exploited zero-days across network and endpoint products. Recent similar incidents include:
- Cisco fixes for Unified Communications RCE zero-day
- AsyncOS zero-day exploited since November
- Apple fixing zero-day flaws used in "extremely sophisticated" attacks
- Google patching Chrome zero-days
- Ivanti warnings about EPMM flaws exploited in zero-day attacks
These incidents highlight the ongoing challenges organizations face in securing their network infrastructure against sophisticated, persistent threat actors who exploit vulnerabilities across the entire technology stack.
The discovery that this vulnerability has been exploited since 2023 underscores the importance of proactive security measures, regular patching, and comprehensive monitoring of network infrastructure. Organizations using Cisco Catalyst SD-WAN should treat this as a critical security incident and take immediate action to assess their exposure and implement the recommended mitigations.