Five Eyes Intelligence Agencies Warn of Critical Cisco SD-WAN Vulnerabilities Under Active Attack

Regulation Reporter

A rare joint alert from the Five Eyes intelligence alliance warns organizations to urgently patch two Cisco SD-WAN vulnerabilities being exploited by sophisticated threat actors to gain persistent network access.

The Five Eyes intelligence alliance has issued an urgent joint warning about active exploitation of two critical vulnerabilities in Cisco Catalyst SD-WAN products, marking a rare coordinated alert from the US, UK, Canada, Australia, and New Zealand's intelligence agencies.

The alert, first raised by the Australian Signals Directorate and co-signed by all five agencies, confirms that malicious cyber actors are targeting Cisco SD-WAN devices globally to establish persistent network access. The UK's National Cyber Security Centre (NCSC) stated that attackers are compromising SD-WANs to add malicious rogue peers, achieve root access, and maintain a persistent presence within affected networks.

The Vulnerabilities in Detail

The first vulnerability, CVE-2022-20775, is a path traversal flaw in the SD-WAN command-line interface that allows privilege escalation. This vulnerability, which carries a CVSS score of 7.8, was originally disclosed in September 2022.

The second vulnerability, CVE-2026-20127, is the more severe of the two, with the maximum CVSS score of 10.0. This improper authentication flaw affects both Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager (formerly known as SD-WAN vSmart and SD-WAN vManage). Successful exploitation grants attackers administrative rights and potentially allows access to NETCONF for reconfiguring the SD-WAN fabric.

Cisco Talos, the company's threat intelligence arm, has attributed attacks using CVE-2026-20127 to a group tracked as UAT-8616. According to Talos, this highly sophisticated cyber threat actor has been exploiting the vulnerability since at least 2023.

Attack Methodology and Targeting

Analysis suggests attackers are using a multi-stage approach to compromise networks. The CVE-2026-20127 vulnerability is exploited first to gain administrative privileges, followed by the use of CVE-2022-20775 to downgrade the SD-WAN software version, ultimately allowing attackers to achieve root access.

While specific victim details remain limited, Cisco Talos indicated that targets are likely organizations in high-value, sensitive sectors. The attacks represent a continuing trend of cyber threat actors targeting network edge devices to establish persistent footholds in critical infrastructure sectors.

Immediate Actions Required

The Five Eyes agencies have issued clear guidance for organizations using Cisco Catalyst SD-WAN products:

  1. Immediate Investigation: Organizations should urgently investigate their exposure to potential network compromise

  2. Threat Hunting: Follow the Five Eyes Hunt Guide [PDF] to identify signs of compromise

  3. Reporting: Share any findings with relevant security authorities

  4. Patching: Upgrade to the latest version of Cisco Catalyst SD-WAN Controller/Manager

  5. Hardening: Apply vendor security updates and hardening guidance as soon as practicable

NCSC CTO Ollie Whitehouse emphasized the urgency: "UK organizations are strongly advised to report compromises to the NCSC, and to apply vendor updates and hardening guidance as soon as practicable to reduce the risk of exploitation."

Context and Severity

The coordinated nature of this alert underscores the seriousness of the threat. Joint advisories from all Five Eyes agencies are relatively uncommon and typically indicate intelligence assessments of significant risk to national security or critical infrastructure.

This incident follows a pattern of increased targeting of network edge devices by sophisticated threat actors. The ability to establish persistent access through compromised SD-WAN infrastructure could provide attackers with long-term visibility into network traffic and the ability to manipulate data flows.

Organizations using Cisco Catalyst SD-WAN products should treat this as a critical security incident requiring immediate attention. The combination of a newly discovered critical vulnerability (CVE-2026-20127) with an older but still exploitable flaw (CVE-2022-20775) creates a particularly dangerous attack scenario that has already been observed in the wild.

For organizations unable to immediately patch, implementing network segmentation, monitoring for unusual SD-WAN activity, and reviewing access logs for signs of unauthorized administrative access are recommended interim measures while working toward full remediation.
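The interim measures above, together with the indicators the advisory names (rogue peer additions, software downgrades, unauthorized administrative access), can be turned into a simple log-review pass. The script below is an added example, not code from the advisory, Cisco or the Five Eyes agencies; it uses a made-up key=value audit-log format with constructed sample lines and an assumed trusted management subnet (10.0.5.0/24), so the parser would need adapting to whatever export your SD-WAN Manager actually produces.

```python
"""Flag advisory-relevant events in constructed SD-WAN manager audit lines.

Added example. The log format, event names and sample data are invented for
illustration and are NOT Cisco's real audit-log format.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Finding:
    ts: str
    kind: str
    detail: str


# Constructed sample lines: timestamp followed by key=value fields.
SAMPLE_LOG = """\
2026-02-20T08:01:12Z event=admin_login user=netops src=10.0.5.21 result=success
2026-02-20T08:15:44Z event=admin_login user=admin src=198.51.100.77 result=success
2026-02-20T08:16:02Z event=peer_add user=admin src=198.51.100.77 system_ip=203.0.113.9
2026-02-20T08:17:30Z event=software_install user=admin src=198.51.100.77 prev=20.12.4 version=20.6.3
2026-02-20T09:00:00Z event=admin_login user=netops src=10.0.5.21 result=success
2026-02-20T09:05:10Z event=software_install user=netops src=10.0.5.21 prev=20.12.4 version=20.12.5
"""

# Assumption: administrative sessions are only expected from this management subnet.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]


def parse_line(line: str) -> Dict[str, str]:
    """Split 'ts key=value key=value ...' into a dict; timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '20.12.4' into (20, 12, 4) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_trusted_source(src: str) -> bool:
    """True if the source address falls inside an expected management subnet."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def review_log(text: str) -> List[Finding]:
    """Return findings for untrusted admin logins, peer additions and software downgrades."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        event = f.get("event")
        if event == "admin_login" and f.get("result") == "success":
            if not is_trusted_source(f.get("src", "")):
                findings.append(Finding(f["ts"], "untrusted_admin_login",
                                        f"user={f.get('user')} src={f.get('src')}"))
        elif event == "peer_add":
            # Every new peer is worth reviewing against change records; the advisory
            # specifically calls out rogue peers being added to compromised fabrics.
            findings.append(Finding(f["ts"], "peer_added",
                                    f"system_ip={f.get('system_ip')} by {f.get('user')} from {f.get('src')}"))
        elif event == "software_install" and "prev" in f and "version" in f:
            # A version that goes backwards matches the downgrade step described above.
            if version_tuple(f["version"]) < version_tuple(f["prev"]):
                findings.append(Finding(f["ts"], "software_downgrade",
                                        f"{f['prev']} -> {f['version']} by {f.get('user')}"))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding.ts, finding.kind, finding.detail)
```

On the constructed sample this reports three findings: an administrative login from outside the management subnet, a peer added by that session, and a downgrade from 20.12.4 to 20.6.3; the later in-band upgrade by netops is not flagged. Version comparison uses integer tuples deliberately, since a string comparison would rank "20.6.3" above "20.12.4".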