Current Cyber Threats

Critical Cisco SD-WAN Bug Exploited in Zero-day Attacks Since 2023

Summary:
A critical authentication bypass vulnerability (CVE-2026-20127) exists in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). The flaw allows an unauthenticated remote attacker to bypass authentication by sending crafted requests, gaining login access as an internal, high-privileged non-root user account and subsequently using NETCONF to manipulate the SD-WAN fabric configuration.

The vulnerability was reported by the Australian Signals Directorate's Australian Cyber Security Centre (ASD/ACSC), which determined that once the bypass succeeded, the malicious actors added a rogue peer and eventually gained root access to establish long-term persistence within the SD-WAN infrastructure. Cisco Talos is tracking this exploitation activity under the cluster designation UAT-8616, which it assesses with high confidence to be a highly sophisticated threat actor.

Security Officer Comments:
Once active exploitation in the wild was discovered, investigators found evidence of malicious activity dating back to at least 2023, roughly three years. Intelligence partners determined that the actor likely escalated to root by downgrading the controller software to an older version, exploiting a separate path traversal vulnerability, CVE-2022-20775, in that version, and then restoring the original software version. This gave them persistent root access while hiding how it had been obtained, since the running version no longer showed the vulnerable build.

CISA and its partners have observed these actors targeting and compromising Cisco SD-WAN systems belonging to organizations globally, and both CVE-2026-20127 and CVE-2022-20775 were added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 25, 2026. CISA has assessed this activity as presenting an imminent threat to federal networks and issued Emergency Directive ED 26-03, requiring Federal Civilian Executive Branch (FCEB) agencies to inventory affected systems, apply patches, and assess for compromise.

The vulnerability affects all deployment types: on-premises, Cisco Hosted SD-WAN Cloud, Cisco Hosted SD-WAN Cloud Cisco Managed, and the FedRAMP environment.

Suggested Corrections:
There are no workarounds that fully remediate the vulnerability; upgrading to a fixed release is the only definitive fix. Fixed releases include 20.9.8.2 (estimated release February 27, 2026), 20.12.5.3/20.12.6.1, 20.15.4.2, and 20.18.2.1. Releases earlier than 20.9 have no fix and require migration to a supported release.

As a temporary measure, on-premises customers should restrict inbound traffic to TCP ports 22 (SSH) and 830 (NETCONF over SSH) on the controllers using ACLs, security group rules, or firewall rules, allowing only the IP addresses of known controllers. This reduces exposure of the peering and NETCONF interfaces but does not remove the flaw.

For threat hunting, defenders should audit /var/log/auth.log for unexpected "Accepted publickey for vmanage-admin" entries from unknown source IPs, and validate all SD-WAN control connection peering events, particularly peers of type vManage, against the expected timestamps, source IPs, system IPs, and device roles in their inventory.

Evidence of CVE-2022-20775 exploitation can be identified by checking for path traversal strings such as /../../ in username fields.
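The three hunt checks above (unexpected vmanage-admin public-key logins, peering events that do not match inventory, and path traversal strings in username fields) can be scripted. The following is an added example written for this page; it is not Cisco, CISA, or ACSC tooling. The auth.log lines, the peering records, the controller allowlist and the peer inventory are all constructed for illustration, and the shape of real peering exports varies, so the record fields must be adapted to whatever export is being reviewed.

```python
"""Hunt helpers for the SD-WAN controller indicators described above.

Added example, not vendor tooling. Log lines, peer records, the allowlist
and the inventory below are constructed; adapt field names to real data.
"""
import ipaddress
import re

# Constructed sshd/auth.log lines. Only the second should be flagged as an
# unexpected admin login (vmanage-admin via public key from outside the
# allowlist); the fourth carries a traversal string as the username.
SAMPLE_AUTH_LOG = """\
Feb 20 03:14:07 vmanage sshd[2211]: Accepted publickey for vmanage-admin from 10.10.0.5 port 41022 ssh2: RSA SHA256:aaaa
Feb 20 03:14:09 vmanage sshd[2212]: Accepted publickey for vmanage-admin from 203.0.113.77 port 50112 ssh2: RSA SHA256:bbbb
Feb 20 03:15:01 vmanage sshd[2213]: Accepted password for admin from 10.10.0.9 port 41100 ssh2
Feb 20 03:16:44 vmanage sshd[2214]: Invalid user /../../tmp/x from 198.51.100.8 port 51000
"""

# Hypothetical allowlist of controller/management networks (assumption).
KNOWN_CONTROLLER_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed control-connection peering records (shape is illustrative).
SAMPLE_PEERS = [
    {"peer_type": "vmanage", "system_ip": "1.1.1.1", "remote_ip": "10.10.0.5"},
    {"peer_type": "vbond", "system_ip": "1.1.1.3", "remote_ip": "10.10.0.7"},
    {"peer_type": "vmanage", "system_ip": "1.1.1.9", "remote_ip": "203.0.113.77"},
]

# Hypothetical expected inventory: system_ip -> (peer_type, remote_ip).
EXPECTED_PEERS = {
    "1.1.1.1": ("vmanage", "10.10.0.5"),
    "1.1.1.3": ("vbond", "10.10.0.7"),
}

ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F:.]+) port \d+"
)
INVALID_USER_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[0-9a-fA-F:.]+)")
# A '..' path segment at the start of the name or between slashes.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def parse_auth_log(text):
    """Return login events as dicts: kind, method, user, ip, raw."""
    events = []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            events.append({"kind": "accepted", "raw": line, **m.groupdict()})
            continue
        m = INVALID_USER_RE.search(line)
        if m:
            events.append({"kind": "invalid_user", "method": None, "raw": line,
                           **m.groupdict()})
    return events


def ip_allowed(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_unexpected_admin_logins(events, nets=KNOWN_CONTROLLER_NETS,
                                 account="vmanage-admin"):
    """Public-key logins for the internal account from outside the allowlist."""
    return [e for e in events
            if e["kind"] == "accepted" and e["method"] == "publickey"
            and e["user"] == account and not ip_allowed(e["ip"], nets)]


def find_traversal_usernames(events):
    """Events whose username carries a /../ style segment (CVE-2022-20775 hunt)."""
    return [e for e in events if TRAVERSAL_RE.search(e["user"])]


def find_rogue_peers(peers, expected=EXPECTED_PEERS):
    """Peers missing from inventory, or whose type/address disagree with it."""
    rogue = []
    for p in peers:
        exp = expected.get(p["system_ip"])
        if exp is None or exp != (p["peer_type"], p["remote_ip"]):
            rogue.append(p)
    return rogue


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    for e in find_unexpected_admin_logins(ev):
        print("UNEXPECTED ADMIN LOGIN:", e["raw"])
    for e in find_traversal_usernames(ev):
        print("TRAVERSAL IN USERNAME:", e["raw"])
    for p in find_rogue_peers(SAMPLE_PEERS):
        print("UNEXPECTED PEER:", p)
```

Run it against a copy of the controller's auth.log and a peering export rather than on the controller itself, so that the evidence is preserved for the forensic review described below. A login from an allowlisted address is not proof of legitimacy: the attacker's rogue peer, once added, will itself appear as a peer, so the inventory used for comparison must come from a trusted record, not from the possibly compromised controller.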

Organizations that suspect compromise should engage Cisco TAC, run the request admin-tech command on all control components, and preserve logs, forensic disk and memory snapshots, and network telemetry for review before remediating or rebuilding the affected systems.

Link(s):
https://sec.cloudapps.cisco.com/sec...coSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk