Fyself News
Cisco SD-WAN zero-day CVE-2026-20127 has been exploited for administrator access since 2023
Ravi Lakshmanan, February 26, 2026, Vulnerability / Network Security

A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has been exploited in the wild as part of malicious activity dating back to 2023.

The vulnerability, tracked as CVE-2026-20127 (CVSS score: 10.0), allows an unauthenticated, remote attacker to bypass authentication and gain administrative privileges on an affected system by sending it a crafted request.

Successful exploitation could allow an adversary to obtain the privileges of an internal, highly privileged non-root user account on the system.

“This vulnerability exists because the peering authentication mechanism on the affected system is not functioning properly,” Cisco said in an advisory, adding that an attacker could leverage a non-root user account to access NETCONF and manipulate the network configuration of the SD-WAN fabric.

The flaw affects the following deployment types, regardless of device configuration:

On-Premise Deployment
Cisco Hosted SD-WAN Cloud
Cisco Hosted SD-WAN Cloud – Cisco Managed
Cisco Hosted SD-WAN Cloud – FedRAMP Environment

Cisco confirmed that the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC) reported the vulnerability. The networking equipment giant describes the threat actor as "highly sophisticated" and is tracking the exploitation and subsequent post-compromise activity under the name UAT-8616.

The vulnerability is resolved in the following versions of Cisco Catalyst SD-WAN (affected release – first fixed release):

Versions prior to 20.9 – Migrate to a fixed release
Version 20.9 – 20.9.8.2 (planned release date February 27, 2026)
Version 20.11 – 20.12.6.1
Version 20.12.5 – 20.12.5.3
Version 20.12.6 – 20.12.6.1
Version 20.13 – 20.15.4.2
Version 20.14 – 20.15.4.2
Version 20.15 – 20.15.4.2
Version 20.16 – 20.18.2.1
Version 20.18 – 20.18.2.1

“Cisco Catalyst SD-WAN controller systems with ports exposed to the Internet are at risk of compromise,” Cisco warns.

The company also recommends that customers audit the "/var/log/auth.log" file for entries related to "vmanage-admin authorized public key" logins from unknown or unauthorized IP addresses. Cisco further recommends comparing the source IP address of each such entry in auth.log against the System IPs of the legitimate SD-WAN controllers listed in the Cisco Catalyst SD-WAN Manager web UI (WebUI > Device > System IP); a vmanage-admin key login from any other address warrants investigation.
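The auth.log check described above, written out as a runnable example. This is an added illustration, not Cisco's own tooling: the sample log lines are constructed in the standard OpenSSH "Accepted publickey for USER from IP" format, so the exact wording on a real appliance may differ and the regular expression would then need adjusting; the set of known System IPs is likewise made up and would in practice be copied from the Manager web UI.

```python
import re
from ipaddress import ip_address

# Constructed sample of /var/log/auth.log lines (not taken from a real device).
SAMPLE_AUTH_LOG = """\
Feb 20 03:12:01 vmanage sshd[2211]: Accepted publickey for vmanage-admin from 10.10.0.12 port 41022 ssh2: RSA SHA256:abc
Feb 20 03:15:44 vmanage sshd[2290]: Accepted publickey for vmanage-admin from 10.10.0.13 port 41077 ssh2: RSA SHA256:def
Feb 21 22:48:09 vmanage sshd[3104]: Accepted publickey for vmanage-admin from 203.0.113.77 port 50211 ssh2: RSA SHA256:9f1
Feb 21 22:49:00 vmanage sshd[3110]: Accepted password for netops from 10.10.5.5 port 51000 ssh2
"""

# System IPs of the legitimate controllers, as read from
# Manager WebUI > Device > System IP (constructed values for this example).
KNOWN_SYSTEM_IPS = {"10.10.0.12", "10.10.0.13", "10.10.0.14"}

# Matches the standard OpenSSH "Accepted <method> for <user> from <ip> port <n>" line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Extract successful-login events as dicts with ts, method, user and ip."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_peer_logins(text, known_ips, user="vmanage-admin"):
    """Return (timestamp, source_ip) for every public-key login of `user`
    whose source address is not one of the configured controller System IPs."""
    hits = []
    for ev in parse_auth_log(text):
        if ev["user"] != user or ev["method"] != "publickey":
            continue
        try:
            src = str(ip_address(ev["ip"]))  # normalise, e.g. strip IPv6 zone quirks
        except ValueError:
            src = ev["ip"]  # keep the raw token if it does not parse as an address
        if src not in known_ips:
            hits.append((ev["ts"], src))
    return hits


if __name__ == "__main__":
    for ts, ip in find_suspicious_peer_logins(SAMPLE_AUTH_LOG, KNOWN_SYSTEM_IPS):
        print(f"{ts}: vmanage-admin key login from unexpected address {ip}")
```

Only key-based logins of the peering account are flagged; password logins by other users are ignored by design, since the advisory's indicator is specifically a vmanage-admin public-key login from an address that is not a known controller.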

According to information released by ASD-ACSC, UAT-8616 has been able to infiltrate Cisco SD-WAN and gain elevated access since 2023 through a zero-day exploit.

“This vulnerability allowed a malicious cyber attacker to create a rogue peer that connects to an organization’s SD-WAN network management or control plane,” ASD-ACSC said. “A rogue device appears as a new, but ephemeral, adversary-controlled SD-WAN component that can perform trusted actions within the management and control planes.”

After gaining initial access by exploiting the public-facing application, the attackers were found to use the built-in update mechanism to incrementally downgrade the software version, exploit CVE-2022-20775 (CVSS score: 7.8), a high-severity privilege escalation bug in the CLI of Cisco SD-WAN software, to escalate to the root user, and then restore the software to the version it was originally running.

Some of the subsequent steps taken by the threat actor were:

Creating a local user account that mimics other local user accounts.
Adding Secure Shell (SSH) authentication keys for root access and modifying SD-WAN-related startup scripts to customize the environment.
Connecting to and from Cisco SD-WAN appliances in the management plane using NETCONF over SSH on port 830.
Removing evidence of the intrusion by clearing logs under "/var/log", command history, and network connection history.

“The attempted exploitation of UAT-8616 demonstrates the continued trend of targeting network edge devices by cyber attackers seeking to establish a durable foothold in high-value organizations, including the critical infrastructure (CI) sector,” Talos said.

In light of this development, the Cybersecurity and Infrastructure Security Agency (CISA) has added both CVE-2022-20775 and CVE-2026-20127 to its Known Exploited Vulnerabilities (KEV) Catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes within 24 hours.

To check for version downgrades or unexpected restart events, CISA recommends analyzing the following logs:

/var/volatile/log/vdebug
/var/log/tmplog/vdebug
/var/volatile/log/sw_script_synccdb.log
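The downgrade pattern described earlier (step down through older releases to reach the CVE-2022-20775 window, then restore the original version) shows up in an install log as a version sequence that goes backwards before returning. The example below, added here and not drawn from CISA's guidance or Cisco's tooling, demonstrates the check over a constructed log excerpt; the line format is hypothetical and the regular expression would need to be matched to the real vdebug or sw_script_synccdb.log wording.

```python
import re

# Constructed install-log excerpt. The wording is hypothetical; only the
# timestamp prefix and a dotted version string are assumed.
SAMPLE_LOG = """\
2025-11-02 01:10:05 install: activating software version 20.12.5.3
2026-01-14 03:22:41 install: activating software version 20.9.1
2026-01-14 03:40:12 install: activating software version 20.6.2
2026-01-14 04:58:30 install: activating software version 20.12.5.3
"""

VERSION_RE = re.compile(r"activating software version (?P<ver>\d+(?:\.\d+)+)")


def version_key(ver):
    """Turn '20.12.5.3' into (20, 12, 5, 3) so comparison is numeric per component.
    A plain string compare would wrongly rank '20.9.1' above '20.12.5.3'."""
    return tuple(int(p) for p in ver.split("."))


def activation_events(text):
    """(timestamp, version) for every activation line, in file order."""
    events = []
    for line in text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            events.append((line[:19], m.group("ver")))
    return events


def find_downgrades(text):
    """Return (timestamp, from_version, to_version) for each consecutive
    activation where the version decreased."""
    events = activation_events(text)
    downgrades = []
    for (_, prev), (ts, cur) in zip(events, events[1:]):
        if version_key(cur) < version_key(prev):
            downgrades.append((ts, prev, cur))
    return downgrades


def returned_to_original(text):
    """True if the last activation restores the first version seen, the
    'downgrade, escalate, restore' shape described in the intrusion."""
    events = activation_events(text)
    return len(events) > 1 and events[0][1] == events[-1][1]


if __name__ == "__main__":
    for ts, before, after in find_downgrades(SAMPLE_LOG):
        print(f"{ts}: downgrade {before} -> {after}")
    if returned_to_original(SAMPLE_LOG):
        print("software was restored to the original version after the downgrades")
```

Two downgrades are reported for the constructed excerpt, followed by a restore to the starting release; a genuine maintenance downgrade would normally be a single step and would not be immediately followed by a return to the previous version.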

CISA also issued a new emergency directive, 26-03: Mitigating Vulnerabilities in Cisco SD-WAN Systems, which requires federal agencies to inventory SD-WAN devices, apply updates, and assess potential for compromise.

To this end, agencies are ordered to provide an inventory of all in-scope SD-WAN systems on their networks by February 26, 2026 at 11:59 PM ET. In addition, a detailed inventory of all affected products and the actions taken must be submitted by March 5, 2026 at 11:59 PM ET. Finally, agencies must submit a list of all actions they have taken to harden the environment by March 26, 2026 at 11:59 PM ET.

© 2026 news.fyself. Designed by fyself.