A severe security flaw has been identified in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager, which cybercriminals have exploited since 2023. This vulnerability, designated as CVE-2026-20127 with a critical CVSS score of 10.0, permits remote attackers to gain administrative access by bypassing authentication protocols through crafted requests.
Understanding the Exploitation
The flaw stems from an ineffective peering authentication mechanism in the affected systems. An attacker who exploits it gains elevated privileges, operating as a high-privileged but non-root user, and can then use NETCONF to manipulate network configurations. The vulnerability affects a range of deployment scenarios, including On-Prem, Cisco Hosted SD-WAN Cloud, and Cisco Managed environments, posing significant risk to exposed systems.
Cisco, recognizing the gravity of the issue, has credited the Australian Cyber Security Centre with identifying the flaw. Cisco tracks the exploitation activity under the designation UAT-8616 and describes the perpetrators as sophisticated threat actors. The vulnerability has been fixed in several software releases, and users are urged to update to the fixed versions promptly.
Security Measures and Recommendations
Cisco advises users to scrutinize logs for unauthorized access attempts, in particular suspicious entries in the '/var/log/auth.log' file that reference the 'vmanage-admin' account from unknown IP addresses. Those IP addresses should then be verified against the System IPs configured in the SD-WAN Manager's UI.
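The log check described above, as an added example that is not Cisco's own tooling: it walks auth.log entries, keeps only logins for the 'vmanage-admin' account, and flags those whose source IP is not among the configured System IPs. The sshd-style log format, the System IP allowlist and the sample log lines are all constructed assumptions for this example.

```python
import re

# Configured System IPs of legitimate SD-WAN peers (constructed values; in practice,
# take these from the SD-WAN Manager UI as the advisory recommends).
CONFIGURED_SYSTEM_IPS = {"10.10.0.11", "10.10.0.12"}

# Assumed sshd-style auth.log line format; the exact wording on a real system may differ.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def find_suspicious_logins(lines, known_ips, user="vmanage-admin"):
    """Return login entries for `user` whose source IP is not a configured System IP.

    Both accepted and failed attempts are reported, since a failed attempt from an
    unknown peer is still worth investigating.
    """
    hits = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m or m.group("user") != user:
            continue  # not a login line, or a different account
        if m.group("ip") not in known_ips:
            hits.append({
                "ts": m.group("ts"),
                "ip": m.group("ip"),
                "result": m.group("result"),
                "method": m.group("method"),
            })
    return hits


# Constructed sample auth.log lines: one legitimate peer, two unknown sources, one other account.
SAMPLE_AUTH_LOG = """\
Jan 14 03:12:44 vmanage sshd[2211]: Accepted publickey for vmanage-admin from 10.10.0.11 port 51822 ssh2
Jan 14 03:15:02 vmanage sshd[2319]: Accepted publickey for vmanage-admin from 203.0.113.45 port 40212 ssh2
Jan 14 03:15:09 vmanage sshd[2320]: Failed password for admin from 198.51.100.7 port 40310 ssh2
Jan 14 03:16:30 vmanage sshd[2330]: Accepted password for vmanage-admin from 198.51.100.7 port 40411 ssh2
""".splitlines()

if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_AUTH_LOG, CONFIGURED_SYSTEM_IPS):
        print(f"{hit['ts']}  vmanage-admin {hit['result']} ({hit['method']}) from unknown IP {hit['ip']}")
```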
The Australian Cyber Security Centre has highlighted the threat posed by rogue peers joining the network management plane, which allows attackers to perform trusted actions within the SD-WAN environment. The observed exploitation chain also uses a known vulnerability, CVE-2022-20775, to escalate privileges further, emphasizing the need for vigilance and timely updates.
Broader Implications and Response
The persistent targeting of network edge devices by cyber actors, especially those aiming at critical infrastructure sectors, underscores the urgency of robust cybersecurity measures. The Cybersecurity and Infrastructure Security Agency (CISA) has responded by adding these vulnerabilities to its Known Exploited Vulnerabilities catalog, mandating swift patching by federal agencies.
CISA has issued directives for comprehensive audits of SD-WAN systems, requiring agencies to inventory devices, apply necessary updates, and assess potential compromises. Compliance deadlines have been set, emphasizing the importance of proactive steps to safeguard against potential threats.
The increasing sophistication of cyber threats necessitates continuous monitoring and prompt action to protect essential network infrastructure. Organizations are urged to follow recommended practices and maintain up-to-date defenses to mitigate the risks posed by such vulnerabilities.
