Cisco has deployed urgent updates to address a severe security flaw in its Catalyst SD-WAN systems, which was actively exploited by cyber attackers. Identified as CVE-2026-20127, this zero-day vulnerability is rated with a maximum severity score of 10/10 on the CVSS scale.
Details of the Vulnerability
The flaw in question allows remote attackers to bypass authentication protocols and gain administrative access to vulnerable devices. Specifically, it compromises the peering authentication mechanism of the Catalyst SD-WAN Controller and Manager, previously known as SD-WAN vSmart and vManage, respectively.
By exploiting this vulnerability, attackers can send crafted requests to log in as a high-privileged but non-root user and then manipulate network configurations through NETCONF, Cisco noted in its advisory.
Patch Release and Exploitation
Cisco has addressed this security issue with the release of updated versions of its Catalyst SD-WAN software, including versions 20.12.6.1, 20.12.5.3, 20.15.4.2, and 20.18.2.1. An additional update, version 20.9.8.2, is scheduled for release shortly.
While the vulnerability has seen limited exploitation, Cisco has issued indicators of compromise (IoCs) to assist organizations in detecting malicious activities targeting their SD-WAN infrastructures exposed to the internet.
Broader Security Measures and Threat Actor Involvement
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this zero-day, along with another previously known vulnerability, CVE-2022-20775, to its catalog of Known Exploited Vulnerabilities. CISA has urged federal agencies to apply patches for both vulnerabilities within a tight timeframe.
These vulnerabilities have reportedly been exploited by a group labeled by Cisco Talos as UAT-8616, a sophisticated cyber threat actor identified in 2023. The attackers have been known to downgrade software to vulnerable versions to maintain access and control.
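The two defender checks this reporting points to are whether a Catalyst SD-WAN Manager or Controller is running one of the fixed releases listed above, and whether a device's software version has gone backwards in the inventory, since downgrading to a vulnerable version is the persistence technique attributed to UAT-8616. The following is an added example, not Cisco's code or tooling; it assumes dotted numeric version strings and takes its release lists only from the article, so the lists must be checked against Cisco's advisory before use.

```python
# Added example, not Cisco's code: classify a Catalyst SD-WAN Manager/Controller
# version against the fixed releases the article lists, and flag version
# downgrades in an inventory history (the article says UAT-8616 downgraded
# software to vulnerable versions). Assumption: dotted numeric version strings;
# the release lists below are only what the article states, check Cisco's advisory.

FIXED_RELEASES = ["20.12.6.1", "20.12.5.3", "20.15.4.2", "20.18.2.1"]
PENDING_RELEASES = ["20.9.8.2"]  # announced, not yet published per the article


def parse(version):
    """'20.12.6.1' -> (20, 12, 6, 1), so tuples compare component-wise."""
    return tuple(int(p) for p in version.split("."))


def status(version):
    """Return 'fixed', 'vulnerable', 'fix_pending' or 'unlisted'.

    Match on the maintenance branch (first three components), not the train:
    20.12.5.3 is fixed but 20.12.6.0 is not, although it sorts higher.
    """
    v = parse(version)
    for fixed in FIXED_RELEASES:
        if parse(fixed)[:3] == v[:3]:
            return "fixed" if v >= parse(fixed) else "vulnerable"
    if any(parse(p)[:3] == v[:3] for p in PENDING_RELEASES):
        return "fix_pending"
    return "unlisted"  # no fixed release named in the article for this branch


def downgrades(history):
    """history: (timestamp, version) pairs for one device, oldest first.

    Returns (timestamp, old_version, new_version) for each step where the
    running version went backwards; each one merits an incident review.
    """
    found = []
    for (_, v_prev), (t_next, v_next) in zip(history, history[1:]):
        if parse(v_next) < parse(v_prev):
            found.append((t_next, v_prev, v_next))
    return found


# Constructed inventory history for one controller (not real data).
SAMPLE_HISTORY = [
    ("2026-01-10T09:00Z", "20.12.5.1"),
    ("2026-02-01T09:00Z", "20.12.5.3"),  # patched release applied
    ("2026-02-03T02:14Z", "20.12.5.1"),  # rolled back: investigate
]

if __name__ == "__main__":
    for _, v in SAMPLE_HISTORY:
        print(v, status(v))
    print("downgrades:", downgrades(SAMPLE_HISTORY))
```

A branch that is newer than any listed fixed release (for example a later 20.18 maintenance branch) is reported as "unlisted" rather than assumed fixed, because the article does not state its status.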
Separately, Talos has also observed activity by a China-nexus group that may be exploiting other zero-day vulnerabilities in Cisco products, although it has not directly linked this activity to UAT-8616.
Alongside these updates, Cisco has also introduced solutions for other flaws in its Catalyst SD-WAN Manager and additional products, although these have not yet been exploited.
The swift response to these vulnerabilities underlines the importance of keeping network systems updated and secure against evolving cyber threats.
