Recent reports indicate a significant rise in the exploitation of a Cisco Catalyst SD-WAN vulnerability. Initially targeted as a zero-day, this security loophole has become a frequent target for cybercriminals, according to exposure management firm WatchTowr.
Escalating Threat Activity
WatchTowr has identified four vulnerabilities within the Cisco Catalyst SD-WAN, including CVE-2026-20127, which has been actively exploited alongside an older flaw, CVE-2022-20775. This combination is utilized to bypass security measures, escalate user privileges, and maintain unauthorized access to systems.
Cisco’s security division, Talos, has tracked these exploits back to a sophisticated threat group known as UAT-8616. Although the group’s origins and motives remain unclear, their activities have been ongoing since at least 2023.
Global Exploitation Patterns
Ryan Dewhurst, head of proactive threat intelligence at WatchTowr, shared with SecurityWeek that the exploitation of CVE-2026-20127 is now widespread. He noted, “This has evolved from a targeted operation to a global phenomenon.” The increase in attack attempts was particularly pronounced on March 4, with numerous IP addresses involved and notable activity recorded in the United States.
Dewhurst warned of continued threats, stating, “As exploitation becomes more widespread, any exposed system should be assumed compromised unless verified otherwise.”
Ongoing Security Challenges
Cisco has updated its advisory from February 25 to include information on two additional SD-WAN vulnerabilities: CVE-2026-20128 and CVE-2026-20122. Both can be exploited by authenticated users to gain elevated privileges. While details of these attacks are scarce, they appear to involve multiple chained vulnerabilities.
There is uncertainty about whether the same threat actors are responsible for all current campaigns targeting SD-WAN vulnerabilities. Cisco recently flagged a zero-day vulnerability in its Secure Email Gateway appliances, attributed to China-linked hackers, though it’s unclear if these incidents are connected.
The continued discovery and exploitation of such vulnerabilities underscore the importance of robust cybersecurity measures. Organizations using Cisco products are advised to implement the latest security patches and monitor their systems closely.
