A recently released proof-of-concept (PoC) exploit has brought to light a critical zero-day vulnerability identified as CVE-2026-20127 in Cisco Catalyst SD-WAN Controller and SD-WAN Manager. This severe security flaw has been actively targeted by cybercriminals since at least 2023, posing significant risks to global critical infrastructure.
Details of the Exploit
The PoC, shared on GitHub by zerozenxlabs, includes a functional Python exploit script and a JSP webshell named cmd.jsp. It also offers a deployable WAR file, which significantly lowers the entry barrier for potential attackers aiming to exploit this vulnerability.
Cisco Talos, which tracks the activity under the identifier UAT-8616, attributes it to a sophisticated threat actor. The vulnerability stems from a flaw in the peering authentication mechanism of affected Cisco SD-WAN systems, allowing unauthenticated remote attackers to bypass login and obtain administrative sessions.
Mechanism of the Attack
Once the vulnerability is exploited, attackers can follow a complex attack chain. Initially, they exploit the CVE-2026-20127 vulnerability to gain high-level, non-root admin access, subsequently adding a rogue peer device to the SD-WAN management and control plane.
The attack progresses with a strategic software version downgrade, exploiting the older CVE-2022-20775 to achieve full root access. After achieving their objectives, attackers restore the system to its original software version to obfuscate their activities.
Moreover, attackers establish persistence by adding unauthorized SSH keys and modifying configuration settings, which facilitates lateral movement across the network. They also employ tactics to erase forensic evidence, including clearing logs and histories.
Response and Mitigation
In response, Cisco Talos strongly advises administrators to conduct immediate audits of control connection peering events in SD-WAN logs. Indicators such as unauthorized peer connections, unexpected IP sources, and anomalous timestamps should be treated with high urgency as potential signs of compromise.
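As an added illustration of the audit Talos recommends (not code from the article, Cisco or Talos), the script below walks a set of peering events and flags the three indicators named above: a peer whose system-ip/site-id is not in the inventory, a connection from a source address outside the management networks, and anomalous timestamps (a new peer appearing outside an approved change window, or a timestamp that runs backwards, which can indicate clock tampering or an edited log). The line format, the inventory, the management CIDR and the sample log are all constructed for the example; Cisco's real log syntax differs, so `LINE_RE` would need adapting to your own export.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed, illustrative line format for control-connection peering events.
# It is NOT the real Cisco SD-WAN Manager/Controller log syntax; adapt LINE_RE
# to whatever your own log export looks like.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+peer-connect\s+src=(?P<src>\S+)\s+"
    r"system-ip=(?P<sysip>\S+)\s+site-id=(?P<site>\d+)\s*$"
)


@dataclass
class Finding:
    line_no: int   # 1-based index into the log lines
    reason: str
    raw: str


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2026-02-10T09:15:02Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def audit_peering_log(lines, known_peers, mgmt_nets, change_windows):
    """Return a list of Finding for peering events that look suspicious.

    known_peers    -- set of (system-ip, site-id) pairs from the device inventory
    mgmt_nets      -- CIDR strings from which peers are expected to connect
    change_windows -- list of (start, end) aware datetimes when new peers are expected
    """
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    last_ts = None
    for line_no, raw in enumerate(lines, start=1):
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a peering event; other record types are ignored here
        ts = parse_ts(m["ts"])
        src = ipaddress.ip_address(m["src"])
        peer = (m["sysip"], int(m["site"]))

        # 1. Peer identity not in the inventory: a device being added that nobody provisioned.
        if peer not in known_peers:
            findings.append(Finding(line_no, "peer not in inventory", raw))
            # 2. A *new* peer outside any approved change window is doubly suspicious.
            if not any(start <= ts <= end for start, end in change_windows):
                findings.append(Finding(line_no, "new peer outside change window", raw))

        # 3. Connection from a source address outside the expected management networks.
        if not any(src in net for net in nets):
            findings.append(Finding(line_no, f"source {src} outside management networks", raw))

        # 4. Timestamp earlier than the previous event: clock change or an edited log.
        if last_ts is not None and ts < last_ts:
            findings.append(Finding(line_no, "timestamp earlier than previous event", raw))
        last_ts = ts
    return findings


# Constructed sample log: two ordinary peerings inside a change window, an unknown
# peer from an external address at 03:00 UTC, a known peer reconnecting, and
# finally a line whose timestamp runs backwards.
SAMPLE_LOG = """\
2026-02-10T09:15:02Z peer-connect src=10.10.1.20 system-ip=10.0.0.5 site-id=100
2026-02-10T09:16:40Z peer-connect src=10.10.1.21 system-ip=10.0.0.6 site-id=101
2026-02-11T03:02:11Z peer-connect src=203.0.113.77 system-ip=10.0.0.99 site-id=999
2026-02-11T03:04:55Z peer-connect src=10.10.1.22 system-ip=10.0.0.7 site-id=102
2026-02-10T22:00:00Z peer-connect src=10.10.1.20 system-ip=10.0.0.5 site-id=100
""".splitlines()

# Constructed inventory, management network and approved change window.
KNOWN_PEERS = {("10.0.0.5", 100), ("10.0.0.6", 101), ("10.0.0.7", 102)}
MGMT_NETS = ["10.10.1.0/24"]
CHANGE_WINDOWS = [
    (datetime(2026, 2, 10, 8, 0, tzinfo=timezone.utc),
     datetime(2026, 2, 10, 18, 0, tzinfo=timezone.utc)),
]


def run_sample():
    return audit_peering_log(SAMPLE_LOG, KNOWN_PEERS, MGMT_NETS, CHANGE_WINDOWS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"line {f.line_no}: {f.reason}\n    {f.raw}")
```

On the sample data the third line produces three findings (unknown peer, outside the change window, external source address) and the fifth line one (timestamp regression); the known peer reconnecting at 03:04 UTC is not flagged, since established devices re-peer routinely and only new identities outside a window are treated as anomalous.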
Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2026-20127 in its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply patches promptly. Organizations using Cisco Catalyst SD-WAN are encouraged to review the security advisory and consult the Australian Cyber Security Centre’s SD-WAN Threat Hunting Guide for further instructions.
