Critical Cisco SD-WAN Vulnerability PoC Exploit Released

Posted on March 6, 2026 By CWS

A recently released proof-of-concept (PoC) exploit has drawn attention to a critical zero-day vulnerability, tracked as CVE-2026-20127, in Cisco Catalyst SD-WAN Controller and SD-WAN Manager. The flaw has been actively exploited since at least 2023 and poses a significant risk to critical infrastructure worldwide.

Details of the Exploit

The PoC, published on GitHub by zerozenxlabs, includes a working Python exploit script and a JSP webshell named cmd.jsp. It also ships a deployable WAR file, which substantially lowers the barrier to entry for anyone seeking to exploit the vulnerability.

Cisco Talos tracks the actor behind the intrusions as UAT-8616 and describes it as a sophisticated threat actor. The vulnerability stems from a flaw in the peering authentication mechanism of affected Cisco SD-WAN systems, which allows unauthenticated remote attackers to bypass login and obtain administrative sessions.

Mechanism of the Attack

The observed intrusions follow a multi-stage attack chain. The attackers first exploit CVE-2026-20127 to obtain high-privilege, non-root administrative access, then add a rogue peer device to the SD-WAN management and control plane.

Next, they deliberately downgrade the software version so that the older CVE-2022-20775 becomes exploitable, and use it to gain full root access. Once their objectives are met, they restore the original software version to conceal the activity.

The attackers also establish persistence by adding unauthorized SSH keys and altering configuration settings, which supports lateral movement across the network, and they erase forensic evidence by clearing logs and command histories.

Response and Mitigation

In response, Cisco Talos strongly advises administrators to conduct immediate audits of control connection peering events in SD-WAN logs. Indicators such as unauthorized peer connections, unexpected IP sources, and anomalous timestamps should be treated with high urgency as potential signs of compromise.
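As an added illustration of the audit Talos recommends (this is not code from the article, Cisco or Talos), the script below scans constructed peering-event lines in a simplified, hypothetical log format and flags the indicators named above: unknown peers, unexpected source addresses, events outside a change window, and, from the attack chain described earlier, a software version downgrade. The log syntax, the device inventory, the management ranges and the change window are all assumptions.

```python
"""Audit constructed SD-WAN control-connection events for the indicators in the article."""
import re
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample lines in a hypothetical simplified format (not Cisco's real syslog layout).
SAMPLE_LOG = """\
2026-03-01T09:10:44Z peer-add system-ip=10.1.1.5 src=192.168.10.5 type=vedge
2026-03-01T10:15:02Z peer-add system-ip=10.1.1.6 src=192.168.10.6 type=vedge
2026-03-02T03:27:11Z peer-add system-ip=10.9.9.9 src=203.0.113.77 type=vsmart
2026-03-02T03:29:50Z version-change from=20.12.4 to=20.9.1
2026-03-02T04:02:13Z version-change from=20.9.1 to=20.12.4
"""

KNOWN_PEERS = {"10.1.1.5", "10.1.1.6"}        # assumed device inventory (system IPs)
MGMT_NETS = [ip_network("192.168.10.0/24")]   # assumed ranges peers should connect from
CHANGE_WINDOW = (time(8, 0), time(18, 0))      # assumed approved change hours, UTC

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<rest>.*)$")


def parse_line(line):
    """Return (timestamp, event, fields) or None for a line that does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split())
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["event"], fields


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def audit(log_text):
    """Return a list of (timestamp, finding, detail) worth a human's attention."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, f = parsed
        if event == "peer-add":
            if f["system-ip"] not in KNOWN_PEERS:          # rogue peer joining the control plane
                findings.append((ts, "unknown peer", f["system-ip"]))
            if not any(ip_address(f["src"]) in n for n in MGMT_NETS):
                findings.append((ts, "unexpected source", f["src"]))
        if event == "version-change" and version_tuple(f["to"]) < version_tuple(f["from"]):
            findings.append((ts, "software downgrade", f"{f['from']}->{f['to']}"))
        if event in ("peer-add", "version-change") and not CHANGE_WINDOW[0] <= ts.time() <= CHANGE_WINDOW[1]:
            findings.append((ts, "outside change window", event))
    return findings
```

Running `audit(SAMPLE_LOG)` on the constructed lines reports the rogue vsmart peer, its off-network source, the overnight downgrade and the later restore as separate findings, while the two legitimate daytime peer additions produce nothing.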

Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2026-20127 in its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply patches promptly. Organizations using Cisco Catalyst SD-WAN are encouraged to review the security advisory and consult the Australian Cyber Security Centre’s SD-WAN Threat Hunting Guide for further instructions.


Tags: Cisco, CVE-2026-20127, cyber threat, Cybersecurity, Exploit, PoC, SD-WAN, security patch, Vulnerability, zero-day

Copyright © 2026 Cyber Web Spider Blog – News.