Cisco has disclosed a critical SD-WAN vulnerability, tracked as CVE-2026-20127 with a CVSS score of 10.0, which has been exploited since 2023. By sending crafted requests, an unauthenticated attacker can gain full administrative access to Catalyst SD-WAN Controller and Manager.
According to Cisco Talos, the exploitation is attributed to a highly sophisticated threat actor dubbed UAT-8616. Investigators believe the actor escalated to root access by downgrading the software, exploiting CVE-2022-20775, and then restoring the original version to maintain stealth. Cisco credits the Australian Cyber Security Centre (ASD-ACSC) with reporting the issue and tracks the related exploitation under UAT-8616.
Cisco notes that the flaw affects all Cisco Catalyst SD-WAN deployments, including On-Prem, Cisco Hosted SD-WAN Cloud, and various managed environments, and urges customers to upgrade to patched releases such as 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, and 20.18.2.1, since there are no full workarounds beyond temporary port restrictions. The company also advises reviewing logs for suspicious SSH-like activity and following its hardening guidance to mitigate ongoing or potential compromises.
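A first triage step for a fleet is to compare each controller's running version against the fixed releases named above. The script below is an added example, not Cisco's tooling or anything published with the advisory: it parses version strings (including defanged forms such as `20.9.8[.]2`, which some advisories use), maps each fixed build to its release train, and reports a device as fixed, vulnerable, or unlisted. Because the advisory text says "such as", the list is treated as possibly incomplete, so a train or maintenance line that the list does not cover is flagged as "unlisted" for manual verification rather than silently marked safe. The inventory at the bottom is constructed sample data.

```python
"""Triage Cisco Catalyst SD-WAN versions against the fixed releases quoted for CVE-2026-20127.

Added example (not Cisco's code). FIXED_RELEASES is taken from the advisory
summary above; the advisory says "such as", so the list may be incomplete and
anything not clearly covered is reported as "unlisted" rather than "fixed".
"""
import re

# Fixed releases named in the advisory summary.
FIXED_RELEASES = ["20.9.8.2", "20.12.5.3", "20.12.6.1", "20.15.4.2", "20.18.2.1"]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '20.12.5.3' (or defanged '20.12.5[.]3') into a 4-component tuple."""
    cleaned = text.replace("[.]", ".").strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", cleaned):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in cleaned.split("."))
    return parts + (0,) * (4 - len(parts))  # pad so tuples compare cleanly


# Release train (major.minor) -> sorted list of fixed builds on that train.
_FIXED_BY_TRAIN: dict[tuple[int, int], list[tuple[int, ...]]] = {}
for _rel in FIXED_RELEASES:
    _v = parse_version(_rel)
    _FIXED_BY_TRAIN.setdefault(_v[:2], []).append(_v)
for _builds in _FIXED_BY_TRAIN.values():
    _builds.sort()


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unlisted' for one device version."""
    v = parse_version(version)
    train = _FIXED_BY_TRAIN.get(v[:2])
    if train is None:
        return "unlisted"  # train not in the quoted list: check the advisory
    same_line = [f for f in train if f[:3] == v[:3]]
    if same_line:
        # Same maintenance line as a fixed build: compare the rebuild number.
        return "fixed" if v >= same_line[0] else "vulnerable"
    if v < train[0]:
        return "vulnerable"  # older than every fixed build on this train
    return "unlisted"  # a maintenance line the summary does not name


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by assessment so the vulnerable set is immediately visible."""
    report: dict[str, list[str]] = {"fixed": [], "vulnerable": [], "unlisted": []}
    for host, version in inventory.items():
        report[assess(version)].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "vmanage-01": "20.12.5.3",
    "vmanage-02": "20.12.6.0",
    "vsmart-01": "20.9.7",
    "vsmart-02": "20.9.8[.]2",
    "vsmart-03": "20.10.1.0",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:<10} {', '.join(hosts) or '-'}")
```

Note the 20.12 train, which has two fixed builds: 20.12.6.0 sits above 20.12.5.3 but below 20.12.6.1, so a naive "greater than any fixed release" comparison would wrongly clear it; comparing within the maintenance line catches it. Treat "unlisted" as a prompt to consult the full Cisco advisory, not as a pass.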