Cisco has disclosed a maximum-severity flaw in the Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage), tracked as CVE-2026-20127 (CVSS 10.0), which has been exploited in the wild since 2023 to grant administrative access via an unauthenticated remote attack.
According to Cisco, the vulnerability stems from a peering authentication mechanism that can be bypassed, allowing a threat actor to access NETCONF and manipulate the SD-WAN fabric using a non-root user account. ASD's ACSC and Talos attribute the activity to UAT-8616, a high-level threat cluster. The UAT-8616 activity has prompted CISA to add CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities catalog, with a directive for federal agencies to apply fixes within 24 hours.
Cisco advises customers to audit /var/log/auth.log for entries showing "Accepted publickey for vmanage-admin" from unfamiliar IPs and to compare those IPs against the System IPs listed in the SD-WAN Manager UI. The advisory also notes that exploitation has included staging rogue peers on the management plane and using the built-in update mechanism to downgrade software and escalate to root via CVE-2022-20775 before restoring the original version.
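The audit Cisco describes, parsing auth.log for accepted public-key logins as vmanage-admin and flagging any source IP that is not a known System IP, can be scripted. The following is an added example written for this page, not code from Cisco or the advisory; the log lines are constructed samples in the usual sshd format (one in the traditional syslog timestamp style, one in ISO 8601), and the set of known System IPs is a hypothetical allowlist that a defender would replace with the list exported from the SD-WAN Manager UI.

```python
import re
from ipaddress import ip_address

# Constructed sample auth.log content (not real data). Includes one
# accepted vmanage-admin login from an assumed-known System IP, one
# from an unknown address, one ISO-timestamped line, and two lines
# that must not match (password login; failed attempt).
SAMPLE_AUTH_LOG = """\
Feb 20 03:14:07 vmanage sshd[2101]: Accepted publickey for vmanage-admin from 10.1.1.5 port 51844 ssh2: RSA SHA256:AAAA
Feb 20 03:15:22 vmanage sshd[2109]: Accepted password for admin from 10.1.1.9 port 51902 ssh2
Feb 20 04:02:51 vmanage sshd[2311]: Accepted publickey for vmanage-admin from 203.0.113.77 port 40122 ssh2: RSA SHA256:BBBB
Feb 20 04:03:10 vmanage sshd[2315]: Failed publickey for vmanage-admin from 203.0.113.77 port 40130 ssh2
2026-02-20T05:00:01.123456+00:00 vmanage sshd[2400]: Accepted publickey for vmanage-admin from 10.1.1.6 port 52000 ssh2: ED25519 SHA256:CCCC
"""

# Hypothetical allowlist: the System IPs of legitimate peers as shown in
# the SD-WAN Manager UI. Replace with the real exported list.
KNOWN_SYSTEM_IPS = {"10.1.1.5", "10.1.1.6"}

# Matches sshd "Accepted publickey" lines with either a traditional
# syslog timestamp ("Feb 20 03:14:07") or an ISO 8601 one.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d|\d{4}-\d\d-\d\dT\S+)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_accepted_publickey(log_text, user="vmanage-admin"):
    """Return (timestamp, source_ip) for every accepted public-key login by `user`."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m and m.group("user") == user:
            hits.append((m.group("ts"), m.group("ip")))
    return hits


def find_unknown_peers(log_text, known_ips, user="vmanage-admin"):
    """Accepted logins whose source IP is not in the known System IP set.

    Anything that does not parse as an IP address is also reported, since
    an unexpected token in that field deserves a look rather than silence.
    """
    known = {ip_address(ip) for ip in known_ips}
    unknown = []
    for ts, ip in parse_accepted_publickey(log_text, user):
        try:
            if ip_address(ip) in known:
                continue
        except ValueError:
            pass  # unparseable source field: report it
        unknown.append((ts, ip))
    return unknown


if __name__ == "__main__":
    for ts, ip in find_unknown_peers(SAMPLE_AUTH_LOG, KNOWN_SYSTEM_IPS):
        print(f"REVIEW: {ts} accepted publickey for vmanage-admin from unknown IP {ip}")
```

Run it against the real file by reading /var/log/auth.log (and its rotated copies, since the advisory notes activity dating back to 2023) into `log_text`; every line it reports is a login that the System IP list does not explain and should be investigated alongside the rest of Cisco's guidance.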