www.securityweek.com 2/26/2026, 9:52:39 AM

Cisco patches exploited Catalyst SD-WAN zero-day CVE-2026-20127

Cisco has rolled out emergency patches for a critical Catalyst SD-WAN zero-day (CVE-2026-20127, CVSS 10/10) that has been exploited in the wild. The fixes cover the Catalyst SD-WAN Controller and Manager versions listed in the advisory.

The flaw allows remote, unauthenticated attackers to bypass authentication and gain administrative privileges by targeting the peering authentication mechanism, potentially enabling login as “an internal, high-privileged, non-root user account” and access to NETCONF to manipulate SD-WAN fabric configurations.

Cisco notes that exploitation can lead to remote command execution and persistence. Fixes have been released in multiple versions, including 20.12.6.1, 20.12.5.3, 20.15.4.2, and 20.18.2.1, with inclusion in 20.9.8.2 expected this Friday. CISA has added the zero-day and CVE-2022-20775 to its Known Exploited Vulnerabilities catalog and issued Emergency Directive 26-03, urging federal agencies to patch promptly.

Five Eyes allies say threat actors have chained these flaws to bypass authentication, escalate privileges, and establish persistence on Catalyst SD-WAN systems, a scenario Cisco Talos attributes to UAT-8616, a highly sophisticated cyber threat actor active since at least 2023.

Article by CyberSIXT
