Cisco says a critical zero‑day in its Catalyst SD-WAN Controller, tracked as CVE-2026-20127, has been exploited in the wild for at least three years. The flaw is an authentication bypass with a maximum CVSS score of 10; an attacker can log into the controllers as an internal, high‑privileged, non‑root user by sending crafted requests, according to Cisco's security advisory.
Cisco Talos also noted that exploitation activity goes back to “at least three years (2023)” in a blog post, which links to a threat hunting guide produced with the Australian Signals Directorate and partners. The guidance describes the actor gaining root access by downgrading a vSmart controller to an earlier version, then using CVE-2022-20775 to create local accounts for persistence.
Mitigations include updating to a fixed version, restricting Internet exposure, disabling HTTP access for the web UI, and changing the default administrator password, with the threat hunting guide urging checks for rogue peering, version downgrades, and unexpected reboots.