www.securityweek.com 3/8/2026, 12:49:55 PM · via preferred

Cisco Catalyst SD-WAN flaw CVE-2026-20127 fuels internet attacks

SecurityWeek reports that a recent Cisco Catalyst SD-WAN vulnerability, initially exploited as a zero-day, is now being used more widely by threat actors. WatchTowr notes exploitation of four Catalyst SD-WAN flaws, including CVE-2026-20127, which was previously exploited alongside CVE-2022-20775 to bypass authentication, escalate privileges, and establish persistence.

According to Cisco Talos, attacks have been linked to UAT-8616, a sophisticated threat actor of unspecified origin active since at least 2023, with the pace of exploitation for CVE-2026-20127 escalating to internet-wide activity. The largest spike in activity occurred on 4 March, with attacks spreading across multiple regions and slightly higher activity in U.S.-based areas, as described by WatchTowr’s threat intelligence team.

Cisco also updated a 25 February advisory to note exploitation of two additional flaws, CVE-2026-20128 and CVE-2026-20122, which authenticated attackers can use for privilege escalation.

Article by CyberSIXT