Cisco SD-WAN Zero-Day Exploited Since 2023 by Sophisticated Threat Actor — CVSS 10.0 Authentication Bypass Triggers CISA Emergency Directive
A CVSS 10.0 authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and SD-WAN Manager has been under active exploitation since 2023 — over two years before disclosure — by a highly sophisticated threat actor that used it to compromise network management infrastructure and establish persistent footholds in high-value organizations.
The vulnerability, tracked as CVE-2026-20127, was reported by the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC) and has triggered CISA Emergency Directive 26-03 with a 24-hour patching deadline for federal agencies. Both CVE-2026-20127 and a chained privilege escalation flaw (CVE-2022-20775) have been added to CISA's Known Exploited Vulnerabilities catalog.
The Vulnerability
The flaw lies in the peering authentication mechanism of Cisco Catalyst SD-WAN. An unauthenticated remote attacker can send a crafted request to an affected controller or manager, bypass authentication entirely, and obtain the privileges of an internal high-privileged, non-root user account.
From that position, the attacker can access NETCONF on port 830 and manipulate the entire SD-WAN fabric's network configuration.
All deployment types are affected regardless of device configuration:
- On-premises deployments
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud — Cisco Managed
- Cisco Hosted SD-WAN Cloud — FedRAMP Environment
UAT-8616: Two Years of Undetected Access
Cisco is tracking the exploitation activity under UAT-8616, describing the actor as "highly sophisticated." According to ASD-ACSC, the threat actor has been compromising Cisco SD-WAN systems since 2023 using the zero-day exploit to:
- Create rogue peers — join attacker-controlled devices to the SD-WAN management plane as seemingly legitimate, temporary network components that can perform trusted actions within the control plane
- Downgrade and escalate — abuse the built-in update mechanism to stage a software version downgrade, exploit CVE-2022-20775 (CVSS 7.8) to escalate from the non-root account to root, then restore the original software version to hide the manipulation
- Establish persistence — create local user accounts that mimic legitimate ones, add SSH authorized keys for root access, and modify SD-WAN startup scripts
- Move laterally — use NETCONF and SSH to connect between SD-WAN appliances within the management plane
- Cover tracks — purge logs under `/var/log`, clear command history, and wipe network connection history
CISA Emergency Directive 26-03
CISA has issued Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems, mandating federal agencies to:
- By February 26, 2026 (11:59 PM ET) — provide a catalog of all in-scope SD-WAN systems
- By March 5, 2026 — submit a detailed inventory of all in-scope products and actions taken
- By March 26, 2026 — submit a list of all hardening steps completed
- Apply patches within 24 hours of availability
Patched Versions
| Current Version | Fixed Version |
|---|---|
| Prior to 20.9 | Migrate to fixed release |
| 20.9 | 20.9.8.2 (est. Feb 27, 2026) |
| 20.11 | 20.12.6.1 |
| 20.12.5 | 20.12.5.3 |
| 20.12.6 | 20.12.6.1 |
| 20.13 – 20.15 | 20.15.4.2 |
| 20.16 – 20.18 | 20.18.2.1 |
Defender Recommendations
- Patch immediately — apply the relevant fixed version; this is a CVSS 10.0 flaw with confirmed exploitation and a CISA emergency directive behind it
- Audit authentication logs — check `/var/log/auth.log` for `Accepted publickey for vmanage-admin` entries from unknown or unauthorized IPs
- Verify system IPs — cross-reference the source IPs in `auth.log` against the configured System IPs listed in the SD-WAN Manager web UI (Devices > System IP)
- Check for version downgrades — analyze `/var/volatile/log/vdebug`, `/var/log/tmplog/vdebug`, and `/var/volatile/log/sw_script_synccdb.log` for unexpected reboot or downgrade events
- Hunt for rogue peers — review the SD-WAN control plane for any unrecognized devices or temporary components
- Restrict internet exposure — SD-WAN controllers with management ports reachable from the internet are at highest risk; restrict management access to trusted networks immediately
- Inspect for persistence mechanisms — check for unauthorized local accounts, SSH authorized keys (including root's), and modified startup scripts
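The auth-log audit and System IP cross-check above are one procedure: pull every successful SSH login to the internal account out of `/var/log/auth.log` and flag any whose source address is not one of the System IPs configured in SD-WAN Manager. The script below is an added example written for this page, not Cisco or ASD-ACSC tooling. It assumes the standard OpenSSH `Accepted <method> for <user> from <ip> port <port>` line shape; the log lines and the System IP set are constructed here for illustration, and in practice the set would be copied from the Devices > System IP view.

```python
import re
from typing import Iterable, Dict, List, Tuple

# OpenSSH successful-login line as written to /var/log/auth.log, e.g.
# "Feb 20 10:15:32 vmanage sshd[4211]: Accepted publickey for vmanage-admin from 10.10.1.2 port 51234 ssh2: ..."
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F:.]+) port (?P<port>\d+)"
)

# Constructed sample log for the example (not real telemetry). One vmanage-admin login
# comes from an address that is not a configured System IP.
SAMPLE_AUTH_LOG = """\
Feb 20 10:15:32 vmanage sshd[4211]: Accepted publickey for vmanage-admin from 10.10.1.2 port 51234 ssh2: RSA SHA256:aaaa
Feb 20 10:15:40 vmanage sshd[4211]: pam_unix(sshd:session): session opened for user vmanage-admin by (uid=0)
Feb 20 11:02:07 vmanage sshd[4388]: Accepted publickey for vmanage-admin from 203.0.113.45 port 40022 ssh2: RSA SHA256:bbbb
Feb 20 11:03:11 vmanage sshd[4402]: Failed password for invalid user admin from 198.51.100.7 port 33000 ssh2
Feb 20 12:45:19 vmanage sshd[4501]: Accepted password for netadmin from 10.10.1.3 port 50511 ssh2
"""

# Assumed System IP set; in practice copy this from SD-WAN Manager (Devices > System IP).
KNOWN_SYSTEM_IPS = {"10.10.1.1", "10.10.1.2", "10.10.1.3"}


def parse_accepted_logins(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (user, source_ip, auth_method, raw_line) for every successful SSH login."""
    hits = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            hits.append((m.group("user"), m.group("ip"), m.group("method"), line.rstrip()))
    return hits


def find_unexpected_logins(
    lines: Iterable[str],
    known_system_ips: Iterable[str],
    watched_users: Tuple[str, ...] = ("vmanage-admin",),
) -> List[Dict[str, str]]:
    """Flag logins to a watched account whose source IP is not a configured System IP.

    Logins from a configured System IP are expected peer-to-peer traffic inside the
    management plane; anything else to vmanage-admin deserves a look.
    """
    known = set(known_system_ips)
    findings = []
    for user, ip, method, raw in parse_accepted_logins(lines):
        if user in watched_users and ip not in known:
            findings.append({"user": user, "ip": ip, "method": method, "line": raw})
    return findings


def logins_per_source(lines: Iterable[str]) -> Dict[str, int]:
    """Count successful logins per source IP, useful for spotting a noisy unknown peer."""
    counts: Dict[str, int] = {}
    for _user, ip, _method, _raw in parse_accepted_logins(lines):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    # Against a live box: open("/var/log/auth.log") instead of the constructed sample.
    for f in find_unexpected_logins(SAMPLE_AUTH_LOG.splitlines(), KNOWN_SYSTEM_IPS):
        print(f"SUSPICIOUS: {f['user']} via {f['method']} from {f['ip']}")
        print(f"  {f['line']}")
```

Run it against the real `auth.log` on each controller and manager, and treat the System IP list as the only allow list: a login from any other address, even one inside your management subnet, is the same pattern the attacker used to join rogue peers. Remember that the actor purged `/var/log`, so an empty or truncated `auth.log` on a system that should have peer traffic is itself a finding.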