Cisco has alerted network managers that a critical authentication-bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, has been used in zero-day attacks that let remote attackers compromise controllers and add rogue peers to SD-WAN infrastructure. The flaw carries the maximum severity score (CVSS 10.0) and affects both the controllers (formerly vSmart) and the managers (formerly vManage), in on-premises deployments as well as in Cisco-managed cloud deployments. Cisco's official advisory is available here: Cisco CVE-2026-20127 advisory.
According to Cisco's technical note, the root cause lies in the peer authentication (peering) mechanism, which does not work as intended and lets specially crafted requests skip the usual validation checks. In practice, successful exploitation can grant access to a high-privilege (non-root) internal account on the controller, from which the attacker can use NETCONF to change the SD-WAN fabric configuration and introduce peers that appear legitimate within the network.

Cisco's threat intelligence group, Talos, tracks the malicious activity under the label UAT-8616 and assesses with high confidence that it is a highly sophisticated adversary. Talos also notes that there is evidence of active exploitation since at least 2023, and that the actor escalated to root by temporarily downgrading the software to a vulnerable version, exploiting CVE-2022-20775 to obtain superuser privileges, and then restoring the original version to cover its tracks. The Talos analysis is available on its blog: Cisco Talos - UAT-8616.
The seriousness of the incident has prompted a coordinated response between vendors and authorities. On February 25, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive ED-26-03, which requires federal agencies to inventory Cisco SD-WAN systems, collect forensic artifacts, ensure logs are stored off-device, apply updates and hunt for indicators of compromise related to CVE-2026-20127 and CVE-2022-20775. The Directive sets strict patching deadlines because of the imminent threat of exploitation against critical networks.
The UK government, through the NCSC, and CISA have published joint hunting and hardening guides to help organizations detect malicious activity and mitigate risk. Both institutions stress that SD-WAN management interfaces must not be exposed to the Internet and recommend, among other measures, placing control-plane components behind firewalls, segmenting and isolating the management plane, and shipping logs to external systems so they cannot be tampered with.
On the detection side, Cisco and Talos urge operators to review the logs of any Catalyst SD-WAN controller reachable from outside the perimeter as a matter of urgency. One specific indicator is the presence in /var/log/auth.log of entries where a public key is accepted for the user vmanage-admin from IP addresses that are not part of the known infrastructure. If unknown IPs that achieved valid authentication are observed, the recommendation is to treat the device as compromised and open a case with Cisco Technical Assistance Center (TAC).
Other indicators of compromise shared by Talos, CISA and Cisco include unexpected creation or deletion of user accounts, root logins at unusual hours, unauthorized SSH keys associated with vmanage-admin or root, and configuration changes that enable PermitRootLogin. It is also worth watching for unusually small or missing log files, a possible sign of log wiping, and for software downgrade events followed by reboots, since they may indicate that the attacker exploited the 2022 vulnerability to escalate privileges.
CISA provides a specific list of log paths to examine in order to determine whether CVE-2022-20775 was used, including /var/volatile/log/vdebug, /var/log/tmplog/vdebug and /var/volatile/log/sw_script_synccdb.log. In addition, its hunt and hardening guide instructs organizations to collect memory dumps from the manager, user home directories and other forensic artifacts, and to ensure the logs are copied off the device to prevent alteration.
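The two indicators above that can be checked mechanically are the auth.log entries (public-key logins for vmanage-admin or root from addresses outside the known infrastructure) and a PermitRootLogin directive that has been switched on. The script below is an added example, not code from Cisco, Talos or CISA; the log lines, the sshd_config fragment and the 10.10.0.0/24 "known infrastructure" range are constructed for the demonstration and must be replaced with your own addresses. It only understands the standard OpenSSH "Accepted <method> for <user> from <ip>" line format.

```python
import ipaddress
import re

# Constructed sample sshd lines in /var/log/auth.log format (not from any real
# device). Lines 1-2: vmanage-admin from the known management subnet.
# Line 3: vmanage-admin from an unknown address. Line 4: a password login for
# a user that is not watched. Line 5: root from an unknown address.
SAMPLE_AUTH_LOG = """\
Feb 20 02:14:07 vmanage sshd[2211]: Accepted publickey for vmanage-admin from 10.10.0.5 port 51234 ssh2: RSA SHA256:aaaa
Feb 20 02:15:10 vmanage sshd[2230]: Accepted publickey for vmanage-admin from 10.10.0.6 port 51235 ssh2: RSA SHA256:aaaa
Feb 20 03:41:55 vmanage sshd[2301]: Accepted publickey for vmanage-admin from 203.0.113.77 port 40022 ssh2: RSA SHA256:bbbb
Feb 20 03:42:01 vmanage sshd[2302]: Accepted password for netops from 10.10.0.5 port 40100 ssh2
Feb 21 11:09:13 vmanage sshd[2410]: Accepted publickey for root from 198.51.100.9 port 22022 ssh2: RSA SHA256:cccc
"""

# Assumed known-infrastructure ranges (hypothetical); list your own controller,
# manager and jump-host networks here.
KNOWN_INFRA = [ipaddress.ip_network("10.10.0.0/24")]
WATCHED_USERS = {"vmanage-admin", "root"}

ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def is_known_source(ip, known=None):
    """True if ip falls inside one of the known-infrastructure networks."""
    nets = KNOWN_INFRA if known is None else known
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source is never "known"
    return any(addr in net for net in nets)


def find_suspicious_logins(log_text, known=None, users=WATCHED_USERS):
    """Return accepted logins for watched users whose source is not known."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = ACCEPT_RE.search(line)
        if not m or m["user"] not in users:
            continue
        if is_known_source(m["ip"], known):
            continue
        hits.append({"line": lineno, "user": m["user"],
                     "ip": m["ip"], "method": m["method"]})
    return hits


# sshd applies the first uncommented occurrence of a keyword, so the first
# global PermitRootLogin directive is the effective one.
ROOT_LOGIN_RE = re.compile(r"^\s*PermitRootLogin\s+(\S+)", re.IGNORECASE)


def permit_root_login_enabled(sshd_config_text):
    """True if the effective global PermitRootLogin value is 'yes'."""
    for line in sshd_config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.lower().startswith("match"):
            break  # directives inside Match blocks are conditional; stop here
        m = ROOT_LOGIN_RE.match(line)
        if m:
            return m.group(1).lower() == "yes"
    return False  # OpenSSH default is prohibit-password


SAMPLE_SSHD_CONFIG = """\
# PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_AUTH_LOG):
        print(f"line {hit['line']}: {hit['user']} via {hit['method']} "
              f"from unknown source {hit['ip']}")
    print("PermitRootLogin enabled:", permit_root_login_enabled(SAMPLE_SSHD_CONFIG))
```

Run it against a copy of auth.log taken off the device (not the live file, which the attacker may still be able to edit) and treat any hit as grounds for the TAC case described above; the script deliberately does not filter on authentication method, since a password login for root from an unknown address is no less interesting than a key-based one.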

In terms of mitigation, Cisco has published patches that fix the vulnerability and stresses that there is no workaround that eliminates it completely: the only way to fully remediate CVE-2026-20127 is to upgrade to a fixed software version. In addition, the authorities and Cisco recommend restricting access to management interfaces, applying the vendor's official hardening guidance and shipping logs to external systems. If it is confirmed that the root account was compromised, agencies should opt for a clean install rather than attempt to "clean" a system that has already been breached.
This incident once again puts on the table a familiar but essential lesson for network operations in distributed environments: orchestration and control platforms are extremely sensitive because they centralize trust. Adding a rogue peer to the SD-WAN fabric lets the attacker exchange apparently legitimate encrypted traffic and advertise routes under its control, which eases lateral movement and persistence inside the corporate network.
Finally, Cisco publicly acknowledged the collaboration of the Australian Signals Directorate / Australian Cyber Security Centre in discovering the flaw, a reminder that early detection is often the result of cooperation between companies and agencies. If you operate or depend on a Cisco Catalyst SD-WAN deployment, review the linked guides and advisories, prioritize installing the patches and, if suspicious activity is detected, start the recommended forensic actions and notify the vendor and the authorities as appropriate.