A maximum-severity security flaw has once again put network edge devices in the spotlight: Cisco has confirmed that a critical vulnerability in its Catalyst SD-WAN Controller and Manager (formerly known as vSmart and vManage) has been actively exploited since 2023 by a sophisticated actor, prompting coordinated responses from several national and commercial security teams.
The vulnerability, tracked as CVE-2026-20127 with a CVSS score of 10.0, allows an unauthenticated remote attacker to bypass the authentication mechanism and obtain administrative privileges within the SD-WAN management plane. In practice, a malicious device can "join" the control plane as a trusted peer and perform actions that would normally require high-level credentials, such as changing the network configuration through NETCONF or SSH.

Cisco explains that the root cause is a flaw in the peer authentication mechanism. The company credits the discovery to the Australian Signals Directorate / Australian Cyber Security Centre (ASD-ACSC) and tracks the campaign against its SD-WAN systems as UAT-8616, describing the responsible group as highly sophisticated. The Talos team, which investigated the operation, stresses that the exploitation and post-compromise activity follow a pattern designed to establish persistence and move laterally within the affected installations, typical behaviour for attackers seeking footholds in critical infrastructure. Further technical analysis is available on the Talos blog: https://blog.talosintelligence.com/uat-8616-sd-wan/.
The risks arising from this flaw are not limited to the immediate privilege escalation. In documented incidents, attackers used the initial foothold to force a software downgrade, exploit an older vulnerability (CVE-2022-20775) to escalate to root, and then restore the original version to hide their tracks. CVE-2022-20775 is recorded in the NIST database, which describes the escalation technique used as part of the attack chain: https://nvd.nist.gov/vuln/detail/cve-2022-20775.
After the initial intrusion, attackers created local accounts that mimic existing ones, added authorized SSH keys for root access, modified SD-WAN-related boot scripts, and used NETCONF and SSH to communicate between management-plane devices. They also deleted logs and shell history to hinder investigation. These steps let them maintain persistent access and operate with a degree of stealth inside critical corporate and infrastructure environments.
The scope is broad: on-premises deployments and cloud deployments of Cisco SD-WAN (including Cisco-managed and FedRAMP environments) are listed as affected. Cisco has published guidance with fixed versions and migration recommendations; it is essential to review and apply the updates indicated in its official advisory: Cisco security advisory.
The seriousness of the incident has prompted regulatory action: the US Cybersecurity and Infrastructure Security Agency (CISA) has added both CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) catalogue and issued emergency guidance for federal agencies. These orders require an inventory of SD-WAN systems, the application of patches, and the submission of detailed reports within very tight deadlines; the CISA note is available at: CISA alert on inclusion in KEV, and the related directives and guides are published here: ED-26-03: Mitigate Vulnerabilities in Cisco SD-WAN and Hunt and Hardening Supplements.
For security teams and network administrators, the priority is immediate: apply the patched versions Cisco has published, or migrate to fixed releases according to its guidance. It is also advisable to audit affected systems for signs of compromise; Cisco recommends reviewing the authentication log (/var/log/auth.log) for entries such as "Accepted publickey for vmanage-admin" from unrecognised IP addresses and comparing those IPs with the System IPs configured in the manager's web interface. CISA also suggests checking logs for unexpected reboots or version downgrades, and reviewing debug files and system-specific traces.
Patching alone is not enough: a complete response includes checking for suspicious local accounts, reviewing recently added SSH keys, inspecting boot and restore scripts, and tracing NETCONF/SSH activity within the management plane. If there is any sign of compromise, assume the attacker may have established persistence, and therefore plan containment, eradication and recovery with rotation of keys and credentials, a clean reinstallation of the software where appropriate, and a forensic investigation that preserves evidence before systems are cleaned.
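The auth-log check Cisco recommends above is easy to script. The following is an added example, not code from Cisco, Talos or CISA: it parses syslog-style sshd lines, keeps only successful public-key logins for the named account, and flags any whose source address is outside an allowlist standing in for the System IPs configured in the manager's web interface. The log lines and the allowlist are constructed samples, and the exact line format of /var/log/auth.log on a given appliance is an assumption; adjust the regular expression if your devices log differently.

```python
"""Flag sshd public-key logins for a privileged account from unexpected sources.

Added example; assumes classic syslog sshd lines such as
"Mon DD HH:MM:SS host sshd[pid]: Accepted publickey for USER from IP port N ssh2: ...".
"""
import re
import sys
from ipaddress import ip_address, ip_network

# Constructed sample of /var/log/auth.log content (not captured from a real device).
SAMPLE_AUTH_LOG = """\
Feb 25 10:01:12 vmanage sshd[2211]: Accepted publickey for vmanage-admin from 10.10.1.5 port 51234 ssh2: RSA SHA256:aaaa
Feb 25 10:03:44 vmanage sshd[2240]: Accepted publickey for vmanage-admin from 203.0.113.77 port 40022 ssh2: RSA SHA256:bbbb
Feb 25 10:05:01 vmanage sshd[2255]: Failed password for invalid user test from 198.51.100.9 port 33001 ssh2
Feb 25 10:07:19 vmanage sshd[2290]: Accepted publickey for admin from 10.10.1.5 port 51300 ssh2: RSA SHA256:cccc
Feb 25 10:09:02 vmanage sshd[2301]: Accepted publickey for vmanage-admin from 10.10.2.9 port 51999 ssh2: RSA SHA256:dddd
"""

# Constructed allowlist standing in for the System IPs shown in the manager UI.
# Entries may be single addresses or CIDR ranges.
KNOWN_SYSTEM_IPS = ["10.10.1.5", "10.10.1.6"]

# Only successful logins are of interest; the trailing key fingerprint is ignored.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>[0-9a-fA-F:.]+) port (?P<port>\d+)"
)


def parse_accepted_logins(log_text):
    """Return one dict per 'Accepted ...' sshd line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_logins(log_text, known_ips, user="vmanage-admin"):
    """Public-key logins for `user` whose source is not in any allowlisted address/range."""
    known_nets = [ip_network(entry, strict=False) for entry in known_ips]
    suspicious = []
    for ev in parse_accepted_logins(log_text):
        if ev["user"] != user or ev["method"] != "publickey":
            continue
        src = ip_address(ev["src"])
        if not any(src in net for net in known_nets):
            suspicious.append(ev)
    return suspicious


def summarise_by_source(events):
    """Count flagged logins per source IP so repeated use of one host stands out."""
    counts = {}
    for ev in events:
        counts[ev["src"]] = counts.get(ev["src"], 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python check_auth_log.py [/var/log/auth.log]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    hits = find_suspicious_logins(text, KNOWN_SYSTEM_IPS)
    for ev in hits:
        print(f"{ev['ts']} {ev['host']}: {ev['user']} from {ev['src']} (not a known System IP)")
    print("per-source counts:", summarise_by_source(hits))
```

Run against the sample, the script flags the logins from 203.0.113.77 and 10.10.2.9 and leaves the 10.10.1.5 entries alone. A hit is a lead, not a verdict: confirm each source against the controller and manager System IPs in the web interface before treating it as compromise, and remember that the attackers described above also cleared logs, so an empty result does not prove a clean system.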

This incident fits a worrying trend: edge devices and network management systems are priority targets for actors seeking entry points of high strategic value. As researchers have pointed out, compromising the control plane of an SD-WAN lets an attacker influence the behaviour of the network across multiple sites and exfiltrate or manipulate traffic in very damaging ways.
If your organisation uses Cisco Catalyst SD-WAN, the essential thing now is to act quickly: review Cisco's advisory and technical recommendations, audit the logs described above, check the integrity of local accounts and keys, and, if necessary, coordinate with incident response teams and the relevant regulatory bodies. For official information and technical steps, see Cisco's advisory and the Talos analysis; for mandatory measures or compliance requirements, follow the guidance and the inclusion in the CISA KEV catalogue: Cisco, Talos, NVD (CVE-2022-20775) and CISA KEV.
The lesson is clear: keeping the critical elements of network infrastructure up to date and actively monitoring management planes is no longer an optional good practice but an operational necessity, to prevent intrusions that can scale up to compromise distributed services and critical assets.