Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023
Source: Bleeping Computer
Cisco Warns of Critical Authentication‑Bypass Vulnerability in Catalyst SD‑WAN (CVE‑2026‑20127)

TL;DR
- Vulnerability: CVE‑2026‑20127 – authentication bypass in Cisco Catalyst SD‑WAN Controller (vSmart) and Manager (vManage).
- Severity: 10.0 (critical).
- Impact: Remote attackers can compromise controllers, add rogue peers, and gain high‑privileged access.
- Exploitation: Actively exploited in zero‑day attacks; telemetry shows activity since 2023.
- Mitigation: Apply Cisco’s patches immediately; no full work‑around exists.
- Deadlines: Federal agencies must patch by 27 Feb 2026, 5:00 PM ET (CISA ED‑26‑03).
Background
Cisco’s advisory states that the flaw stems from improper authentication in the controller peering mechanism. An attacker can send crafted requests to:
- Log in as an internal, high‑privileged, non‑root user.
- Access NETCONF and manipulate the SD‑WAN fabric configuration.
- Add a malicious rogue peer, allowing the attacker to hijack encrypted traffic and move laterally through the fabric.
“A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD‑WAN Controller as an internal, high‑privileged, non‑root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD‑WAN fabric.” – Cisco CVE‑2026‑20127 advisory
Cisco credits the Australian Signals Directorate’s Australian Cyber Security Centre (ASD/ACSC) for reporting the issue.
Related Threat Intelligence
- Cisco Talos (UAT‑8616) – Confirms active exploitation, likely by a sophisticated threat actor.
- CVE‑2022‑20775 – Used in a “downgrade‑and‑exploit” chain to obtain root access, then revert to the original firmware to evade detection.
“By reverting to the original version after exploitation, the attacker could obtain root access while evading detection.” – Talos blog
Official Responses
| Organization | Action |
|---|---|
| Cisco | Released software updates for both Controller and Manager; no full work‑around. |
| CISA | Issued Emergency Directive 26‑03 (26 Feb 2026) – inventory, forensic collection, external log storage, patching. |
| UK NCSC | Published joint hunt‑and‑hardening guidance; urges never exposing SD‑WAN interfaces to the Internet. |
| Ollie Whitehouse (NCSC CTO) | “Organisations using Cisco Catalyst SD‑WAN products should urgently investigate their exposure … and hunt for malicious activity.” |
- CISA Emergency Directive 26‑03
- Joint Hunt & Hardening Guide
- UK NCSC Advisory
Mitigation Steps
- Identify all Cisco Catalyst SD‑WAN Controllers (vSmart) and Managers (vManage) in your environment – on‑prem or cloud.
- Apply Cisco patches for CVE‑2026‑20127 (and CVE‑2022‑20775 if present).
- Verify that management interfaces are not exposed to the Internet; use VPN or jump‑hosts only.
- Collect forensic artifacts (logs, configuration snapshots) as per CISA guidance.
- Enable external log storage and continuous monitoring for rogue‑peer activity.
- Conduct threat‑hunting using the CISA/NCSC guidance (search for unexpected peer entries, NETCONF sessions, or firmware‑downgrade events).
- Report any compromise to the appropriate national CSIRT (e.g., NCSC for UK organisations).
References & Further Reading
- Cisco Advisory (CVE‑2026‑20127)
- Cisco Talos Blog (UAT‑8616)
- CVE‑2022‑20775 Advisory
- CISA Emergency Directive 26‑03
- UK NCSC Advisory
Stay vigilant, patch promptly, and follow the joint CISA/NCSC hardening guidance to protect your SD‑WAN infrastructure.
Indicators of Compromise
Cisco and Talos are urging organizations to carefully review logs on any internet‑exposed Catalyst SD‑WAN Controller systems for signs of unauthorized peering events and suspicious authentication activity.
Authentication‑related IOCs
- Log file to audit: `/var/log/auth.log`
- Key entry to look for (the source address, port and key fingerprint are omitted in the excerpt):
  `2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from port ssh2: RSA SHA256:`
Actions:
- Compare the source IP address against the System IPs configured in the SD‑WAN Manager UI.
- Verify the IP against known management or controller infrastructure.
- If the IP is unknown, treat the device as compromised and open a Cisco TAC case.
Additional IOCs reported by Talos and government advisories
- Creation and deletion of malicious user accounts.
- Unexpected root logins.
- Unauthorized SSH keys in the `vmanage-admin` or `root` accounts.
- Configuration changes that enable `PermitRootLogin`.
- Unusually small or missing log files (possible log tampering).
- Software downgrades and unexpected reboots (potential exploitation of CVE‑2022‑20775).
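The authentication IOC check above (compare the source IP of every accepted `vmanage-admin` login against the System IPs configured in SD‑WAN Manager) and the "unexpected root logins" indicator can both be run over `/var/log/auth.log` with a short script. The following is an added example, not code from the article, Cisco, Talos or CISA. The log lines are constructed (RFC 5737 documentation addresses, placeholder fingerprints) and the `KNOWN_SYSTEM_IPS` allowlist is a hypothetical inventory you would replace with your own controller and management addresses.

```python
import re
import ipaddress

# Constructed sample /var/log/auth.log content (not from the original article).
# IPs are RFC 5737 documentation addresses; fingerprints are placeholders.
SAMPLE_AUTH_LOG = """\
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from 192.0.2.10 port 51234 ssh2: RSA SHA256:PLACEHOLDERFINGERPRINT1
2026-02-10T22:53:01+00:00 vm sshd[811]: Accepted publickey for vmanage-admin from 203.0.113.77 port 44022 ssh2: RSA SHA256:PLACEHOLDERFINGERPRINT2
2026-02-10T23:05:12+00:00 vm sshd[820]: Accepted password for root from 198.51.100.5 port 40011 ssh2
2026-02-10T23:07:45+00:00 vm sshd[826]: Failed password for admin from 203.0.113.77 port 44100 ssh2
"""

# Hypothetical allowlist: the System IPs configured in the SD-WAN Manager UI
# plus known management hosts. Replace with your own inventory.
KNOWN_SYSTEM_IPS = {"192.0.2.10", "192.0.2.11"}

# Matches the OpenSSH "Accepted <method> for <user> from <ip> port <port>" line.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_accepted_logins(log_text):
    """Return one dict per successful sshd login found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_logins(log_text, known_ips=KNOWN_SYSTEM_IPS,
                           watched_users=("vmanage-admin",)):
    """
    Flag two IOC classes named in the advisories:
      1. a watched account (vmanage-admin) logging in from an address that is
         not in the System IP allowlist
      2. any root login, which the advisories list as unexpected on these controllers
    Findings are returned in log order so they can be triaged or exported.
    """
    findings = []
    for ev in parse_accepted_logins(log_text):
        try:
            ipaddress.ip_address(ev["ip"])
        except ValueError:
            # A source field that is not an address is itself worth a look.
            findings.append({**ev, "reason": "unparseable source address"})
            continue
        if ev["user"] == "root":
            findings.append({**ev, "reason": "root login"})
        elif ev["user"] in watched_users and ev["ip"] not in known_ips:
            findings.append({**ev, "reason": "login from IP not in System IP allowlist"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_AUTH_LOG):
        print(f"{f['ts']} {f['user']}@{f['ip']}: {f['reason']}")
```

On the constructed sample this reports the `vmanage-admin` login from `203.0.113.77` (not in the allowlist) and the `root` login; the login from `192.0.2.10` is silent because that address is a configured System IP. Any hit on a real controller is the trigger the advisory describes for treating the device as compromised and opening a Cisco TAC case.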
Logs to examine for CVE‑2022‑20775 exploitation (CISA recommendation)
- `/var/volatile/log/vdebug`
- `/var/log/tmplog/vdebug`
- `/var/volatile/log/sw_script_synccdb.log`
Forensic collection & hardening (CISA guidance)
- Collect admin core dumps and user home directories.
- Store logs externally to prevent tampering.
- If a root account is compromised, perform a fresh install rather than attempting to clean the existing system.
General mitigation recommendations
- Treat any unexpected peering event or unexplained controller activity as a potential IOC and investigate immediately.
- Network exposure:
  - Place SD‑WAN control components behind firewalls.
  - Isolate management interfaces.
  - Forward logs to external log‑aggregation systems.
  - Follow Cisco’s hardening guidance.
- Upgrade to a fixed software release to fully remediate CVE‑2026‑20127.
