A Cisco Zero-Day Hid in Plain Sight for Three Years

Attackers quietly walked through Cisco's front door for three years — and most organizations had no idea.

What the Cisco SD-WAN Zero-Day Teaches Modern SOCs

Security teams running Cisco Catalyst SD-WAN may want to sit down for this one. Cisco disclosed this week that a critical authentication bypass flaw — tracked as CVE-2026-20127 — carried a perfect CVSS score of 10.0 and had been actively exploited since at least 2023. Three years. With no patch, no public warning, and minimal forensic footprint left behind.


What Happened?

The flaw lives inside the peering authentication mechanism of Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage). The authentication check simply wasn’t working. An attacker could send crafted requests to vulnerable internet-facing systems and log in as a high-privileged internal user — no credentials required.

From there, they accessed NETCONF on port 830 and manipulated the entire SD-WAN fabric’s network configuration. The most alarming move: adding a rogue peer to the network management plane. That rogue device looked like a legitimate SD-WAN component to the rest of the network — trusted, acting freely within the management and control plane.

Cisco Talos is tracking the threat actor behind this as UAT-8616, describing them with high confidence as “highly sophisticated.” Their attack chain didn’t stop at initial access. Investigators found that, after logging in, the group likely downgraded the SD-WAN software to an older version vulnerable to a second flaw (CVE-2022-20775, a path traversal bug that allows root privilege escalation), then restored the original software version to cover their tracks. Root access. Clean logs. Business as usual.

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC) first flagged the zero-day and confirmed the compromise of SD-WAN deployments dating back to 2023. The root cause of those compromises wasn’t identified until late 2025.

On February 25, 2026, CISA issued Emergency Directive 26-03, requiring all Federal Civilian Executive Branch agencies to inventory affected systems, collect forensic artifacts, store logs externally, and apply patches by 5:00 PM ET on February 27. Both CVE-2026-20127 and CVE-2022-20775 were added to CISA’s Known Exploited Vulnerabilities catalog. Five Eyes partners — including the UK’s NCSC and Canada’s Cyber Centre — issued parallel warnings the same day.


What’s the Impact?

Three years is a long time to have an uninvited guest in critical network infrastructure. Investigators found no evidence of lateral movement outside SD-WAN components, and no command-and-control malware was detected — which tells you something about how disciplined this operation was.

That operational restraint is the point. According to Ben Harris, CEO of watchTowr, the precision and patience of this campaign aligns more closely with state-sponsored espionage than financially motivated crime. The attackers weren’t there to cause chaos. They were there to stay.

Infrastructure-level compromises like this are especially difficult to detect. Unlike endpoint malware, an authentication bypass in a management system produces almost no behavioral signature — particularly when the attacker is methodically clearing logs under /var/log, wiping command history, and reverting software versions to maintain cover.

The scale of affected organizations remains undisclosed, but the targets include critical infrastructure sectors. Cisco has confirmed that versions 20.11, 20.13, 20.14, 20.16, and all versions prior to 20.9 have reached end-of-life and will not receive patches.


How to Avoid This

Cisco has released fixes across the following versions: 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, and 20.18.2.1. If you’re running anything older than 20.9.1, migrate to a patched release — there are no workarounds.

Beyond patching, Cisco and CISA recommend taking these steps now:

SD-WAN management interfaces should never be exposed to the public internet. If yours are, that’s the first thing to fix. Restrict access, place controllers behind firewalls, and isolate management interfaces.

Check /var/log/auth.log for suspicious “Accepted publickey for vmanage-admin” entries from unknown IPs, and validate them against authorized System IPs in the web UI. Run show sdwan omp peers detail to scan for rogue peers, and review active NETCONF sessions. If a peer’s system IP doesn’t match your documented device assignments, treat it as a red flag.
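The auth.log check above, written out as an added example (this is not Cisco’s or CISA’s tooling): it scans sshd “Accepted publickey for vmanage-admin” entries and flags any whose source address is not in the set of authorized System IPs documented in the web UI. The log line format is assumed to be standard OpenSSH syslog output, and both the sample lines and the authorized IP set are constructed.

```python
import re
from ipaddress import ip_address

# Pattern for OpenSSH sshd "Accepted publickey" entries in /var/log/auth.log.
# Standard sshd syslog format is assumed; adjust if the appliance logs differently.
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[0-9a-fA-F:.]+) port (?P<port>\d+)"
)

# Constructed sample log lines, not captured from a real system.
SAMPLE_AUTH_LOG = """\
Feb 25 08:12:01 vmanage sshd[2211]: Accepted publickey for vmanage-admin from 10.10.1.21 port 41022 ssh2: RSA SHA256:abc
Feb 25 08:13:45 vmanage sshd[2250]: Accepted publickey for vmanage-admin from 203.0.113.77 port 52344 ssh2: RSA SHA256:def
Feb 25 08:14:10 vmanage sshd[2261]: Failed password for admin from 198.51.100.9 port 33001 ssh2
Feb 25 08:20:02 vmanage sshd[2300]: Accepted publickey for vmanage-admin from 10.10.1.22 port 41100 ssh2: RSA SHA256:ghi
"""

# Authorized System IPs as documented in the SD-WAN Manager web UI (constructed values).
AUTHORIZED_SYSTEM_IPS = {"10.10.1.21", "10.10.1.22"}


def find_unauthorized_logins(log_text, authorized_ips, user="vmanage-admin"):
    """Return (line_no, source_ip) for every accepted publickey login of `user`
    whose source address is not in the authorized System IP set."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = ACCEPTED_RE.search(line)
        if not m or m.group("user") != user:
            continue
        src = m.group("ip")
        try:
            ip_address(src)  # skip malformed addresses instead of silently trusting them
        except ValueError:
            continue
        if src not in authorized_ips:
            findings.append((line_no, src))
    return findings


if __name__ == "__main__":
    for line_no, src in find_unauthorized_logins(SAMPLE_AUTH_LOG, AUTHORIZED_SYSTEM_IPS):
        print(f"line {line_no}: vmanage-admin login from unauthorized source {src}")
```

Run it against a copy of auth.log pulled to external storage, since logs left on a compromised controller may already have been wiped.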

Disable HTTP access for the Catalyst SD-WAN Manager web UI administrator portal, change default administrator passwords, and forward logs to external storage so they can’t be wiped by an attacker with root access.

If you have any reason to suspect compromise, Cisco says: fully rebuild. Don’t just patch and move on.
