Cisco reports that a critical vulnerability in Catalyst SD-WAN has been exploited since 2023. The vulnerability, tracked as CVE-2026-20127, allows attackers to compromise controllers and add fake peers to networks. CISA is giving US government agencies two days to patch, and other organizations would be wise to adopt that sense of urgency.
The zero-day in Cisco Catalyst SD-WAN is being actively exploited, according to Cisco’s security arm Talos. Its researchers found attackers using the flaw to compromise controllers and attach malicious peers to target networks. The group responsible, which Talos tracks as UAT-8616 and has not attributed to a known actor, has been exploiting the vulnerability since at least 2023.
The problem lies in the peering authentication mechanism between SD-WAN controllers. According to the National Vulnerability Database (NVD), the flaw is an improper-authentication weakness in that mechanism: by sending specially crafted requests to an affected Cisco Catalyst SD-WAN Controller, a malicious actor can bypass peering authentication and log in as an internal, privileged, non-root user account.
Access to NETCONF
That account has access to NETCONF, which lets the attacker read and change the configuration of the SD-WAN fabric. The observed tradecraft shows how serious the flaw is: UAT-8616 first downgrades the SD-WAN software to an older, vulnerable release, escalates to root, and then restores the original software version to cover its tracks. For defenders this has a practical consequence: the version a controller reports today says nothing about whether it was exposed in the past, so the history of version changes matters as much as the current version.
The US cybersecurity agency CISA has added the bug to its Known Exploited Vulnerabilities catalog with a two-day deadline: Federal Civilian Executive Branch agencies must patch or discontinue use of the product within that window. CISA normally allows three weeks, but in this case it considers the threat too urgent to wait. Other organizations should act just as quickly to prevent exploitation.
Cisco has released fixed software for several release trains: 20.9.8.2, 20.12.6.1, 20.12.5.3 and 20.18.2.1. Releases older than 20.9.1 will not receive a fix; organizations still running them must migrate to a fixed release. There are no workarounds. In the meantime, Cisco advises administrators to review log files for suspicious activity and to restrict access to the controllers with access control lists.
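As an added example (not Cisco's or Talos's code, and not part of the original article), the following Python triage helpers turn two of the facts above into checks an operator can run: whether a reported controller version falls at or above the fixed releases the article lists, and whether a sequence of observed versions contains the downgrade-then-restore pattern attributed to UAT-8616. The `(timestamp, version)` history format and the sample data are constructed for illustration; real Cisco telemetry will need to be mapped into that shape. The rule that every release of a maintenance branch below its listed fixed release is affected is an assumption based on Cisco's usual advisory convention, not something the article states, so confirm it against the advisory itself.

```python
"""Added example: CVE-2026-20127 triage helpers built only from the fixed
versions and tradecraft described in the article. Log/history formats here
are constructed for illustration; Cisco's real telemetry differs."""
from __future__ import annotations

import re
from typing import Iterable

# Fixed releases named in the article, grouped by train (first two components).
FIXED_RELEASES = {
    (20, 9): [(20, 9, 8, 2)],
    (20, 12): [(20, 12, 5, 3), (20, 12, 6, 1)],
    (20, 18): [(20, 18, 2, 1)],
}
# Releases below this have no fix; the article says they must migrate.
MIGRATE_BELOW = (20, 9, 1)


def parse_version(text: str) -> tuple[int, ...]:
    """'20.12.5.3' -> (20, 12, 5, 3); pads so '20.12.5' compares as 20.12.5.0."""
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text.strip()):
        raise ValueError(f"not a dotted version: {text!r}")
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def patch_status(version: str) -> str:
    """Classify a controller version against the fixed releases from the article.

    Returns 'migrate' (older than 20.9.1, no fix exists), 'fixed' (at or above
    the fixed release of its maintenance branch), 'vulnerable' (same train,
    below the applicable fix) or 'unlisted' (train/branch not named in the
    article; consult the advisory).

    Assumption (not from the article): every release of a maintenance branch
    below its listed fixed release is affected.
    """
    v = parse_version(version)
    if v < MIGRATE_BELOW:
        return "migrate"
    fixes = FIXED_RELEASES.get(v[:2])
    if not fixes:
        return "unlisted"
    same_branch = [f for f in fixes if f[:3] == v[:3]]
    if same_branch:
        return "fixed" if v >= same_branch[0] else "vulnerable"
    # No fix listed for this branch: an older branch sits below every fix in
    # the train; a newer branch is simply not covered by the article.
    return "vulnerable" if v < min(fixes) else "unlisted"


def downgrade_cycles(history: Iterable[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Flag the UAT-8616 pattern: a move to an OLDER release followed later by a
    return to the pre-downgrade version.

    `history` is an ordered sequence of (timestamp, version) observations
    (constructed format). Returns (downgrade_time, old_version, restore_time).
    """
    events = [(ts, parse_version(ver), ver) for ts, ver in history]
    findings = []
    for i in range(1, len(events)):
        _, prev_v, _ = events[i - 1]
        ts, v, txt = events[i]
        if v < prev_v:  # a downgrade; look for a later return to prev_v
            for later_ts, later_v, _ in events[i + 1:]:
                if later_v == prev_v:
                    findings.append((ts, txt, later_ts))
                    break
    return findings


SAMPLE_HISTORY = [  # constructed, not real telemetry
    ("2025-03-01T02:00:00Z", "20.12.5.3"),
    ("2025-03-01T02:41:10Z", "20.12.4.1"),  # downgrade to an older release
    ("2025-03-01T03:15:55Z", "20.12.5.3"),  # restored to hide the change
    ("2025-04-10T09:00:00Z", "20.12.5.3"),
]

if __name__ == "__main__":
    for ver in ["20.6.3", "20.9.5.2", "20.12.6.0", "20.12.6.1", "20.15.4"]:
        print(f"{ver:>10}: {patch_status(ver)}")
    for down_ts, old, restore_ts in downgrade_cycles(SAMPLE_HISTORY):
        print(f"downgrade to {old} at {down_ts}, restored at {restore_ts}")
```

Note the 20.12 train has two fixed releases: 20.12.6.0 is above 20.12.5.3 by simple comparison but still below the fix for its own branch, which is why the check compares within the maintenance branch rather than against the highest fixed version in the train.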