CVE-2026-20127: UAT-8616 Exploiting Cisco Catalyst SD-WAN Zero-Day

Red | Attack Report

Summary

CVE-2026-20127 is a critical authentication bypass vulnerability (CVSS v3.1: 10.0) affecting Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). This Cisco Catalyst SD-WAN zero-day vulnerability has been actively exploited since at least 2023 by the nation-state-linked threat actor UAT-8616, targeting global critical infrastructure environments.

The flaw stems from a fundamental failure in the SD-WAN peering authentication mechanism, allowing unauthenticated remote attackers to impersonate trusted SD-WAN components and gain high-privileged control-plane access. Because the vulnerability is inherent to the authentication logic itself, no workaround exists — immediate patching is the only complete remediation. The Cisco Catalyst SD-WAN zero-day impacts on-premises deployments, Cisco Hosted SD-WAN Cloud, FedRAMP environments, and end-of-maintenance versions.


Vulnerability Details

CVE-2026-20127 — Cisco Catalyst SD-WAN Authentication Bypass

CVE-2026-20127 carries a maximum CVSS v3.1 score of 10.0 and is a zero-day vulnerability listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The Cisco Catalyst SD-WAN Controller and Manager authentication bypass originates in the trust validation process that establishes secure control-plane relationships between SD-WAN components. This process fails to properly verify identity and credentials, so an attacker can introduce a rogue device that is accepted as a legitimate SD-WAN peer.

An unauthenticated remote attacker exploits this Cisco SD-WAN vulnerability by sending specially crafted requests to an exposed controller or manager interface. Successful exploitation grants access as the internal “vmanage-admin” account — a high-privileged non-root user. From there, the attacker can access the NETCONF interface and manipulate configurations across the entire SD-WAN fabric, including routing policies, segmentation rules, and peer relationships. Compromise of the SD-WAN controller enables broad control-plane manipulation with high impact to confidentiality, integrity, and availability.

Adversaries exploiting CVE-2026-20127 have chained the attack with CVE-2022-20775 — a Cisco SD-WAN path traversal privilege escalation flaw — to achieve full root-level access. Attackers deliberately downgrade the controller software to exploit the path traversal vulnerability, then restore the original version to obscure evidence of compromise. Post-exploitation activity observed in UAT-8616 campaigns includes:

  • Unauthorized SSH key deployment
  • Creation and deletion of malicious accounts
  • Log tampering and truncation
  • Rogue control-plane peering events
  • Persistent backdoor access
CVE ID | Vulnerability Name | Affected Product | Zero-Day | CISA KEV | Patch Available
CVE-2026-20127 | Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass | Cisco Catalyst SD-WAN Controller / SD-WAN Manager | Yes | Yes | Yes
CVE-2022-20775 | Cisco SD-WAN Path Traversal Vulnerability | Cisco SD-WAN Software | | |

Affected Versions (CVE-2026-20127): Cisco Catalyst SD-WAN Controller and Manager versions before 20.9.8.2, 20.12.6.1, 20.12.5.3, 20.15.4.2, and 20.18.2.1 (CWE-287)

Affected Versions (CVE-2022-20775): Cisco SD-WAN Software versions before 20.6.3 to 20.6.4 (CWE-25, CWE-22)


Recommendations

1. Apply Cisco Security Updates Immediately

Upgrade all Cisco Catalyst SD-WAN Controller and SD-WAN Manager instances to the fixed software releases specified by Cisco: 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, or 20.18.2.1, depending on your current release train. For releases earlier than 20.9 or end-of-life releases such as 20.11, 20.13, 20.14, and 20.16, migrate to a supported fixed release immediately. This is the only complete remediation for CVE-2026-20127, as no workarounds exist.
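To apply this recommendation across a fleet, the following added Python example (not code from Hive Pro or Cisco) classifies a controller or manager version against the fixed releases and end-of-life trains listed above. The mapping of "before X" to the same maintenance line (so that 20.12.6.0 is below the 20.12.6.1 fix even though it exceeds 20.12.5.3) is the example's own reading of the advisory, and the hostnames in the sample inventory are constructed.

```python
from typing import Tuple

# Added example, not from the advisory or from Cisco. Fixed releases and EoL trains
# are the ones the advisory lists; how "before X" maps to a maintenance line is this
# example's reading of that text and should be confirmed against Cisco's advisory.
FIXED_RELEASES = ("20.9.8.2", "20.12.5.3", "20.12.6.1", "20.15.4.2", "20.18.2.1")
EOL_TRAINS = {(20, 11), (20, 13), (20, 14), (20, 16)}

def parse_version(version: str) -> Tuple[int, ...]:
    """'20.12.5.3' -> (20, 12, 5, 3); shorter strings are zero-padded so tuples compare."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return parts + (0,) * (4 - len(parts))

def assess(version: str) -> str:
    """Classify one controller/manager version: 'fixed', 'vulnerable', 'migrate' or 'unlisted'."""
    v = parse_version(version)
    train = v[:2]
    if train < (20, 9) or train in EOL_TRAINS:
        return "migrate"        # no fix in this train; move to a supported fixed release
    fixes = [parse_version(f) for f in FIXED_RELEASES if parse_version(f)[:2] == train]
    if not fixes:
        return "unlisted"       # train not in the advisory's list; confirm with Cisco's advisory
    if v < min(fixes):
        return "vulnerable"     # older than every fixed release in the train
    for fix in fixes:
        if v[:3] == fix[:3] and v < fix:
            return "vulnerable" # same maintenance line but below its fix, e.g. 20.12.6.0 < 20.12.6.1
    return "fixed"

def needs_action(inventory: dict) -> dict:
    """Return {device: verdict} for every device that is not on a fixed release."""
    return {name: assess(ver) for name, ver in inventory.items() if assess(ver) != "fixed"}

if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    fleet = {"vmanage-1": "20.12.6.0", "vsmart-1": "20.12.5.3", "vsmart-2": "20.9.8.1",
             "vmanage-lab": "20.11.1.1", "vsmart-old": "20.6.4"}
    for name, verdict in needs_action(fleet).items():
        print(f"{name}: {verdict}")
```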

2. Conduct Forensic Investigation for Indicators of Compromise

Review the auth.log file at /var/log/auth.log for entries containing “Accepted publickey for vmanage-admin” from unknown or unauthorized IP addresses. Check for creation or deletion of unfamiliar user accounts, unexpected root sessions, and unauthorized SSH keys in /home/vmanage-admin/.ssh/authorized_keys and /home/root/.ssh/authorized_keys. Also look for abnormally small or missing log files, evidence of software downgrades and reboots, and unexplained peering events in SD-WAN logs.
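The log review described above can be scripted for triage. This added Python example (not Hive Pro's or Cisco's code) walks auth.log lines in standard sshd/useradd/userdel syslog format and reports the indicators named in the recommendation: vmanage-admin public-key logins from sources outside an assumed management allowlist, root SSH sessions, and account creation or deletion. The log lines and the 10.0.0.0/24 allowlist are constructed.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample /var/log/auth.log lines in standard sshd/useradd/userdel syslog
# format (not a real capture); 10.0.0.0/24 stands in for the approved management network.
SAMPLE_AUTH_LOG = """\
Jan 14 03:12:44 vmanage sshd[2112]: Accepted publickey for vmanage-admin from 10.0.0.5 port 51234 ssh2: RSA SHA256:AAAA
Jan 14 03:15:02 vmanage sshd[2140]: Accepted publickey for vmanage-admin from 203.0.113.45 port 40022 ssh2: ED25519 SHA256:BBBB
Jan 14 03:16:10 vmanage useradd[2201]: new user: name=svc-backup, UID=1002, GID=1002, home=/home/svc-backup, shell=/bin/bash
Jan 14 03:20:31 vmanage sshd[2255]: Accepted publickey for root from 203.0.113.45 port 40100 ssh2: ED25519 SHA256:BBBB
Jan 14 03:30:00 vmanage sshd[2290]: Accepted password for admin from 10.0.0.7 port 50010 ssh2
Jan 14 03:44:09 vmanage userdel[2310]: delete user 'svc-backup'
"""

ALLOWED_SOURCES = [ip_network("10.0.0.0/24")]  # assumed allowlist of management hosts

ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")
USERDEL_RE = re.compile(r"userdel\[\d+\]: delete user '(?P<user>[^']+)'")

def triage_auth_log(text: str, allowed=ALLOWED_SOURCES) -> List[Dict[str, str]]:
    """One finding per auth.log line that matches an indicator named in the advisory."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            src = ip_address(m.group("ip"))
            trusted = any(src in net for net in allowed)
            if m.group("user") == "vmanage-admin" and m.group("method") == "publickey" and not trusted:
                findings.append({"type": "vmanage-admin publickey login from unlisted source",
                                 "who": str(src), "line": line})
            elif m.group("user") == "root":
                findings.append({"type": "root SSH session", "who": str(src), "line": line})
            continue
        m = USERADD_RE.search(line)
        if m:
            findings.append({"type": "account created", "who": m.group("user"), "line": line})
        m = USERDEL_RE.search(line)
        if m:
            findings.append({"type": "account deleted", "who": m.group("user"), "line": line})
    return findings

if __name__ == "__main__":
    for f in triage_auth_log(SAMPLE_AUTH_LOG):
        print(f"[{f['type']}] {f['who']}: {f['line']}")
```

Because an attacker with root can truncate these files, run the same logic against the copy forwarded to external log storage (recommendation 4) rather than only the on-box file.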

3. Restrict Network Access to SD-WAN Control Components

Implement ACLs, security group rules, and firewall rules to restrict traffic to ports 22 and 830 on SD-WAN controllers. Allow only known controller IPs and authorized management hosts. Prevent access from unsecured networks — particularly the internet — to SD-WAN management and control plane interfaces. Deploy controllers behind filtering devices and consider a two-layer firewall architecture.

4. Enable External Log Storage and Enhanced Monitoring

Forward all SD-WAN system logs to external, centralized logging infrastructure (e.g., a SIEM solution) to prevent log tampering by a threat actor with root access. Monitor for unexpected traffic patterns, unauthorized peering events, software version changes, and unusual administrative activity. Retain logs for a sufficient duration to support post-incident investigation.

5. Harden SD-WAN Administrative Access

Disable HTTP access to the Cisco Catalyst SD-WAN Manager web UI and use SSL/TLS with certificates from a trusted certificate authority. Change all default administrator passwords to strong, unique alternatives and create role-based user accounts with minimum necessary privileges. Disable unnecessary network services including HTTP and FTP. Refer to the Cisco Catalyst SD-WAN Hardening Guide for comprehensive guidance.


MITRE ATT&CK TTPs

Tactic | Technique | Sub-technique
Initial Access | T1190: Exploit Public-Facing Application |
Privilege Escalation | T1068: Exploitation for Privilege Escalation |
Privilege Escalation | T1078: Valid Accounts |
Persistence | T1098: Account Manipulation | T1098.004: SSH Authorized Keys
Persistence | T1136: Create Account |
Defense Evasion | T1070: Indicator Removal | T1070.003: Clear Command History
Defense Evasion | T1601: Modify System Image | T1601.001: Patch System Image
Defense Evasion | T1036: Masquerading |
Lateral Movement | T1021: Remote Services | T1021.004: SSH
Impact | T1529: System Shutdown/Reboot |
Resource Development | T1588: Obtain Capabilities | T1588.006: Vulnerabilities

References

  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
  • https://blog.talosintelligence.com/uat-8616-sd-wan/
  • https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
  • https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-priv-E6e8tEdF
