Cisco Catalyst SD-WAN Exploitation Threat Report
TL;DR
Cisco Talos reports ongoing exploitation of CVE-2026-20127 in the Cisco Catalyst SD-WAN Controller, which allows unauthorized remote access. The activity is attributed to a sophisticated threat actor, tracked as UAT-8616, that targets critical infrastructure.
Main Analysis
Cisco Talos has identified active exploitation of a critical vulnerability (CVE-2026-20127) in the Cisco Catalyst SD-WAN Controller that lets unauthenticated attackers bypass authentication and obtain administrative privileges. The vulnerability is triggered by a crafted request, after which the attacker can operate as a high-privileged user. The threat actor behind the campaign, designated UAT-8616, uses advanced techniques, including downgrading the controller software to a version affected by a second vulnerability (CVE-2022-20775) in order to gain root access.
Analysis reveals that this exploitation trend has persisted for at least three years, with attackers consistently targeting network edge devices to establish footholds within high-value organizations, particularly in critical infrastructure sectors. Such activities highlight a strategic focus on vulnerable entry points that facilitate deeper penetration into networks and systems.
Cisco Talos urges vigilance, in particular close scrutiny of peering events in Cisco Catalyst SD-WAN logs, since these are the primary means of detecting initial unauthorized access through CVE-2026-20127. Given the sophistication of UAT-8616, an organization may be compromised even when its control connection activity looks normal at first glance, so a meticulous review of control connection events is necessary.
Defensive Context
Organizations using Cisco Catalyst SD-WAN technology should prioritize an analysis of their environment to identify potential indicators of compromise as outlined in the report. Specifically, those in sectors related to critical infrastructure should be particularly attentive, as they may be disproportionately targeted. Conversely, smaller businesses or those without reliance on Cisco’s SD-WAN solutions may find this threat less relevant.
Why This Matters
The risk presented by UAT-8616 is high, because it targets network devices that serve as critical points of access and control. Organizations that run Cisco SD-WAN solutions, particularly in sensitive or critical sectors, should treat this as a priority: an unpatched controller gives an attacker a direct route to administrative control.
Defender Considerations
While specific mitigation steps are not delineated, organizations should review their logs rigorously. They should examine control connection events and verify every peering attempt against operational records (the peer inventory and approved change windows). Such diligence helps surface unauthorized access attempts, particularly those indicative of UAT-8616 exploitation.
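The review described above (in the Main Analysis and again here) amounts to a simple join between control connection events and operational records. The following is an added example, not Cisco's tooling or anything from the Talos report: it parses constructed, generic "timestamp event key=value" log lines (the real Catalyst SD-WAN export format differs, so parse_event() would need adapting) and flags peer_connect events whose source address is not in the peer inventory or whose timestamp falls outside an approved change window. The sample log lines, the peer inventory network and the change window are all constructed values, not data from the report.

```python
"""Triage of control-connection (peering) events against operational records.

Added example, not Cisco's tooling. The log line format below is a constructed,
generic one (timestamp, event, key=value fields); real Catalyst SD-WAN logs
differ, so adapt parse_event() to the actual export you review.
"""
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample log lines (documentation address ranges): an inventoried
# peer connecting during an approved window, an address that is not in the
# inventory, and a known peer connecting outside any approved window.
SAMPLE_LOGS = [
    "2026-02-10T09:15:02Z peer_connect src=198.51.100.10 peer_id=vedge-01 state=up",
    "2026-02-10T09:16:40Z peer_connect src=203.0.113.77 peer_id=vedge-01 state=up",
    "2026-02-11T02:47:13Z peer_connect src=198.51.100.11 peer_id=vedge-02 state=up",
    "2026-02-11T02:48:00Z peer_disconnect src=198.51.100.11 peer_id=vedge-02 state=down",
]

# Constructed operational records: inventoried peer address ranges (from the
# asset inventory) and approved change windows (from the change calendar), UTC.
KNOWN_PEER_NETS = [ip_network("198.51.100.0/24")]
CHANGE_WINDOWS = [
    (datetime(2026, 2, 10, 8, 0, tzinfo=timezone.utc),
     datetime(2026, 2, 10, 18, 0, tzinfo=timezone.utc)),
]

# Hypothetical line layout: "<ISO-8601 timestamp> <event> k=v k=v ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+(?P<fields>.*)$")


def parse_event(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return {"ts": ts, "event": m.group("event"), **fields}


def in_change_window(ts, windows):
    """True if the timestamp lies inside any approved change window."""
    return any(start <= ts <= end for start, end in windows)


def peer_is_inventoried(src, nets):
    """True if the source address belongs to an inventoried peer range."""
    addr = ip_address(src)
    return any(addr in net for net in nets)


def triage_peering(lines, known_nets=KNOWN_PEER_NETS, windows=CHANGE_WINDOWS):
    """Flag peer_connect events that do not match operational records.

    Returns a list of (timestamp, source, reasons). An inventoried peer
    connecting inside an approved window produces no finding; disconnects
    and unparsable lines are skipped.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event"] != "peer_connect":
            continue
        reasons = []
        if not peer_is_inventoried(ev["src"], known_nets):
            reasons.append("source not in peer inventory")
        if not in_change_window(ev["ts"], windows):
            reasons.append("outside approved change window")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["src"], reasons))
    return findings


if __name__ == "__main__":
    for ts, src, reasons in triage_peering(SAMPLE_LOGS):
        print(f"{ts} {src}: {'; '.join(reasons)}")
```

A finding here is a starting point for review, not a verdict: a peer from an uninventoried address, or one that establishes a control connection with no matching change record, should be checked against the device owner and the change calendar before it is either closed or escalated.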
Indicators of Compromise (IOCs)
- CVE-2026-20127
- CVE-2022-20775
- Malicious user account activity
- Log entries indicative of unauthorized SSH key access and interactions
- Anomalies in peering connections such as those from unrecognized IP addresses or abnormal operational timestamps