Cisco has issued an alert about a critical authentication bypass vulnerability affecting its Catalyst SD WAN platform after confirmed exploitation allowed attackers to access network controllers and introduce unauthorized devices into enterprise environments. The Cisco SD-WAN vulnerability, tracked as CVE 2026 20127, carries a severity score of 10.0 and impacts both Catalyst SD WAN Controller and Catalyst SD WAN Manager deployments across on-premises and cloud-based installations.
The vulnerability exists due to a failure in the system peering authentication process. Attackers can send specially crafted requests to affected controllers and gain access as a privileged internal user. Once authenticated, the attacker can reach management interfaces and modify network configurations across the SD WAN fabric.
Active Exploitation Allows Unauthorized Network Access
Cisco confirmed that threat actors actively exploited the Cisco SD-WAN vulnerability in real world attacks. Security researchers observed attackers adding rogue peers into targeted SD WAN environments. These unauthorized systems appeared legitimate within the network and established encrypted communication channels controlled by the attacker.
Catalyst SD WAN connects branch offices, data centers, and cloud systems through centralized controllers that manage traffic routing. By inserting a rogue peer, attackers can advertise malicious network routes and move deeper into organizational infrastructure. This access may allow monitoring of traffic flows or further system compromise.
Cisco Talos tracked the activity under a threat cluster identified as UAT 8616. Telemetry data indicates exploitation activity may date back to 2023. Intelligence findings suggest attackers downgraded software versions to exploit an earlier vulnerability, CVE 2022 20775, which enabled escalation to root level access.
After gaining elevated privileges, attackers reportedly restored systems to their original software versions. This method allowed continued privileged access while reducing visible signs of intrusion within system logs.
Security Guidance And Detection Measures Released
Cybersecurity agencies released coordinated guidance after confirming ongoing exploitation attempts targeting SD WAN deployments worldwide. Administrators are advised to review authentication logs and monitor for unexpected peering activity across controller systems linked to the Cisco SD-WAN vulnerability.
Security teams should examine authentication records for unknown login attempts involving administrative accounts. Entries showing successful key based access from unfamiliar network addresses may indicate compromise. Administrators should compare detected addresses with approved system IP listings within management interfaces.
Additional warning signs include unexpected creation or deletion of user accounts, unauthorized secure shell keys, unexplained root level logins, and configuration changes enabling elevated access permissions. Missing or unusually small log files may also signal attempts to erase forensic evidence.
Experts also recommend reviewing system debug and synchronization logs to detect software downgrade events or abnormal reboot activity linked to privilege escalation attempts. Organizations detecting suspicious behavior are advised to treat affected systems as compromised environments.
To strengthen defenses, administrators should restrict exposure of SD WAN management interfaces and ensure controllers remain protected behind secured network boundaries. External log storage is recommended to preserve forensic data and prevent tampering during incident response investigations.
Cisco has released software updates that address the Cisco SD-WAN vulnerability and stated that upgrading to fixed software versions remains the only complete remediation method. Security teams are encouraged to apply updates immediately and continue monitoring controller activity for unusual authentication or configuration changes.
Visit CyberPro Magazine to read more.
