- Cisco Catalyst SD-WAN zero-day (CVE-2026-20127) exploited since at least 2023
- The flaw allowed attackers to add malicious peers and manipulate network configurations.
- CISA added the bug to the KEV catalog, ordering urgent fixes; the activity is linked to the UAT-8616 threat group
“Highly sophisticated” threat actors have allegedly exploited a zero-day vulnerability in Cisco Catalyst SD-WAN for more than two years, the company has revealed.
Cisco’s cybersecurity arm, Talos, has released a new report saying it observed a critical authentication vulnerability actively exploited by crooks who used it to compromise controllers and add malicious peers to target networks.
The vulnerability is now tracked as CVE-2026-20127 and carries a maximum severity score – 10/10 (critical).
CISA adds it to KEV
The National Vulnerability Database (NVD) says the bug exists “because the peering authentication mechanism in an affected system is not functioning properly,” allowing malicious actors to send specially crafted requests to exploit it.
“A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN controller as a non-root internal user account with elevated privileges. Using this account, the attacker could gain access to NETCONF, which would then allow the attacker to manipulate the network configuration of the SD-WAN fabric,” the entry continues.
The Talos report attributes the abuse to a group tracked as UAT-8616, with activity dating back to at least 2023. The attacks reportedly began by downgrading the SD-WAN software to an older, vulnerable version and then exploiting that version to gain root access. After the intrusion, the attackers restored the original software version to cover their tracks.
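The downgrade-then-restore pattern described above leaves a trace a defender can look for: a controller's software version drops and then returns to the earlier release within a short window. The script below is an added illustration of that check, not Cisco's or Talos's code. It reads a hypothetical inventory export (one line per observation: host, ISO timestamp, version) and flags transient downgrades; the hostnames, timestamps and version strings are constructed placeholders, not the affected or fixed releases, and a real deployment would source the version history from the controller's own inventory or audit records.

```python
"""Flag transient software-version downgrades in a controller's version history.

Added example, not code from Cisco, Talos or the article. The input format
(host, ISO-8601 timestamp, dotted version) is a hypothetical inventory export;
all hosts, times and versions below are constructed placeholders.
"""
from datetime import datetime

# Constructed sample observations: vmanage-01 drops to an older release for a
# few hours and comes back; vmanage-02 only ever moves forward.
SAMPLE = """\
vmanage-01 2025-03-01T00:00:00 20.12.4
vmanage-01 2025-03-02T00:00:00 20.12.4
vmanage-01 2025-03-03T01:15:00 20.9.1
vmanage-01 2025-03-03T06:40:00 20.12.4
vmanage-02 2025-03-01T00:00:00 20.12.4
vmanage-02 2025-03-02T00:00:00 20.12.5
"""


def parse_version(v: str) -> tuple[int, ...]:
    """'20.12.4' -> (20, 12, 4), so versions compare numerically rather than
    as strings ('20.9.1' < '20.12.4' is only true numerically)."""
    return tuple(int(part) for part in v.split("."))


def parse_snapshots(text: str) -> dict[str, list[tuple[datetime, str]]]:
    """Group observations by host and sort each host's history by time."""
    by_host: dict[str, list[tuple[datetime, str]]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, ts, ver = line.split()
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), ver))
    for history in by_host.values():
        history.sort()
    return by_host


def find_transient_downgrades(text: str) -> list[dict]:
    """Return one finding per observed downgrade. If a later observation is at
    or above the pre-downgrade version, record when it was restored and how
    long the host ran the older release; a downgrade with no restore is still
    reported (restored_at is None) because it also deserves a look."""
    findings = []
    for host, history in parse_snapshots(text).items():
        for i in range(1, len(history)):
            prev_t, prev_v = history[i - 1]
            cur_t, cur_v = history[i]
            if parse_version(cur_v) >= parse_version(prev_v):
                continue  # same version or an upgrade: nothing to flag
            restore = next(
                ((t, v) for t, v in history[i + 1:]
                 if parse_version(v) >= parse_version(prev_v)),
                None,
            )
            window = (
                round((restore[0] - cur_t).total_seconds() / 3600, 2)
                if restore else None
            )
            findings.append({
                "host": host,
                "downgraded_at": cur_t.isoformat(),
                "from": prev_v,
                "to": cur_v,
                "restored_at": restore[0].isoformat() if restore else None,
                "window_hours": window,
            })
    return findings


if __name__ == "__main__":
    for finding in find_transient_downgrades(SAMPLE):
        print(finding)
```

The check deliberately reports every downgrade, not only those followed by a restore: an attacker who has not yet cleaned up looks the same as an unfinished rollback, and both warrant a look at the controller's login and NETCONF activity for the window in question.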
The US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its KEV catalog on Wednesday, confirming reports of abuse in the wild and giving Federal Civilian Executive Branch (FCEB) agencies just two days to fix or stop using the product altogether. Usually, CISA gives FCEB agencies three weeks to respond, but in this case the bug was said to pose a major threat.
UAT-8616 appears to be a newly named threat group, as there are no public records linking this name to earlier attacks.
Via BleepingComputer