Australia’s peak cyber security agency has joined its Five Eyes counterparts to release an emergency directive warning of a critical vulnerability in Cisco SD-WAN systems.
CVE-2026-20127 – disclosed on 25 February – has a perfect 10 CVSS score and is an authentication bypass in the peering authentication mechanism of the Cisco Catalyst SD-WAN Controller and SD-WAN Manager.
If exploited – and it most certainly appears to have been – this could allow a remote attacker to bypass authentication and obtain administrative privileges.
“A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account,” the vulnerability’s CVE listing said.
“Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”
In its own warning, the Australian Cyber Security Centre (ACSC) noted the global nature of the exploitation.
“Malicious cyber threat actors are targeting SD-WANs of organisations, globally,” the ACSC said.
“These actors exploited a Cisco Catalyst SD-WAN controller authentication bypass vulnerability, CVE-2026-20127. After exploitation of this vulnerability, the malicious actors add a rogue peer, and eventually gain root access to establish long-term persistence in SD-WANs.”
US Cybersecurity and Infrastructure Security Agency (CISA) acting director Dr Madhu Gottumukkala said in CISA’s own advisory that the agency was still working despite an ongoing shutdown.
“CISA remains unwavering in its commitment to protect our federal networks from malicious cyber threat actors despite the multi-week government shutdown of the Department of Homeland Security (DHS),” Gottumukkala said.
“Operational disruptions create strain and uncertainty, give our adversaries unnecessary advantages, and force our frontline cyber security experts to carry out critical work without pay. Based on collaboration with international partners and CISA’s forensic analysis, the ease with which these vulnerabilities can be exploited demands immediate action from all federal agencies. We urge all entities to implement the measures outlined in this emergency directive without delay.”
Cisco Talos’ own report goes into further detail on the nature of the exploitation.
“Talos clusters this exploitation and subsequent post-compromise activity as ‘UAT-8616’ whom we assess with high confidence is a highly sophisticated cyber threat actor,” Talos said in a blog post.
“After the discovery of active exploitation of the zero-day in the wild, we were able to find evidence that the malicious activity went back at least three years (2023). Investigation conducted by intelligence partners identified that the actor likely escalated to root user via a software version downgrade. The actor then reportedly exploited CVE-2022-20775 before restoring back to the original software version, effectively allowing them to gain root access.”
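The post-compromise chain described by the ACSC and Talos above (a rogue peer is added, the controller is downgraded, an older flaw is exploited, and the original version is restored) lends itself to a simple hunt heuristic. The following is an added example, not code from Cisco, Talos or the agencies quoted here: it runs two checks over a constructed, simplified event list whose field layout is invented for illustration and is not Cisco's real audit-log format.

```python
from datetime import datetime, timedelta

# Constructed sample events for this example: (ISO timestamp, event, key=value details).
# The field layout is illustrative only and is not Cisco's audit-log format.
SAMPLE_EVENTS = [
    ("2023-06-01T01:12:00", "peer_added", "peer=10.9.9.9"),
    ("2023-06-01T01:30:00", "version_change", "from=20.9.3 to=20.6.1"),
    ("2023-06-01T02:05:00", "version_change", "from=20.6.1 to=20.9.3"),
    ("2023-06-02T09:00:00", "version_change", "from=20.9.3 to=20.12.1"),
]
# Peers the operator actually provisioned (constructed allow-list).
KNOWN_PEERS = {"10.1.1.1", "10.1.1.2"}

def parse_version(text):
    """'20.9.3' -> (20, 9, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))

def parse_fields(detail):
    return dict(kv.split("=", 1) for kv in detail.split())

def rogue_peers(events, known_peers):
    """Peers added to the fabric that are not on the provisioning allow-list."""
    return [parse_fields(d)["peer"] for _, e, d in events
            if e == "peer_added" and parse_fields(d)["peer"] not in known_peers]

def downgrade_then_restore(events, window_hours=24):
    """Flag a downgrade followed by a return to the original version within the window."""
    changes = []
    for ts, e, d in events:
        if e == "version_change":
            f = parse_fields(d)
            changes.append((datetime.fromisoformat(ts), parse_version(f["from"]),
                            parse_version(f["to"])))
    changes.sort()
    window = timedelta(hours=window_hours)
    findings = []
    for i, (t0, orig, low) in enumerate(changes):
        if low >= orig:
            continue  # an upgrade or no-op, not a downgrade
        for t1, frm, to in changes[i + 1:]:
            if t1 - t0 > window:
                break  # restoration too far away to be the same episode
            if frm == low and to == orig:
                findings.append((t0.isoformat(), ".".join(map(str, orig)),
                                 ".".join(map(str, low)), t1.isoformat()))
                break
    return findings

if __name__ == "__main__":
    print("unexpected peers:", rogue_peers(SAMPLE_EVENTS, KNOWN_PEERS))
    print("downgrade/restore:", downgrade_then_restore(SAMPLE_EVENTS))
```

A genuine operator rollback would also match the second check, so a hit is a lead for the forensic review Cisco recommends rather than a verdict on its own.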
Douglas McKee, Rapid7’s director of vulnerability intelligence, explained some further details on the threat actor’s likely operations to media outlet Cyberscoop.
“When exploitation dates back to at least 2023 and public discovery happens in late 2025, that multi-year gap suggests highly controlled operations,” McKee said.
According to McKee, while mass exploitation can typically be “noisy”, this stealthier activity is even more alarming.
“Quiet, targeted access against infrastructure devices can persist far longer. Especially if these systems are not directly internet-facing and are instead accessed through trusted internal paths or management networks,” McKee said.
“A detection gap like this points to a sophisticated actor capable of maintaining persistence in high-value network infrastructure without triggering broad alarms.”
CISA and its partners recommend that concerned network defenders immediately inventory affected devices, collect virtual snapshots, patch, hunt for evidence of compromise, and implement all of Cisco’s recommendations.
Ryan Dewhurst, cyber security firm watchTowr’s head of proactive threat intelligence, told Cyber Daily overnight what a typical response may entail.
“Unfortunately, this means that for users of Cisco’s Catalyst SD-WAN Controller, patching will not be enough, regardless of speed – Cisco’s advice to fully rebuild and look for prior signs of intrusion should be taken seriously,” Dewhurst said.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.