Cisco Patches Catalyst SD-WAN Zero-Day Exploited by Highly Sophisticated Hackers

CISA orders federal agencies to patch within 48 hours after sophisticated threat actors exploit authentication bypass flaw.

Cisco has released emergency security updates to address a critical zero-day vulnerability in its Catalyst SD-WAN platform that has been actively exploited by advanced threat actors.

The flaw, tracked as CVE-2026-20127 and rated 10/10 in severity, allows remote, unauthenticated attackers to bypass authentication and gain administrative privileges on affected systems.

Authentication Bypass Enables Administrative Access

According to Cisco, the vulnerability impacts the peering authentication mechanism in:

  • Cisco Catalyst SD-WAN Controller
  • Cisco Catalyst SD-WAN Manager

By sending specially crafted requests to internet-exposed devices, attackers can log in as an internal, high-privileged (non-root) account without valid credentials.

Once authenticated, threat actors can access the NETCONF interface, enabling them to manipulate network configurations across the SD-WAN fabric. This level of access poses significant risks to enterprise and government network environments.

Patches Released for Multiple Versions

Cisco has issued fixes in the following Catalyst SD-WAN releases:

  • 20.12.6.1
  • 20.12.5.3
  • 20.15.4.2
  • 20.18.2.1

The company confirmed that version 20.9.8.2 will also include the patch upon its release.

Cisco acknowledged “limited exploitation” of the vulnerability and published indicators of compromise (IoCs) to help organizations detect malicious activity targeting exposed SD-WAN deployments.

CISA Adds Flaw to KEV Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20127 to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday.

CISA also issued Emergency Directive 26-03, mandating that federal civilian agencies patch affected systems within two days.

In addition, the agency included an older Cisco vulnerability, CVE-2022-20775, in the directive. That high-severity path traversal flaw, disclosed in 2022, allows authenticated attackers to execute arbitrary commands with root privileges.

Threat Actors Chained Two Vulnerabilities

According to Cisco Talos and intelligence partners across the Five Eyes alliance, attackers chained the two vulnerabilities to maximize impact.

The campaign has been attributed to a sophisticated threat cluster tracked as UAT-8616, active since at least 2023. Investigators say the group:

  1. Exploited CVE-2026-20127 to bypass authentication
  2. Created an administrative account on targeted systems
  3. Downgraded the software to a version vulnerable to CVE-2022-20775
  4. Leveraged the older flaw to gain persistent root-level access

Talos has not publicly linked UAT-8616 to a specific country or known threat group. However, the intelligence unit recently reported that another China-linked cluster, UAT-9686, exploited a separate Cisco zero-day in 2025.

Federal Agencies Ordered to Audit and Patch

Under Emergency Directive 26-03, federal agencies must:

  • Inventory all Catalyst SD-WAN assets
  • Ensure logs are stored externally
  • Collect specified forensic artifacts
  • Upgrade to patched software versions immediately

The directive underscores growing concerns about network infrastructure being targeted by highly capable adversaries seeking long-term persistence.
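As an added defender-side illustration (not part of the original article, and not Cisco or CISA tooling): a small Python helper that flags inventoried Catalyst SD-WAN versions not on a fixed release listed above, and spots a device whose recorded version moved backwards between inventory snapshots, the kind of software downgrade described in step 3 of the attack chain. Device names, timestamps and the older version in the sample history are constructed; 20.9.8.2 is announced but not yet released, so the 20.9 train is treated as unpatched.

```python
# Fixed releases named in the advisory summary above. 20.9.8.2 is not yet
# released, so it is deliberately left out (assumption: unpatched until then).
FIXED_VERSIONS = ["20.12.6.1", "20.12.5.3", "20.15.4.2", "20.18.2.1"]


def parse_version(s: str) -> tuple:
    """Split a Catalyst SD-WAN version string like '20.12.5.3' into ints."""
    parts = s.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {s!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """True only if the version sits on a fixed maintenance branch
    (same major.minor.patch as a listed fix) at or above that fix.
    Branches with no listed fix are treated conservatively as unpatched,
    so 20.12.6.0 and 20.12.4.x both come back False."""
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if v[:3] == f[:3] and v[3] >= f[3]:
            return True
    return False


def find_downgrades(history):
    """history: iterable of (device, iso_timestamp, version) snapshots.
    Returns (device, old_version, new_version) for each time a device's
    recorded version went backwards, ordered by timestamp."""
    latest = {}
    findings = []
    for device, ts, version in sorted(history, key=lambda r: r[1]):
        prev = latest.get(device)
        if prev is not None and parse_version(version) < parse_version(prev):
            findings.append((device, prev, version))
        latest[device] = version
    return findings


# Constructed sample inventory snapshots; names and versions are illustrative.
SAMPLE_HISTORY = [
    ("vmanage-1", "2026-02-20T10:00", "20.12.5.3"),
    ("vmanage-1", "2026-02-22T10:00", "20.9.7.1"),
    ("vsmart-1", "2026-02-20T10:00", "20.15.4.2"),
    ("vsmart-1", "2026-02-22T10:00", "20.15.4.2"),
]

if __name__ == "__main__":
    for dev, _, ver in SAMPLE_HISTORY:
        print(dev, ver, "patched" if is_patched(ver) else "UNPATCHED")
    print("downgrades:", find_downgrades(SAMPLE_HISTORY))
```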

Additional Security Fixes Announced

Alongside the zero-day patch, Cisco also addressed:

  • Five vulnerabilities in Catalyst SD-WAN Manager, including a critical API authentication bypass
  • Nine additional high- and medium-severity flaws affecting other Cisco products

The company stated it is not aware of active exploitation targeting those additional issues.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO