Cisco SD-WAN Zero-Day Exploit Targets Network Edge Devices Worldwide
Critical Cisco SD-WAN vulnerability CVE-2026-20127 is actively exploited, allowing remote attackers to gain admin access. Cisco urges immediate patching of affected Catalyst SD-WAN Controller and Manager versions to prevent network compromise.
A critical Cisco security vulnerability has been actively exploited, putting numerous enterprises at risk. The vulnerability, identified as CVE-2026-20127, has the highest severity level, with a CVSS score of 10.0. It affects the Cisco Catalyst SD-WAN Controller (the central system that governs and controls communication between SD-WAN devices) and SD-WAN Manager systems (the web-based platform used to configure, monitor, and manage the whole SD-WAN network), both of which are commonly used to manage enterprise networks.
According to Cisco, this SD-WAN zero-day vulnerability enables an attacker to bypass authentication and obtain administrator access without valid login credentials. To put it simply, an attacker can send a specially crafted request and gain access to the system as a high-privileged user. Once inside, they can modify network settings, access sensitive data, and manage parts of the SD-WAN infrastructure.
The flaw impacts multiple deployment types, including On-Prem deployments, Cisco Hosted SD-WAN Cloud, Cisco Hosted SD-WAN Cloud – Cisco Managed, and the FedRAMP environment. Cisco has confirmed that systems exposed to the internet with open ports are especially vulnerable to compromise. Several software versions are affected. Devices running versions prior to 20.9.1 must migrate to a fixed release.
Security agencies revealed that attackers have been exploiting this Cisco SD-WAN zero-day vulnerability since 2023. The threat group, identified as UAT-8616, created rogue network devices, escalated privileges, and removed logs to hide their activity. They also chained this flaw with an older vulnerability (CVE-2022-20775) to gain root access. Even more alarming, they downgraded the software to an older release, exploited a vulnerability in that release, and then restored the original version to conceal the attack. They also created fake user accounts, installed SSH keys for persistent remote access, and deleted system logs to eliminate evidence.
Cisco has published software updates that address the vulnerability, and users are strongly advised to upgrade immediately. Systems reachable from the internet are especially exposed. Cisco also recommends reviewing system logs for unusual login activity and unexpected source IP addresses.
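The two pieces of defender advice above (migrate anything older than 20.9.1, and review logs for unusual logins and IP addresses) can be turned into a small offline hunt. The script below is an added example, not code from the article, from Cisco, or from The Hacker News. The inventory, the management-network allowlist, the hostnames and IPs, and the syslog-like audit-log format are all constructed for the example; real Catalyst SD-WAN Manager logs use a different format, so the parser would need adapting. It flags nodes running a release earlier than 20.9.1, and it scans the constructed log for the activity the article attributes to the intrusions: successful logins from outside the management networks, new local accounts, SSH keys added, software downgrades, and log clearing.

```python
"""Offline hunt for the indicators described in the article (added example)."""
import ipaddress
import re
from collections import defaultdict

# From the article: releases prior to 20.9.1 must migrate to a fixed release.
MIN_FIXED_RELEASE = (20, 9, 1)

# Constructed inventory: hostname -> running release string (hypothetical hosts).
INVENTORY = {
    "vmanage-01": "20.6.3",
    "vsmart-01": "20.9.1",
    "vmanage-02": "20.12.1",
}

# Constructed allowlist: networks from which admin logins are expected.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed audit log (syslog-like key=value lines; not a real Cisco format).
SAMPLE_LOG = """\
2026-01-05T09:12:01Z vmanage-01 auth: user=admin src=10.1.2.3 result=success
2026-01-05T23:41:17Z vmanage-01 auth: user=admin src=203.0.113.77 result=success
2026-01-05T23:42:05Z vmanage-01 user: action=create user=svc_backup role=netadmin
2026-01-05T23:43:20Z vmanage-01 ssh: action=add_authorized_key user=svc_backup
2026-01-05T23:50:00Z vmanage-01 software: action=install from=20.6.3 to=20.4.1
2026-01-06T00:30:00Z vmanage-01 software: action=install from=20.4.1 to=20.6.3
2026-01-06T00:31:10Z vmanage-01 log: action=clear target=auth.log
2026-01-06T08:00:00Z vsmart-01 auth: user=admin src=10.1.2.3 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<kv>.*)$")


def parse_version(version: str) -> tuple:
    """'20.9.1' -> (20, 9, 1) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def needs_migration(version: str) -> bool:
    """True when the release is older than the first fixed release named in the article."""
    return parse_version(version) < MIN_FIXED_RELEASE


def outdated_hosts(inventory: dict = INVENTORY) -> list:
    """Hosts whose running release is older than 20.9.1."""
    return sorted(host for host, ver in inventory.items() if needs_migration(ver))


def parse_line(line: str):
    """Split one constructed log line into timestamp, host, facility and key=value fields."""
    match = LINE_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["fields"] = dict(token.split("=", 1) for token in rec.pop("kv").split())
    return rec


def is_expected_source(ip: str, nets=ADMIN_NETS) -> bool:
    """Is the login source inside one of the allowlisted management networks?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def hunt(log_text: str, nets=ADMIN_NETS) -> dict:
    """Return {host: [(timestamp, description), ...]} for lines matching the described TTPs."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real hunt would count these too
        host, ts, fac, f = rec["host"], rec["ts"], rec["facility"], rec["fields"]
        if fac == "auth" and f.get("result") == "success" and not is_expected_source(f["src"], nets):
            findings[host].append((ts, f"successful login from unexpected source {f['src']}"))
        elif fac == "user" and f.get("action") == "create":
            findings[host].append((ts, f"local account created: {f['user']} role={f.get('role')}"))
        elif fac == "ssh" and f.get("action") == "add_authorized_key":
            findings[host].append((ts, f"SSH authorized key added for {f['user']}"))
        elif fac == "software" and f.get("action") == "install":
            # Only a move to an OLDER release is a downgrade; the later re-upgrade is not flagged.
            if parse_version(f["to"]) < parse_version(f["from"]):
                findings[host].append((ts, f"software downgrade {f['from']} -> {f['to']}"))
        elif fac == "log" and f.get("action") == "clear":
            findings[host].append((ts, f"log cleared: {f.get('target')}"))
    return dict(findings)


if __name__ == "__main__":
    print("hosts needing migration:", outdated_hosts())
    for host, items in hunt(SAMPLE_LOG).items():
        print(host)
        for ts, desc in items:
            print(f"  {ts}  {desc}")
```

Run against the constructed data, the inventory check reports only vmanage-01, and the hunt reports five findings on vmanage-01 (the off-network admin login, the new account, the SSH key, the 20.6.3 to 20.4.1 downgrade, and the cleared auth log) while the restoring upgrade and the on-network login on vsmart-01 are left alone. The sequence of downgrade followed by re-upgrade and log clearing is exactly why the downgrade rule is worth keeping even though each install on its own looks routine.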
The US Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies have been directed to patch affected Cisco SD-WAN devices within 24 hours and examine systems for signs of compromise. This incident demonstrates the growing threat to network edge devices and organizational cybersecurity. To prevent future attacks, organizations running Cisco SD-WAN must install the updates, monitor their logs, and strengthen their security posture.
This article is based on information from The Hacker News