Critical Cisco SD‑WAN Zero‑Day Vulnerability Actively Exploited Since 2023

    Rameses Quiambao

    Summary

    On February 26, 2026, Cisco disclosed a critical zero‑day vulnerability in its Catalyst SD‑WAN products that has been actively exploited in the wild since at least 2023 by a sophisticated threat actor. The flaw allows unauthenticated attackers to bypass authentication controls and gain administrative access to SD‑WAN controllers.

    The vulnerability:
    • CVE‑2026‑20127

    Exploitation enables attackers to manipulate network configurations and potentially establish long‑term persistence within affected SD‑WAN environments.

    Research Source

    According to Cisco’s advisory and reports from cybersecurity authorities, this zero‑day affects both Cisco Catalyst SD‑WAN Controller (formerly SD‑WAN vSmart) and Cisco Catalyst SD‑WAN Manager (formerly SD‑WAN vManage). Evidence suggests that a threat cluster tracked as UAT‑8616 has been leveraging the flaw since at least 2023, allowing attackers to add malicious peers and gain persistent access to enterprise SD‑WAN infrastructures.

    Advisories from multiple national cybersecurity agencies, including CISA and the Australian Cyber Security Centre, have urged immediate patching and comprehensive compromise assessments of affected SD‑WAN deployments.

    Technical Details

    CVE‑2026‑20127 is a critical authentication bypass vulnerability in the SD‑WAN peering mechanism. Due to improper validation in the authentication process, a remote, unauthenticated attacker can send crafted requests to log into the system as a high‑privileged internal user. From there, the attacker can interact with NETCONF to modify network configurations of the SD‑WAN fabric.

    The flaw has a CVSS score of 10.0 (Critical) and affects SD‑WAN controllers regardless of configuration. Cisco has released patches, but no effective workarounds exist.

    Observed Attack Activity

    Security analysts have noted the following behavior associated with this exploitation:
    • Unauthorized administrative logins to SD‑WAN controllers.
    • Addition of rogue peer connections in the SD‑WAN fabric.
    • Manipulation of routing and network configuration.
    • Privilege escalation through downgrade attacks chained with follow‑up exploits to obtain full control of the controller.

    The compromised SD‑WAN infrastructure could serve as a long‑term foothold for further lateral movement or espionage activities.

    Impact

    Compromise of SD‑WAN controllers can have serious consequences:
    • Full administrative access to enterprise WAN infrastructure
    • Manipulation of traffic flows and security policies
    • Disruption of network services
    • Potential pivot into internal networks
    • Long‑term persistence and covert control

    Because SD‑WAN controllers orchestrate traffic between branches, cloud environments, and edge devices, a malicious actor with control could significantly compromise an organization’s network integrity.

    Mitigation

    Cisco has released security updates that address CVE‑2026‑20127. Organizations should:
    • Apply available patches immediately, prioritizing SD‑WAN controllers.
    • Inventory all SD‑WAN systems and verify their versions against fixed releases.
    • Review controller logs for unauthorized peering events and unusual authentication attempts.
    • Hunt for indicators of compromise such as rogue peers and unauthorized accounts.
    • Implement hardening measures in line with Cisco’s security guidance.
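    The log review and hunting steps above, and the exploitation chain described under Technical Details (a peering‑path login as an internal account, a rogue peer, then NETCONF configuration changes), are illustrated by the following added example. It is not part of the original post and not Cisco’s own tooling. The log line format, the account names, the peer inventory and the management subnet are all constructed for illustration and are not Cisco’s actual syslog schema or field names; a real hunt would map the same checks onto the controller’s exported audit logs and the organization’s own baselines.

```python
"""Hunt SD-WAN controller audit logs for the exploitation artifacts the post lists.

Added example. The log format below is constructed for illustration and is not
Cisco's syslog schema; the account, peer and subnet baselines are hypothetical.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# --- Hypothetical baseline an operator would export from their own inventory ---
APPROVED_ADMINS = {"netadmin"}
# Internal/system accounts that should only ever authenticate from management ranges.
INTERNAL_ACCOUNTS = {"internal-peer-svc"}
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
APPROVED_PEERS = {"vedge-branch-12": ipaddress.ip_address("10.31.4.2")}

# Constructed sample lines (not real Cisco output). One benign admin session,
# then a session matching the described pattern: a peering-path login as an
# internal account from an Internet address, a new peer, a NETCONF edit, a new
# account, and a failed password guess against the real admin.
SAMPLE_LOG = """\
2026-02-20T03:14:07Z controller-1 auth: user=netadmin src=10.20.0.15 result=success method=password
2026-02-20T03:15:22Z controller-1 peer: action=add peer_id=vedge-branch-12 peer_ip=10.31.4.2 by=netadmin
2026-02-21T22:41:09Z controller-1 auth: user=internal-peer-svc src=203.0.113.77 result=success method=peering
2026-02-21T22:41:30Z controller-1 peer: action=add peer_id=vedge-unknown-01 peer_ip=198.51.100.9 by=internal-peer-svc
2026-02-21T22:42:05Z controller-1 netconf: action=edit-config target=running user=internal-peer-svc src=203.0.113.77
2026-02-21T22:43:11Z controller-1 auth: user=svc-backdoor src=203.0.113.77 result=success method=password
2026-02-21T22:43:40Z controller-1 auth: user=netadmin src=203.0.113.77 result=failure method=password
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<kv>.*)$")


@dataclass(frozen=True)
class Finding:
    kind: str
    ts: str
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Split a constructed log line into timestamp/facility plus its key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "facility": m["facility"]}
    for token in m["kv"].split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def from_management(src: str) -> bool:
    """True if src parses as an address inside one of the management ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def hunt(log_text: str) -> list:
    """Return findings for the artifacts the advisory says to hunt for: unknown
    accounts, internal accounts used from outside management ranges, failed logins
    from outside, peers not in the approved inventory, and NETCONF edits made by a
    session that was already flagged or by a non-approved user."""
    findings = []
    suspicious_sessions = set()  # (user, src) pairs already flagged

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        fac = rec["facility"]
        user, src = rec.get("user", ""), rec.get("src", "")

        if fac == "auth":
            if rec.get("result") == "success":
                if user not in APPROVED_ADMINS and user not in INTERNAL_ACCOUNTS:
                    findings.append(Finding("unknown_account", rec["ts"], f"{user} from {src}"))
                    suspicious_sessions.add((user, src))
                elif user in INTERNAL_ACCOUNTS and not from_management(src):
                    findings.append(Finding("internal_account_external_src", rec["ts"],
                                            f"{user} from {src} via {rec.get('method')}"))
                    suspicious_sessions.add((user, src))
            elif rec.get("result") == "failure" and not from_management(src):
                findings.append(Finding("failed_login_external_src", rec["ts"], f"{user} from {src}"))

        elif fac == "peer" and rec.get("action") == "add":
            peer_id, peer_ip = rec.get("peer_id", ""), rec.get("peer_ip", "")
            approved_ip = APPROVED_PEERS.get(peer_id)
            if approved_ip is None or str(approved_ip) != peer_ip:
                findings.append(Finding("rogue_peer", rec["ts"],
                                        f"{peer_id} ({peer_ip}) added by {rec.get('by')}"))

        elif fac == "netconf" and rec.get("action") == "edit-config":
            if (user, src) in suspicious_sessions or user not in APPROVED_ADMINS:
                findings.append(Finding("config_change_suspicious_session", rec["ts"],
                                        f"{user} from {src} edited {rec.get('target')}"))

    return findings


def summarize(findings: list) -> dict:
    """Count findings per kind, for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.kind}] {f.ts} {f.detail}")
```

    Run against the constructed sample, the benign session on 2026‑02‑20 produces nothing, while the second session yields one finding per stage of the described chain. The useful design point is the `suspicious_sessions` set: a NETCONF edit is judged by the session that made it, not by the edit alone, which is how a legitimate‑looking configuration change made through a bypassed login gets surfaced.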

    Threat hunting should also consider older vulnerabilities that may have been chained into this exploit.

    Early detection of exploitation artifacts could prevent further lateral movement or persistent backdoors.

    References:
    • Cybersecurity News: https://cybersecuritynews.com/cisco-sd-wan-0-day-vulnerability/
