INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Cisco SD-WAN Flaw Exploitation Under Attack
2026-03-12 12:45 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
CISA's newly issued emergency directive warns that attackers are actively exploiting vulnerabilities in Cisco Catalyst SD-WAN infrastructure used across US federal networks. The affected technology is widely used to manage distributed enterprise networks, so successful exploitation is a significant threat to key communications infrastructure. CISA director Bobby Kuzma stated that the agency believes these vulnerabilities have been exploited by threat actors to compromise government systems and networks; federal agencies are required to comply with the emergency directives CISA issues when significant cybersecurity threats are identified. The warning centers on a flaw tracked as CVE-2026-20127, described as a critical authentication bypass vulnerability with a CVSS severity score of 10.
Technical Mitigations (AI-generated)
* Implement a patch management system to ensure timely application of security updates and minimize downtime.
* Conduct regular vulnerability assessments and penetration testing to identify potential weaknesses in SD-WAN infrastructure.
* Configure devices with external logging capabilities to collect and store logs, making it easier to detect and respond to potential compromises.
* Establish a centralized incident response plan that includes procedures for collecting artifact evidence, submitting reports to CISA, and investigating potential threats.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: CVE-2026-20122, CVE-2026-20128, CVE-2026-20127, CVE-2022-20775
Target & Sectors: FIVE_EYES; government; technology
Incident Timeline
February 25, 2026
CISA issued an Emergency Directive requiring Federal agencies to inventory Cisco SD-WAN systems, collect forensic artifacts and logs, apply security updates, and investigate potential compromises tied to the CVE-2026-20127 vulnerability.
Entities: CVE-2026-20127 (vulnerability); CVE-2022-20775 (vulnerability); Emergency Directive 26-03; Federal Civilian Executive Branch; Cisco SD-WAN
On February 25, 2026, CISA issued Emergency Directive 26-03 requiring Federal Civilian Executive Branch agencies to inventory Cisco SD-WAN systems, collect forensic artifacts, ensure external log storage, apply updates, and investigate potential compromises tied to CVE-2026-20127 and CVE-2022-20775.
2026-02-25
Threat actors used Cisco's SD-WAN peering authentication mechanism to target the company.
February 25, 2026
Cisco released security patches on February 25 for five Catalyst SD-WAN vulnerabilities.
February 26, 2026
Threat actors used a known vulnerability in Cisco's SD-WAN software to gain unauthorized access and compromise the company's network.
February 27, 2026
Threat actors exploited Cisco SD-WAN vulnerabilities (the affected 20.9 release train) against the involved entities by February 27, 2026.
Entities: CISA; software release 20.9 / 20.9.8.2
CISA said the exploitation poses an imminent threat to federal networks and that devices must be patched by 5:00 PM ET on February 27, 2026.
Version 20.9 - 20.9.8.2 (Estimated release February 27, 2026)
March 5, 2026
Threat actors exploited CVE-2026-20128 and CVE-2026-20122 in Cisco's SD-WAN software; on March 5, Cisco updated its advisory to warn that these two flaws are already being exploited in the wild.
Entities: CVE-2026-20128 (vulnerability); CVE-2026-20122 (vulnerability)
On March 5, the company updated its advisory to warn that two of them, CVE-2026-20128 and CVE-2026-20122, are already being exploited in the wild.
2026-02-10T22:51:36+00:00
Threat actors used a known vulnerability in Cisco SD-WAN to exploit the affected system by targeting users with access to sensitive data.
Entities: auth.log (observable); IP addresses
The company recommends admins audit /var/log/auth.log for entries showing "Accepted publickey for vmanage-admin" from unknown IP addresses:
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from port
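The auth.log review described above, worked through as an added example (this is not Cisco's, Talos's or the quoted articles' code): it parses sshd "Accepted" lines in the format of the sample entry, keeps only the vmanage-admin logins, and reports those whose source address is not one of the configured System IPs. The log lines and the System IP allowlist are constructed sample data; the standard sshd line layout with an ISO timestamp prefix is assumed.

```python
"""Audit an sshd auth.log for successful 'vmanage-admin' public-key logins whose
source IP is not one of the configured System IPs.

Added example, not Cisco's, Talos's or the article's own tooling. It assumes the
standard sshd "Accepted ... from <ip> port <port>" line format shown in the
article's sample entry; the log lines and the System IP allowlist below are
constructed sample data, not real observations.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List

# sshd's "Accepted <method> for <user> from <ip> port <port> ..." line, with the
# ISO timestamp / hostname / pid prefix used in the article's example.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+"
    r"Accepted\s+(?P<method>\S+)\s+for\s+(?P<user>\S+)\s+"
    r"from\s+(?P<ip>[0-9A-Fa-f.:]+)\s+port\s+(?P<port>\d+)"
)

# Constructed sample log: the article's redacted line with placeholder
# addresses filled in, plus unrelated lines that must not be flagged.
SAMPLE_AUTH_LOG = """\
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from 10.10.1.5 port 51522 ssh2: RSA SHA256:[REDACTED KEY]
2026-02-10T22:53:02+00:00 vm sshd[811]: Accepted publickey for vmanage-admin from 198.51.100.23 port 40112 ssh2: RSA SHA256:[REDACTED KEY]
2026-02-10T22:55:10+00:00 vm sshd[820]: Accepted password for admin from 10.10.1.7 port 50001 ssh2
2026-02-10T22:57:41+00:00 vm sshd[833]: Failed publickey for vmanage-admin from 203.0.113.9 port 44000 ssh2
"""

# Constructed: System IPs as they would be read from WebUI > Devices > System IP.
CONFIGURED_SYSTEM_IPS = ["10.10.1.5", "10.10.1.6"]


@dataclass(frozen=True)
class Login:
    timestamp: str
    user: str
    method: str
    source_ip: str
    port: int


def parse_accepted_logins(log_text: str, user: str = "vmanage-admin") -> Iterator[Login]:
    """Yield every successful sshd login for `user`; other users and failures are skipped."""
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m and m.group("user") == user:
            yield Login(m.group("ts"), m.group("user"), m.group("method"),
                        m.group("ip"), int(m.group("port")))


def find_unknown_sources(log_text: str, allowed_ips: Iterable[str],
                         user: str = "vmanage-admin") -> List[Login]:
    """Return logins for `user` whose source address is not in the allowlist.

    Addresses are parsed with ipaddress so the comparison is on address values,
    and a source that does not parse is surfaced rather than silently dropped.
    """
    allowed = {ipaddress.ip_address(ip) for ip in allowed_ips}
    unknown = []
    for login in parse_accepted_logins(log_text, user):
        try:
            src = ipaddress.ip_address(login.source_ip)
        except ValueError:
            unknown.append(login)
            continue
        if src not in allowed:
            unknown.append(login)
    return unknown


if __name__ == "__main__":
    for hit in find_unknown_sources(SAMPLE_AUTH_LOG, CONFIGURED_SYSTEM_IPS):
        print(f"REVIEW {hit.timestamp} {hit.user} via {hit.method} "
              f"from {hit.source_ip}:{hit.port}")
```

In use, the allowlist would be the System IPs taken from the Manager web UI plus known management or controller hosts; anything the script prints is a login to review, not proof of compromise, and a successful login from an expected address still deserves a look if its key fingerprint is not one you recognise.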
2026-03-12
Threat actors used a newly abused flaw in Cisco Catalyst SD-WAN Manager to target systems.
Entities: NCSC; CVE-2026-20127; Cisco Catalyst SD-WAN Controller; Cisco Catalyst SD-WAN; SD-WAN Cloud; Cisco CVE-2026-20127 advisory; CVE-2022-20775; Catalyst SD-WAN Controller
“UK organisations are strongly advised to report compromises to the NCSC, and to apply vendor updates and hardening guidance as soon as practicable to reduce the risk of exploitation.”
CVE-2026-20127 has a maximum severity of 10.0 and impacts Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-prem and SD-WAN Cloud installations.
“A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account.”
“An attacker could exploit this vulnerability by sending crafted requests to an affected system,” reads the Cisco CVE-2026-20127 advisory.
The vulnerability impacts all Cisco Catalyst SD-WAN deployments, regardless of configuration.
The newly abused flaws affect Cisco Catalyst SD-WAN Manager, the platform formerly known as vManage that sits at the center of many organizations' SD-WAN deployments.
Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access.
One is CVE-2022-20775, a path traversal flaw affecting the SD-WAN command-line interface that can lead to privilege escalation, and the other is CVE-2026-20127, a maximum-severity authentication issue affecting the Catalyst SD-WAN Controller and Manager platforms.
Admins should also look for unusually small or missing log files, which may indicate log tampering, and for software downgrades and reboots, which may indicate exploitation of CVE-2022-20775 to gain root privileges.
Indicators of compromise
Cisco and Talos are urging organizations to carefully review logs on any internet-exposed Catalyst SD-WAN Controller systems for signs of unauthorized peering events and suspicious authentication activity.
The flaw affects Catalyst SD-WAN Controller and Manager and allows remote, unauthenticated attackers to bypass authentication and gain full administrative access by sending a crafted request to vulnerable systems.
Entities: CVSS; Admins
The warning centers on a flaw tracked as CVE-2026-20127, described as a critical authentication bypass vulnerability with a CVSS severity score of 10.
One of the bugs, CVE-2026-20122, carries a CVSS score of 7.1 and allows an authenticated remote attacker to overwrite arbitrary files on the local filesystem.
Entities: CVSS score 7.8; CVE-2022-20775; CLI; Cisco SD-WAN
"After successfully compromising a public-facing application, the attackers have been found to leverage the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775 (CVSS score: 7.8), a high-severity privilege escalation bug in the CLI of Cisco SD-WAN Software, and then restoring the software back to the version it was originally running."
Investigators found the group likely downgraded software to escalate privileges to root, exploited CVE-2022-20775, and then restored the original version to maintain stealthy root access.
Entities: Vulnerability / Network Security; Catalyst SD-WAN
Ravie Lakshmanan, Feb 26, 2026, Vulnerability / Network Security
A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has come under active exploitation in the wild as part of malicious activity that dates back to 2023.
Cisco flags ongoing exploitation of two recently patched Catalyst SD-WAN flaws.
Entities: IP addresses; the Cisco Catalyst SD-WAN Manager; web UI
The company has also recommended that customers audit the "/var/log/auth.log" file for entries related to "Accepted publickey for vmanage-admin" from unknown or unauthorized IP addresses.
It's also advised to check the IP addresses in the auth.log log file against the configured System IPs that are listed in the Cisco Catalyst SD-WAN Manager web UI (WebUI > Devices > System IP).
Entities: the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC); Cisco Hosted SD-WAN Cloud - Cisco Managed; Cisco Hosted SD-WAN Cloud - FedRAMP Environment; Cisco
Cisco credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) for reporting the vulnerability.
The shortcoming affects the following deployment types, irrespective of the device configuration:
* On-Prem Deployment
* Cisco Hosted SD-WAN Cloud
* Cisco Hosted SD-WAN Cloud - Cisco Managed
* Cisco Hosted SD-WAN Cloud - FedRAMP Environment
According to information released by the ASD-ACSC, UAT-8616 is said to have compromised Cisco SD-WANs since 2023 via the zero-day exploit, allowing it to gain elevated access.
“Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information, and overwrite arbitrary files,” reads the advisory published by Cisco.
Affected environments include:
* On-Prem deployments
* Cisco Hosted SD-WAN Cloud
* Cisco Hosted SD-WAN Cloud – Cisco Managed
* Cisco Hosted SD-WAN Cloud – FedRAMP
Cisco credited the Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC) for reporting the issue and is tracking related exploitation under the name UAT-8616, describing the actor as highly sophisticated.
Cisco said only that the two freshly disclosed vulnerabilities are currently being exploited, without providing indicators of compromise, attack details, or attribution.
Entities: Cisco SD-WANs; NETCONF; SD-WAN; Data Collection Agent; DCA
"This vulnerability exists because the peering authentication mechanism in an affected system is not working properly," Cisco said in an advisory, adding the threat actor could leverage the non-root user account to access NETCONF and manipulate network configuration for the SD-WAN fabric.
“Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”
The flaw CVE-2026-20128 exposes the Data Collection Agent feature, letting a local authenticated attacker gain DCA privileges, while CVE-2026-20122 allows a remote authenticated attacker to overwrite arbitrary files through the SD-WAN Manager API and escalate privileges.
The second issue, CVE-2026-20128, is a lower-rated information disclosure flaw with a CVSS score of 5.5 that could allow an authenticated local attacker to gain Data Collection Agent (DCA) user privileges on an affected system.
Cisco warns of two more SD-WAN bugs under active attack.
Security officials say the bug could allow an unauthenticated attacker to obtain administrative access to SD-WAN infrastructure.
Entities: BleepingComputer; SSH key fingerprint
“Our new alert makes clear that organisations using Cisco Catalyst SD-WAN products should urgently investigate their exposure to network compromise and hunt for malicious activity, making use of the new threat hunting advice produced with our international partners to identify evidence of compromise," said Ollie Whitehouse, NCSC CTO, in a statement shared with BleepingComputer.
Log line fragment: ssh2: RSA SHA256:[REDACTED KEY]
Administrators should compare those IP addresses against the configured System IPs listed in the SD-WAN Manager interface and against known management or controller infrastructure.
Entities: software release 20.9¹
The vulnerability has been addressed in the following versions of Cisco Catalyst SD-WAN:
Prior to version 20.9¹ - Migrate to a fixed release.
(¹ is a footnote marker carried over from Cisco's fixed-release table.)
Entities: software releases 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, 20.18.2.1; release trains 20.11¹, 20.12.5, 20.12.6, 20.13¹, 20.14¹, 20.15, 20.16¹, 20.18
The flaw has been fixed in updated Cisco Catalyst SD-WAN releases, including: 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, and 20.18.2.1.
Release - Fixed release
Version 20.11¹ - 20.12.6.1
Version 20.12.5 - 20.12.5.3
Version 20.12.6 - 20.12.6.1
Version 20.13¹ - 20.15.4.2
Version 20.14¹ - 20.15.4.2
Version 20.15 - 20.15.4.2
Version 20.16¹ - 20.18.2.1
Version 20.18 - 20.18.2.1
(¹ is a footnote marker carried over from Cisco's fixed-release table.)
"Cisco Catalyst SD-WAN Controller systems that are exposed to the internet and that have ports exposed to the internet are at risk of exposure to compromise," Cisco warned.
Entities: SSH; Network Configuration Protocol (NETCONF, port 830); Critical Infrastructure (CI); software release 20.9.1
Added a Secure Shell Protocol (SSH) authorized key for root access and modified SD-WAN-related start-up scripts to customize the environment.
Used Network Configuration Protocol on port 830 (NETCONF) and SSH to connect to/between Cisco SD-WAN appliances within the management plane.
"UAT-8616's attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors looking to establish persistent footholds into high-value organizations, including Critical Infrastructure (CI) sectors," Talos said.
Customers running versions prior to 20.9.1 are advised to migrate to a patched release.
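The added root SSH authorized key that Talos describes above is the kind of persistence a baseline comparison catches. The following is an added example, not Cisco's or Talos's tooling: it computes the OpenSSH SHA256 fingerprint of every entry in an authorized_keys file (the same value `ssh-keygen -lf` prints) and reports entries whose fingerprint is absent from a recorded known-good baseline. The file contents, the baseline and the /root/.ssh/authorized_keys path are constructed assumptions; the key blobs are base64 of labels, not real key material.

```python
"""Audit an authorized_keys file against a baseline of known-good key
fingerprints, to spot an added root SSH key of the kind Talos describes.

Added example, not Cisco's or Talos's own tooling. The file contents, the
baseline and the path are constructed assumptions; no real key material is used.
"""
import base64
import hashlib
from typing import Iterable, Iterator, List, Tuple

# Key-type tokens OpenSSH accepts in authorized_keys; the base64 blob follows them.
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fingerprint(blob_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: base64 of sha256(raw key blob), padding stripped."""
    raw = base64.b64decode(blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (fingerprint, key_type, comment) for each key line.

    Lines may begin with options such as from="..." or command="..."; the key is
    located by scanning for the first key-type token, so leading options are
    tolerated. Blank lines and '#' comments are skipped.
    """
    for line in text.splitlines():
        tokens = line.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                yield fingerprint(tokens[i + 1]), tok, " ".join(tokens[i + 2:])
                break


def audit_authorized_keys(text: str, baseline: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return the entries in `text` whose fingerprint is not in `baseline`."""
    known = set(baseline)
    return [entry for entry in parse_authorized_keys(text) if entry[0] not in known]


def _blob(label: str) -> str:
    """Constructed stand-in for a key blob: base64 of a label, not a real key."""
    return base64.b64encode(label.encode()).decode()


# Constructed sample of /root/.ssh/authorized_keys (path assumed for illustration).
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample
ssh-ed25519 {_blob("constructed-key-ops")} ops@mgmt
from="10.10.1.5" ssh-rsa {_blob("constructed-key-backup")} backup@mgmt
ssh-ed25519 {_blob("constructed-key-unknown")} persist@unknown
"""

# Constructed baseline: fingerprints recorded while the appliance was known-good.
BASELINE_FINGERPRINTS = {
    fingerprint(_blob("constructed-key-ops")),
    fingerprint(_blob("constructed-key-backup")),
}


if __name__ == "__main__":
    for fp, ktype, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS,
                                                    BASELINE_FINGERPRINTS):
        print(f"UNEXPECTED KEY {ktype} {fp} {comment!r}")
```

The baseline has to be captured from a trusted state (for example a fresh deployment or a golden image) and stored off the appliance, since an actor with root can edit the file and the baseline alike; the same fingerprint function lets you match a flagged key against the `RSA SHA256:` value that sshd writes into auth.log on each accepted login.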
Entities: National Cyber Security Centre
At the time, Britain's National Cyber Security Centre said miscreants were compromising SD-WAN deployments used by organizations worldwide.
March 23, 2026
Threat actors exploited Cisco SD-WAN vulnerabilities to compromise government systems and networks.
Entities: Cisco SD-WAN; Kuzma
“While contractors and civilian organizations are not required or requested to follow similar collection steps, if you have Cisco SD-WAN appliances in your environment, this is a good time to collect artifacts and review patch statuses and logs,” Kuzma added.
March 2026
Threat actors have already exploited the vulnerabilities described in CVE-2026-20128 and CVE-2026-20122.
Entities: CVE-2026-20128 (vulnerability); CVE-2026-20122 (vulnerability)
In an advisory published this week, Cisco confirmed that attackers are already abusing the flaws: "In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only."
March 26, 2026
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to affected organizations due to newly discovered vulnerabilities in Cisco's SD-WAN products.
Tactical Metrics
After successfully compromising a public-facing application, the attackers have been found to leverage the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775 (CVSS score: 7.8), a high-severity privilege escalation bug in the CLI of Cisco SD-WAN Software, and then restoring the software back to the version it was originally running.
The vulnerability has been addressed in the following versions of Cisco Catalyst SD-WAN:
Prior to version 20.91 - Migrate to a fixed release.
Version 20.9 - 20.9.8.2 (Estimated release February 27, 2026)
Version 20.111 - 20.12.6.1
Version 20.12.5 - 20.12.5.3
Version 20.12.6 - 20.12.6.1
Version 20.131 - 20.15.4.2
Version 20.141 - 20.15.4.2
Version 20.15 - 20.15.4.2
Version 20.161 - 20.18.2.1
Version 20.18 - 20.18.2.1
"Cisco Catalyst SD-WAN Controller systems that are exposed to the internet and that have ports exposed to the internet are at risk of exposure to compromise," Cisco warned.
The flaw has been fixed in updated Cisco Catalyst SD-WAN releases, including: 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, and 20.18.2.1.
Customers running versions prior to 20.9.1 are advised to migrate to a patched release.
Intelligence Sources
BleepingComputer, 2026-02-25: Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023
The Hacker News, 2026-02-26
Security Affairs, 2026-03-06
The Register - Cybercrime, 2026-03-06: Cisco warns of two more SD-WAN bugs under active attack
Infosecurity-Magazine, 2026-03-12: CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T10:41
Comprehensive Tactical Telemetry
Highly Correlated Entities
49x organisation (Identified Entity): NCSC
16x timeline (Temporal Reference): February 25, 2026
15x attribution (Attributing Entity): National Cyber Security Centre
15x infrastructure (Software Version): 7.8
4x vulnerability (Exploited CVE): CVE-2026-20127
3x general metric (20.15.4.2): 20
3x vulnerability (CVSS Score): 10
2x source region (Origin Country): United Kingdom
2x industry (Targeted Sector): Government
2x tactic (MITRE ATT&CK Technique): T1592.002 - Software
2x general metric (20.18.2.1): 20
Contextual Telemetry (Context Block, 10 metrics)
target region (Target Country): United Kingdom
general metric (Threat Actor): 20,775
general metric (Emergency Directive): 26
tactic (Cyber Operation Type): Privilege Escalation
general metric (Score): 8
general metric (Migrate): 21
general metric (20.9.8.2): 21
general metric (20.12.6.1): 20
general metric (Next Hours): 24
target region (Target Region): FIVE_EYES