INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Cisco SD-WAN Vulnerability Exploitation
2026-02-26 11:34 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
A critical vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, has been exploited as a zero-day in active attacks that compromise controllers, insert rogue devices into the network and escalate privileges to root. The flaw, rated CVSS 10.0, affects Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in both on-premises and cloud deployments: an unauthenticated remote attacker sends a crafted request to the controller's peer-authentication mechanism and obtains a high-privilege, non-root internal account. Root access was likely obtained by downgrading the software to an earlier vulnerable version, exploiting CVE-2022-20775, and then restoring the original version, a sequence that also erases much of the forensic evidence. Cisco Talos attributes the activity to UAT-8616. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive requiring federal agencies to inventory all Cisco SD-WAN systems, collect forensic artifacts, ensure logs are stored externally, apply security updates, and analyze possible compromises related to CVE-2026-20127 and CVE-2022-20775. Entries in /var/log/auth.log such as "Accepted publickey for vmanage-admin" from an address that is not a documented System IP indicate the vulnerability has been exploited, and any controller showing them should be treated as compromised. Because SD-WAN controllers sit at the centre of distributed networks, this poses a significant threat to organizations relying on these products.
Technical Mitigations (AI-generated)
* Apply Cisco's fixed releases: update Cisco Catalyst SD-WAN Controller and Manager to versions that address CVE-2026-20127 and CVE-2022-20775. Because the observed attack chain depends on downgrading to a vulnerable release, alert on every software downgrade and unscheduled reboot; the advisory lists both as signals of CVE-2022-20775 exploitation.
* Limit exposure of the peering interface: the flaw is in the controller's own peer authentication, so no authentication setting substitutes for the patch. Until the fix is applied, keep controller control-plane interfaces off the open Internet where possible, restrict which addresses can reach them, and follow the Cisco Catalyst SD-WAN hardening guide.
* Monitor logs and network traffic, and keep logs off-box: forward /var/log/auth.log, SD-WAN system notifications and control-connection peering events to external storage so that an attacker with root on the controller cannot truncate them. Review every peering event against maintenance windows and documented System IPs, and open a Cisco TAC case if an unauthorized address authenticated.
* Enforce least privilege and separation of duties: limit the accounts with administrative rights on controllers, restrict root and vmanage-admin SSH access to documented keys, and review authorized_keys files for entries nobody can account for.
* Keep software versions and configuration under change control: record the expected release and configuration of every controller so that unauthorized downgrades, reboots, new accounts or new SSH keys stand out as deviations rather than blending into routine operations.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2022-20775
CVE-2026-20127
Target & Sectors
LA
technology
Incident Timeline
February 25, 2026
Threat actors exploited vulnerabilities affecting Cisco software-defined wide-area network (SD-WAN) systems.
On February 25, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre warned that vulnerabilities affecting Cisco software-defined wide-area network (SD-WAN) systems (CVE-2026-20127 and CVE-2022-20775) are actively being exploited.
February 26, 2026
A malicious actor exploited a critical vulnerability in Cisco Catalyst SD-WAN, allowing the attacker to compromise controllers and insert malicious devices into the network.
Cisco SD-WAN vulnerabilities (CVE-2026-20127, CVE-2022-20775) are in active exploitation. Cisco Talos is tracking the active exploitation of CVE-2026-20127, a vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart) that allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on the affected system by sending a crafted request to it. With a maximum CVSS score of 10.0, CVE-2026-20127 affects Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage), in both on-premises deployments and SD-WAN Cloud environments. Talos tracks the activity as active exploitation of Cisco Catalyst SD-WAN by UAT-8616.
The zero-day attacks let remote actors compromise controllers, insert malicious devices into the network and escalate privileges to root. The actor reportedly exploited CVE-2022-20775 before restoring the original software version, effectively gaining root access: the company's intelligence partners note that the actor probably obtained root by downgrading the firmware to an earlier vulnerable version, exploiting CVE-2022-20775, and then restoring the original version. Software downgrades and unscheduled reboots can therefore signal exploitation of CVE-2022-20775. The issue poses a significant security risk because of the central role that SD-WAN technologies play in distributed network environments.
Initial Peering Event Analysis
The initial and most critical activity to look for is any control connection peering event identified in Cisco Catalyst SD-WAN logs, as this may indicate an attempt at initial access via CVE-2026-20127.
Additional Investigative Guidance
The following may be high-fidelity indicators of a successful compromise by UAT-8616 in an SD-WAN infrastructure setup: creation, usage and deletion of malicious user accounts, including otherwise absent bash_history and cli-history.
Cisco warns of a critical SD-WAN vulnerability exploited in real attacks.
Recommended actions
Counter Threat Unit™ (CTU) researchers recommend that all organizations identify vulnerable SD-WAN systems in their environments and apply the mitigations outlined in the Cisco Talos advisory as appropriate. It is strongly recommended that any customers who are utilizing the Cisco Catalyst SD-WAN technology follow the guidance provided in the hardening guide. Customer support is also available by initiating a TAC request.
Sophos protections
SophosLabs has developed the following IPS rules to detect activity associated with these threats:
65938 - SERVER-OTHER TRUFFLEHUNTER SFVRT-1058 attack attempt
65958 - SERVER-OTHER TRUFFLEHUNTER SFVRT-1058 attack attempt
Successful exploitation may allow the attacker to gain administrative privileges on the Controller as an internal, high-privileged, non-root user account. UAT-8616's attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors looking to establish persistent footholds into high-value organizations, including Critical Infrastructure (CI) sectors.
Threat actors who compromise Cisco Catalyst SD-WAN infrastructure often establish unauthorized peer connections that may appear superficially normal but occur at unexpected times, originate from unrecognized IP addresses, or involve device types inconsistent with the environment's architecture.
Validation Checklist Items Include
Verify the timestamp of each peering event against known maintenance windows, scheduled configuration changes, and normal operational hours for your environment.
Validate that the peer system IP matches documented device assignments within your Cisco Catalyst SD-WAN topology.
A key indicator is the presence in /var/log/auth.log of entries such as:
Accepted publickey for vmanage-admin from [unknown IP]
The IP addresses should be compared with the System IPs configured in SD-WAN Manager and with
Other indicators include suspicious account creation and deletion, unexpected root logins, SSH keys
Interactive root sessions on production systems, including unaccounted SSH keys, known hosts and bash history. For example:
Notification: system-login-change severity-level:minor host-name:"<node_name>" system-ip:<IP> user-name:""root""
SSH keys in /home/root/.ssh/authorized_keys with "PermitRootLogin" set to "yes" in /etc/ssh/sshd_config
Known hosts in /home/root/.ssh/known_hosts
Unauthorized or unaccounted SSH keys ("authorized_keys") for the "vmanage-admin" account: /home/vmanage-admin/.ssh/authorized_keys/
Abnormally small logs, including absent logs or logs of 0, 1 or 2 bytes.
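The log review described above, as an added example that is not code from Cisco, Talos, Sophos or any of the page's sources. It parses two line shapes quoted on this page, the sshd "Accepted ..." entry from /var/log/auth.log and the system-login-change notification, and flags logins from addresses that are not documented System IPs, logins outside a maintenance window, and root sessions. The inventory of System IPs, the maintenance window and the sample log lines are assumptions constructed for the example, not data from a real controller.

```python
import ipaddress
import re
from datetime import datetime, time

# Constructed inventory (assumption): System IPs documented in SD-WAN Manager.
KNOWN_SYSTEM_IPS = {ipaddress.ip_address(a) for a in ("10.1.1.1", "10.1.1.2", "10.1.1.3")}
# Constructed maintenance window (assumption), controller local time.
MAINT_START, MAINT_END = time(1, 0), time(3, 0)

# OpenSSH "Accepted ..." line as sshd writes it to /var/log/auth.log.
SSHD_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s(?P<hms>\d\d:\d\d:\d\d)\s\S+\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\w+)\sfor\s(?P<user>\S+)\sfrom\s(?P<ip>[0-9a-fA-F.:]+)"
)
# SD-WAN notification line in the shape quoted by the advisory (doubled quotes kept as printed there).
NOTIF_RE = re.compile(
    r'^Notification:\s(?P<event>[\w-]+)\s.*?system-ip:(?P<ip>[0-9.]+)\s+user-name:"+(?P<user>[^"]*)"+'
)


def outside_window(hms):
    """True when an HH:MM:SS timestamp falls outside the maintenance window."""
    t = datetime.strptime(hms, "%H:%M:%S").time()
    return not (MAINT_START <= t <= MAINT_END)


def triage(lines):
    """Return (line, reasons) for every event an analyst should review."""
    findings = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            reasons = []
            if ipaddress.ip_address(m["ip"]) not in KNOWN_SYSTEM_IPS:
                reasons.append(f"source {m['ip']} is not a documented System IP")
            if outside_window(m["hms"]):
                reasons.append(f"login at {m['hms']} is outside the maintenance window")
            if m["user"] == "root":
                reasons.append("interactive root session")
            if reasons:
                findings.append((line, reasons))
            continue
        n = NOTIF_RE.match(line)
        if n and n["event"] == "system-login-change" and n["user"] == "root":
            findings.append((line, [f"system-login-change for root on {n['ip']}"]))
    return findings


# Constructed sample lines (not captured from a real controller).
SAMPLE_LINES = [
    "Feb 25 02:10:41 vmanage sshd[2210]: Accepted publickey for vmanage-admin from 10.1.1.2 port 40212 ssh2: ED25519 SHA256:aaaa",
    "Feb 25 14:33:07 vmanage sshd[3188]: Accepted publickey for vmanage-admin from 203.0.113.7 port 51234 ssh2: ED25519 SHA256:bbbb",
    "Feb 25 14:35:12 vsmart-1 sshd[3190]: Accepted password for root from 203.0.113.7 port 51240 ssh2",
    'Notification: system-login-change severity-level:minor host-name:"vsmart-1" system-ip:10.1.1.1 user-name:""root""',
    'Notification: system-login-change severity-level:minor host-name:"vsmart-1" system-ip:10.1.1.1 user-name:""admin""',
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES):
        print(line)
        for reason in reasons:
            print("  -", reason)
```

The first sample line (a documented System IP, inside the window, non-root) produces no finding; the other three do. In production the System IP set should be exported from SD-WAN Manager rather than typed in, and the script should run over logs forwarded off-box, since the advisory notes the intruder truncates on-box logs to 0, 1 or 2 bytes.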
Talos Coverage
Talos is releasing the following Snort coverage for this threat and associated vulnerability:
The alert, published by Cisco, has triggered emergency directives in the United States and coordinated warnings with the United Kingdom in the face of the risk
The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate, and its exploitation has been tracked by Talos under the name UAT-8616, attributed with high confidence to a highly sophisticated actor.
Authentication failure in the peering mechanism
The root of the problem lies in a defective peering authentication mechanism. According to the official advisory, the authentication system between SD-WAN devices "does not work correctly", which allows an attacker to send crafted requests to the affected controller. If exploitation succeeds, the attacker can authenticate as an internal high-privilege user (though not root initially) on the SD-WAN controller. In practical terms the impact is critical: an attacker can insert a rogue peer, that is, a malicious device that appears legitimate within the SD-WAN environment.
Escalation to root and forensic evasion
The severity increases with the finding that the attacks are not limited to the initial authentication. The company's intelligence partners note that the actor probably obtained root access by downgrading the firmware to an earlier vulnerable version, exploiting CVE-2022-20775, and then restoring the original version. This pattern is especially concerning from a forensic standpoint: by reinstalling the original firmware after exploitation, the attacker gains root privileges while reducing the likelihood of detection.
Indicators of compromise: what SOC teams should review
Cisco and Talos recommend thoroughly reviewing the logs of any Internet-exposed SD-WAN controller. A key indicator is the presence in /var/log/auth.log of entries such as "Accepted publickey for vmanage-admin from [unknown IP]"; the addresses must be compared with the System IPs configured in SD-WAN Manager. Other indicators include suspicious account creation and deletion, unexpected root logins and unexplained SSH keys. If an unauthorized IP managed to authenticate, the system must be considered compromised and a case opened with Cisco TAC.
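The host artifacts listed under the investigative guidance (PermitRootLogin, root and vmanage-admin authorized_keys, root known_hosts, absent bash_history, 0/1/2-byte logs), checked as an added example that is not code from Cisco, Talos or the page's other sources. The audit runs against a directory tree so it can be pointed at a mounted disk image as well as a live controller; the file paths are the ones the advisory names, the approved vmanage-admin key is an assumption, and the sample tree is constructed to show every indicator at once (the key blobs are placeholders, not real SSH keys).

```python
import base64
import hashlib
import tempfile
from pathlib import Path


def _blob(raw):
    # Constructed stand-in for an SSH public key blob (not a real key).
    return base64.b64encode(raw).decode()


# Assumption: the key SD-WAN Manager legitimately provisions for vmanage-admin.
APPROVED_VMANAGE_ADMIN_BLOBS = [_blob(b"constructed-manager-key-1")]


def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


APPROVED_FPS = {fingerprint(b) for b in APPROVED_VMANAGE_ADMIN_BLOBS}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def authorized_key_fps(path):
    """Fingerprints of every key in an authorized_keys file (an options prefix is tolerated)."""
    if not path.is_file():
        return []
    fps = []
    for line in path.read_text().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens[:-1]):
            if tok.startswith(KEY_TYPES):
                fps.append(fingerprint(tokens[i + 1]))
                break
    return fps


def permit_root_login(sshd_config):
    """Effective PermitRootLogin value; sshd honours the first occurrence."""
    if not sshd_config.is_file():
        return None
    for line in sshd_config.read_text().splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].strip().lower()
    return None


def audit(root, expected_logs=("auth.log", "messages")):
    """Return (kind, detail) findings for the artifacts the advisory lists, in a fixed order."""
    findings = []
    if permit_root_login(root / "etc/ssh/sshd_config") == "yes":
        findings.append(("permit_root_login", "PermitRootLogin yes in /etc/ssh/sshd_config"))
    root_fps = authorized_key_fps(root / "home/root/.ssh/authorized_keys")
    if root_fps:
        findings.append(("root_authorized_keys", ", ".join(root_fps)))
    known_hosts = root / "home/root/.ssh/known_hosts"
    if known_hosts.is_file() and known_hosts.stat().st_size > 0:
        findings.append(("root_known_hosts", "/home/root/.ssh/known_hosts is populated"))
    for fp in authorized_key_fps(root / "home/vmanage-admin/.ssh/authorized_keys"):
        if fp not in APPROVED_FPS:
            findings.append(("unapproved_vmanage_admin_key", fp))
    for name in expected_logs:  # absent or 0/1/2-byte logs
        log = root / "var/log" / name
        if not log.is_file() or log.stat().st_size <= 2:
            findings.append(("truncated_log", name))
    for home in sorted(p for p in (root / "home").iterdir() if p.is_dir()):
        if not (home / ".bash_history").exists():
            findings.append(("missing_bash_history", home.name))
    return findings


def build_sample_tree(base):
    """Constructed controller filesystem exhibiting every indicator."""
    rogue = _blob(b"constructed-attacker-key")
    files = {
        "etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
        "home/root/.ssh/authorized_keys": f"ssh-ed25519 {rogue} attacker@host\n",
        "home/root/.ssh/known_hosts": f"203.0.113.7 ssh-ed25519 {rogue}\n",
        "home/vmanage-admin/.ssh/authorized_keys":
            f"ssh-ed25519 {APPROVED_VMANAGE_ADMIN_BLOBS[0]} vmanage\nssh-ed25519 {rogue} attacker@host\n",
        "home/vmanage-admin/.bash_history": "show running-config\n",
        "home/admin/.bash_history": "show control connections\n",
        "var/log/auth.log": "",  # zero-byte log: wiped by the intruder
        "var/log/messages": "Feb 25 14:40:01 vsmart-1 confd: reload\n",  # constructed line
    }
    for rel, content in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return base


def run_demo():
    return audit(build_sample_tree(Path(tempfile.mkdtemp())))


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(f"{kind:<28} {detail}")
```

Against the sample tree the audit reports six findings: PermitRootLogin yes, a key in root's authorized_keys, a populated root known_hosts, one vmanage-admin key whose fingerprint is not on the approved list (the Manager-provisioned key passes), a zero-byte auth.log, and a root account with no .bash_history. Every finding is a prompt for the advisory's next step, treating the controller as compromised and opening a TAC case, not a verdict on its own; an empty known_hosts or a present bash_history proves nothing, because the actor is reported to clean up after itself.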
Intelligence Sources
Sophos News, 2026-02-26
Talos Intelligence, 2026-02-25: Active exploitation of Cisco Catalyst SD-WAN by UAT-8616
Bit Life Media, 2026-02-26
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T07:27