Cisco Talos disclosed that a sophisticated threat actor exploited a critical authentication bypass in Cisco Catalyst SD-WAN for at least three years, allowing unauthenticated attackers to gain administrative privileges and add rogue peers to enterprise networks. The campaign, attributed to UAT-8616 and tracked as CVE-2026-20127, included a downgrade-exploit-restore escalation leveraging CVE-2022-20775 and prompted emergency directives and patches from Cisco, CISA and international partners.
Key points
- The authentication bypass in Cisco Catalyst SD-WAN (CVE-2026-20127) enabled unauthenticated administrative access and rogue peer insertion.
- Talos attributes the activity to threat actor UAT-8616, which targeted network edge devices to establish persistent footholds in critical organizations.
- Attackers used a downgrade-exploit-restore technique to escalate to root by exploiting CVE-2022-20775 and then restored software to evade detection.
- CISA issued Emergency Directive 26-03 and added the CVEs to its KEV catalog while Cisco released patches as the only full remediation.
- High-fidelity indicators include unexpected peering events, malicious user accounts with cleared history, unauthorized SSH keys, and unexplained interactive root sessions.
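Of the indicators listed above, unauthorized SSH keys are the one a defender can check mechanically on any Linux-based host. The following script is an added example, not code from Talos, Cisco or the linked article: it parses an authorized_keys file, computes each key's OpenSSH-style SHA256 fingerprint, and reports every key that is not on an approved allowlist. The key blobs, the sample file and the allowlist are constructed stand-ins; the page gives no SD-WAN-specific file paths or formats, so the example assumes the standard OpenSSH authorized_keys layout.

```python
import base64
import hashlib

# Constructed sample data (not from the page): fake key blobs standing in for
# real public-key material, and an authorized_keys file built from them.
APPROVED_BLOB = base64.b64encode(b"constructed approved key material").decode()
ROGUE_BLOB = base64.b64encode(b"constructed unapproved key material").decode()

SAMPLE_AUTHORIZED_KEYS = f"""# managed by config management
ssh-ed25519 {APPROVED_BLOB} ops-jump-host
command="/bin/false",no-pty ssh-rsa {ROGUE_BLOB} added-by-nobody
"""

# Prefixes of the key-type token in an OpenSSH authorized_keys line.
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in OpenSSH's 'SHA256:<base64 without padding>' form."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) per key line, tolerating an options prefix.

    Options containing whitespace inside quotes are not handled; an audit tool
    for production use would need a proper tokenizer for that case.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Skip the optional options field (e.g. command="...") to find the key type.
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line: no key material present
        yield tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])


def audit_authorized_keys(text: str, approved: set) -> list:
    """Return one finding per key whose fingerprint is not on the allowlist."""
    findings = []
    for key_type, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp not in approved:
            findings.append({"type": key_type, "fingerprint": fp, "comment": comment})
    return findings


if __name__ == "__main__":
    # The allowlist would normally come from configuration management; here it
    # is built from the constructed approved key.
    allowlist = {fingerprint(APPROVED_BLOB)}
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, allowlist):
        print(f"UNAPPROVED {finding['type']} {finding['fingerprint']} "
              f"({finding['comment'] or 'no comment'})")
```

Comparing fingerprints rather than raw blobs keeps the allowlist short and matches what `ssh-keygen -lf` prints, so a finding can be cross-checked by hand. Run it against every local account's authorized_keys file, not only root's, since the indicator is about keys nobody provisioned rather than about a particular user.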
Read More: https://thecyberexpress.com/hackers-exploited-cisco-sd-wan-zero-day/