What It Is
A critical vulnerability designated as CVE-2026-20127 has been actively exploited in the wild. This flaw has a maximum CVSS severity score of 10.0 and allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on affected systems. A second, high-severity privilege escalation bug in the CLI of Cisco SD-WAN Software, CVE-2022-20775, with a CVSS score of 7.8, has been used in the attack chain. The activity has been attributed to threat actor group UAT-8616 and was reported by the Australian Signals Directorate's Australian Cyber Security Centre.
Who Is Affected
The vulnerability affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, specifically their peering authentication mechanism. Affected release trains include 20.9, 20.12, 20.15, and 20.18 prior to their respective fixed releases. Organisations running these vulnerable versions are at risk.
Cisco has released fixes for the vulnerability. Affected systems should be updated to the following fixed versions: 20.9.8.2, 20.12.6.1, 20.12.5.3, 20.15.4.2, or 20.18.2.1.
How It Works
The attack begins by exploiting the CVE-2026-20127 zero-day to gain elevated access. In documented attacks, the initial compromise involves an unauthenticated remote attacker bypassing authentication and obtaining administrative privileges by sending a crafted request. Once initial access is achieved, threat actors have been found to log in to the system as an internal, high-privileged, non-root user account.
In observed incidents, attackers then leverage this access to create a rogue peer joined to the network management plane, or control plane. They also manipulate the network configuration for the SD-WAN fabric. To establish persistence, attackers have been seen to create local user accounts that mimicked other local user accounts and add a Secure Shell Protocol (SSH) authorised key for root access.
Subsequently, in the attack chain, threat actors escalate to the root user by exploiting the previously mentioned authenticated local CLI vulnerability, CVE-2022-20775. With root access, they have been observed modifying SD-WAN-related start-up scripts to customise the environment. Attackers use the Network Configuration Protocol (NETCONF, port 830) and SSH to connect to and between Cisco SD-WAN appliances within the management plane. A key evasion technique involves leveraging the built-in update mechanism to stage a software version downgrade. After completing their objectives, attackers have reportedly restored the software to the version it was originally running to hide their activity. Finally, there is clear evidence of the intrusion being concealed by purging logs under '/var/log', command history, and network connection history.
What To Do
The primary mitigation is to migrate affected systems to the fixed software versions: 20.9.8.2, 20.12.6.1, 20.12.5.3, 20.15.4.2, or 20.18.2.1.
A number of detection and investigation steps are also recommended. Organisations should audit the "/var/log/auth.log" file for entries related to "Accepted publickey for vmanage-admin" from unknown or unauthorised IP addresses. Additionally, it is advised to check the IP addresses found in the auth.log file against the configured System IPs that are listed in the Cisco Catalyst SD-WAN Manager web UI.
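As an added example, not from the advisory or from Cisco: a small Python script that implements the auth.log check above, flagging successful key-based logins as vmanage-admin whose source IP is not a configured System IP. It assumes the standard OpenSSH syslog message format for accepted logins, and both the sample log lines and the System IP allowlist are constructed for the example; on a real host you would pass the path to /var/log/auth.log and replace the allowlist with the System IPs shown in the SD-WAN Manager web UI.

```python
import re
import sys

# Constructed sample auth.log lines in OpenSSH syslog format (not from the advisory).
SAMPLE_AUTH_LOG = """\
Feb  3 10:15:22 vmanage sshd[2041]: Accepted publickey for vmanage-admin from 10.10.1.11 port 41234 ssh2: RSA SHA256:aaaa
Feb  3 10:17:05 vmanage sshd[2077]: Accepted publickey for vmanage-admin from 10.10.1.12 port 41310 ssh2: RSA SHA256:bbbb
Feb  3 10:31:48 vmanage sshd[2190]: Accepted publickey for vmanage-admin from 203.0.113.7 port 55120 ssh2: RSA SHA256:cccc
Feb  3 10:40:02 vmanage sshd[2233]: Accepted password for admin from 10.10.1.11 port 41400 ssh2
"""

# Constructed allowlist standing in for the System IPs configured in SD-WAN Manager.
CONFIGURED_SYSTEM_IPS = {"10.10.1.11", "10.10.1.12", "10.10.1.13"}

# Matches the OpenSSH "Accepted publickey" message and captures user, source IP and port.
ACCEPTED_KEY_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def find_unexpected_admin_logins(lines, system_ips, user="vmanage-admin"):
    """Return (timestamp, ip, port) for every key-based login as `user`
    whose source IP is not in the set of configured System IPs."""
    hits = []
    for line in lines:
        m = ACCEPTED_KEY_RE.search(line)
        if not m or m.group("user") != user:
            continue          # not a key login, or a different account
        if m.group("ip") in system_ips:
            continue          # expected peer: a configured System IP
        timestamp = line[:15]  # syslog "Mon DD HH:MM:SS" prefix
        hits.append((timestamp, m.group("ip"), int(m.group("port"))))
    return hits


if __name__ == "__main__":
    # Read a real auth.log if a path is given, otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_AUTH_LOG.splitlines()
    for ts, ip, port in find_unexpected_admin_logins(log_lines, CONFIGURED_SYSTEM_IPS):
        print(f"{ts}  unexpected vmanage-admin key login from {ip}:{port}")
```

Any line it prints is a candidate for the cross-check against the System IPs listed in the Manager UI, not proof of compromise on its own.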
To check for evidence of a version downgrade and unexpected reboot events, security teams should review SD-WAN debug logs and collect admin-tech outputs. Finally, federal agencies are required to inventory their SD-WAN devices as part of the mitigation effort.