Cisco SD-WAN Zero-Day Exploited for Three Years Before Patch, CISA Issues Emergency Directive
A maximum-severity authentication bypass in Cisco Catalyst SD-WAN has been actively exploited since 2023 by a sophisticated threat actor, prompting a CISA emergency directive requiring federal agencies to patch or disconnect affected systems.
Cisco disclosed on February 25, 2026 that a maximum-severity vulnerability in its Catalyst SD-WAN Controller and Manager products had been actively exploited in the wild since at least 2023 — three years before a patch became available. The flaw, tracked as CVE-2026-20127, carries a CVSS score of 10.0 and allows an unauthenticated remote attacker to bypass authentication and gain administrative privileges simply by sending crafted requests to an exposed device.
The same day Cisco released patches, the U.S. Cybersecurity and Infrastructure Security Agency issued Emergency Directive 26-03, ordering all Federal Civilian Executive Branch agencies to take phased action on a tight timeline. By 11:59 PM ET on February 26, agencies were required to inventory all affected SD-WAN systems, collect forensic artifacts, ensure logs were stored externally, and submit an initial summary report to CISA. A separate deadline of 5:00 PM ET on February 27 required agencies to apply Cisco patches for CVE-2026-20127 and CVE-2022-20775. Further compliance deadlines extend into early March: a detailed inventory and documentation submission is due March 5, and a network hardening report is due March 12.
A Three-Year Blind Spot in Enterprise Networking
The vulnerability affects two cornerstone products in Cisco’s SD-WAN platform: the Catalyst SD-WAN Controller (formerly known as vSmart) and the Catalyst SD-WAN Manager (formerly vManage). Both serve as the nerve centers of software-defined wide-area networks, handling policy orchestration and device management across distributed enterprise environments.
According to Cisco’s Talos threat intelligence team, the exploitation campaign has been attributed with high confidence to a group tracked as UAT-8616, described as “a highly sophisticated cyber threat actor.” Cisco has not publicly linked UAT-8616 to a specific nation-state, though the group’s methods and targets are consistent with advanced persistent threat operations aimed at strategic network infrastructure.
The root cause of CVE-2026-20127 is a flaw in the SD-WAN platform’s peering authentication mechanism, which, as Tenable researchers noted, “is not working properly.” By sending specially crafted requests, an attacker can log into an affected device as a high-privileged user without any credentials.
How UAT-8616 Operated Inside Targeted Networks
Once inside, UAT-8616 followed a multi-stage intrusion chain designed to establish long-term persistence. According to SOC Prime’s analysis, the group’s post-exploitation playbook included:
- Adding a rogue peer device to the SD-WAN fabric, giving attackers a persistent foothold within the network’s management and control planes
- Using NETCONF protocol access to manipulate device configuration
- Chaining CVE-2026-20127 with a second vulnerability, CVE-2022-20775, through version downgrade and restoration sequences to escalate privileges to root
- Purging system logs and modifying startup scripts to cover their tracks and survive reboots
The combination of authentication bypass, configuration manipulation, and privilege escalation gave attackers the ability to intercept, redirect, or disrupt traffic crossing the compromised SD-WAN fabric — a level of access with serious implications for enterprises and government agencies relying on Cisco’s platform for secure wide-area connectivity.
Security teams investigating potential compromises have been directed to audit specific log files on affected systems, including /var/log/auth.log for suspicious entries such as “Accepted publickey for vmanage-admin” originating from unknown IP addresses, as well as debug logs that may reveal downgrade or reboot activity used in the persistence chain.
No Workarounds: Patching Is the Only Fix
Cisco confirmed that no workarounds exist that fully address CVE-2026-20127. The only complete remediation is upgrading to a fixed software release. Affected versions span releases prior to 20.9.1 through 20.18, with some versions — including 20.11, 20.13, 20.14, and 20.16 — having reached end-of-maintenance status, complicating patching for organizations running older deployments.
The vulnerability affects multiple deployment models, including on-premises installations, Cisco-hosted SD-WAN Cloud environments (standard, managed, and FedRAMP variants). CISA and NSA, alongside international cybersecurity agencies, jointly released a threat-hunting guide to assist network defenders in identifying signs of compromise.
Both CVE-2026-20127 and the chained privilege-escalation flaw CVE-2022-20775 have been added to CISA’s Known Exploited Vulnerabilities catalog. Under Binding Operational Directive 22-01, federal agencies are required to remediate all KEV-listed vulnerabilities on a defined schedule.
Implications for Enterprise SD-WAN Security
The disclosure highlights a persistent challenge in securing network control-plane infrastructure: vulnerabilities in management systems like SD-WAN controllers can undermine the security of an entire enterprise network without triggering conventional endpoint-focused defenses. SD-WAN platforms are increasingly deployed at scale in government agencies, financial institutions, healthcare networks, and multinational corporations, making a CVSS 10.0 flaw in their management layer a high-value target for sophisticated threat actors.
The three-year gap between initial exploitation and public disclosure — and the subsequent patch — also underscores the difficulty of attributing and detecting advanced intrusions against network infrastructure, where attackers can operate quietly within management channels while blending into legitimate administrative activity.