Cisco Warns of SD-WAN Flaw Exploitation
What happened
Cisco is flagging ongoing exploitation of two recently patched vulnerabilities in its Catalyst SD-WAN products. The flaws allow attackers to bypass authentication, making identity controls on these devices critical. This puts a spotlight on the need for Splunk detection rules that monitor for anomalous access and configuration changes on network controllers.
Why it matters
The primary vulnerability, CVE-2026-20127, carries a CVSS score of 10.0, allowing an unauthenticated, remote attacker to completely bypass authentication. This flaw exists because the peering authentication mechanism in Cisco Catalyst SD-WAN Manager and Controller components does not function correctly. Attackers exploiting this flaw can gain administrative privileges, enabling them to manipulate SD-WAN network configurations, insert rogue peer devices, and control network traffic. This access can then be used to establish encrypted malicious connections for lateral movement throughout an organization's infrastructure.
A threat actor designated UAT-8616 is actively exploiting this zero-day vulnerability. Two other vulnerabilities, CVE-2026-20122 and CVE-2026-20128, are also being actively exploited in the wild. CVE-2026-20122 is an arbitrary file overwrite flaw, while CVE-2026-20128 is an information disclosure vulnerability; both require an attacker to have already gained some level of authenticated access.
This identity-based attack directly undermines the DoD's Zero Trust "User" pillar, which mandates continuous verification of all users to enforce least-privilege access. The compromise of these internet-facing edge devices reinforces the ZT tenet to "assume breach" and highlights
Key numbers
- The primary vulnerability, CVE-2026-20127, carries a CVSS score of 10.0, allowing an unauthenticated, remote attacker to completely bypass authentication.
- A threat actor designated UAT-8616 is actively exploiting this zero-day vulnerability.
- Two other vulnerabilities, CVE-2026-20122 and CVE-2026-20128, are also being actively exploited in the wild.
- CVE-2026-20122 is an arbitrary file overwrite flaw, while CVE-2026-20128 is an information disclosure vulnerability; both require an attacker to have already gained some level of authenticated access.
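The monitoring the summary calls for (anomalous access, configuration changes and unexpected peers on the controller) can be expressed as a baseline check over controller events. This is an added example, not Cisco's or the article's code; the JSON event schema, field names, peer inventory, management network and sample events are all constructed assumptions.

```python
import ipaddress
import json

# Constructed inventory (assumption): peers the operator provisioned and
# networks administrators are expected to connect from.
KNOWN_PEERS = {"10.0.0.11", "10.0.0.12"}
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample events in a hypothetical JSON schema; real controller
# logs use different field names and must be mapped to these first.
SAMPLE_LOG = """\
{"ts": 1, "event": "login", "session": "s1", "user": "netops", "src_ip": "192.0.2.10"}
{"ts": 2, "event": "config-change", "session": "s1", "user": "netops", "src_ip": "192.0.2.10"}
{"ts": 3, "event": "peer-up", "peer_ip": "10.0.0.11"}
{"ts": 4, "event": "config-change", "session": "s9", "user": "admin", "src_ip": "203.0.113.50"}
{"ts": 5, "event": "peer-up", "peer_ip": "198.51.100.7"}
{"ts": 6, "event": "login", "session": "s2", "user": "netops", "src_ip": "203.0.113.77"}
"""

def in_mgmt_net(ip):
    """True if the address falls inside an approved management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)

def detect(log_text):
    """Return (ts, finding) tuples for events that deviate from the baseline."""
    findings = []
    authenticated = set()  # sessions for which a login event was recorded
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind = ev.get("event")
        if kind == "login":
            authenticated.add(ev["session"])
            if not in_mgmt_net(ev["src_ip"]):
                findings.append((ev["ts"], "login-from-unapproved-source"))
        elif kind == "config-change":
            # Assumption: a privileged change with no login record for its
            # session is one signal consistent with an authentication bypass.
            if ev["session"] not in authenticated:
                findings.append((ev["ts"], "config-change-without-login"))
            elif not in_mgmt_net(ev["src_ip"]):
                findings.append((ev["ts"], "config-change-from-unapproved-source"))
        elif kind == "peer-up" and ev["peer_ip"] not in KNOWN_PEERS:
            findings.append((ev["ts"], "unknown-peer"))
    return findings

if __name__ == "__main__":
    for ts, finding in detect(SAMPLE_LOG):
        print(ts, finding)
```

The same three conditions carry over to a scheduled search once the controller's real log fields are mapped to these names.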