Critical Flaw Hits Cisco SD-WAN

A new critical vulnerability in Cisco Catalyst SD-WAN, CVE-2026-20127, breaks the trust model of the SD-WAN control plane. The flaw lets an unauthenticated attacker compromise SD-WAN controllers, alter their configuration, and pivot from there to the wider network.

This zero-day flaw, rated with the maximum CVSS score of 10.0, is rooted in a broken peering authentication mechanism in the Cisco Catalyst SD-WAN Controller and Manager. A remote, unauthenticated attacker can send crafted requests that bypass authentication and obtain high-privilege access to the management plane at the core of the network. Cisco attributes the exploitation to a sophisticated threat actor it tracks as UAT-8616, with evidence of malicious activity dating back to at least 2023. The issue was first identified and reported by Australian cybersecurity authorities after they observed real-world attacks.

The attack chain involves more than this single vulnerability. After gaining initial access through CVE-2026-20127, the actor has been observed downgrading the system software to a version affected by an older privilege escalation flaw, CVE-2022-20775, exploiting it to obtain full root access, and then restoring the original software version. Chaining vulnerabilities this way and cleaning up afterwards is a hallmark of an advanced persistent threat: once the version is restored, a check of the running software alone no longer shows that the downgrade ever happened, which complicates forensic analysis. The end goal is to add a rogue, actor-controlled peer to the SD-WAN fabric, giving the actor persistent, trusted access from which to manipulate network configuration and traffic.

The flaw affects all deployment types, on-premises as well as Cisco-hosted cloud environments, leaving a wide range of enterprise and government networks exposed. Its severity prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive requiring federal agencies to apply patches by February 27, 2026.

For defenders, a key indicator of compromise lives in the system logs. Security teams are advised to audit `/var/log/auth.log` on SD-WAN controllers for entries showing "Accepted publickey for vmanage-admin" that originate from unknown or unauthorized IP addresses. Note that the login line by itself is not the signal, since the advice keys on the source address rather than on the presence of the entry: the signal is a `vmanage-admin` login whose source is not one of your known Manager or controller addresses, so the audit should compare the source IP of each such login against an inventory of authorized peers.
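As an added example (not code from the article, from Cisco, or from the reporting authorities), the following Python script applies that audit to the contents of `auth.log`: it parses OpenSSH "Accepted publickey" lines, keeps those for `vmanage-admin`, and reports any whose source address falls outside an allow-list of known Manager/controller addresses. The sample log lines, the script name, and the `10.0.5.0/24` allow-list are constructed for the example; the real management addresses must come from your own inventory.

```python
"""audit_vmanage_admin.py (hypothetical name): flag vmanage-admin SSH logins
from sources outside the authorized Manager/controller address list."""
import re
import sys
from ipaddress import ip_address, ip_network

# Constructed sample in OpenSSH auth.log format; these are not real device logs.
SAMPLE_AUTH_LOG = """\
Feb 20 09:12:01 vsmart sshd[2101]: Accepted publickey for vmanage-admin from 10.0.5.10 port 44120 ssh2: RSA SHA256:expectedkey
Feb 20 09:14:33 vsmart sshd[2144]: Accepted password for admin from 10.0.5.20 port 51002 ssh2
Feb 20 11:40:18 vsmart sshd[2390]: Accepted publickey for vmanage-admin from 203.0.113.77 port 39944 ssh2: RSA SHA256:unknownkey
Feb 20 11:41:02 vsmart sshd[2391]: Failed publickey for vmanage-admin from 203.0.113.77 port 39950 ssh2
"""

# Hypothetical allow-list: the management subnet where the legitimate Manager
# and controllers live. Replace with the addresses from your own inventory.
AUTHORIZED_PEERS = ["10.0.5.0/24"]

# Matches only the OpenSSH "Accepted publickey" line; failed attempts and
# password logins are deliberately ignored, since the indicator is a
# successful key-based login for vmanage-admin.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[0-9A-Fa-f:.]+) port \d+"
)


def suspicious_logins(log_text, authorized=AUTHORIZED_PEERS, user="vmanage-admin"):
    """Return the accepted public-key logins for `user` whose source address is
    not inside any of the `authorized` networks (given as CIDR strings)."""
    nets = [ip_network(n, strict=False) for n in authorized]
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m or m.group("user") != user:
            continue
        src = ip_address(m.group("ip"))
        if any(src in net for net in nets):
            continue  # expected Manager/controller address, nothing to flag
        hits.append({"timestamp": m.group("ts"), "host": m.group("host"),
                     "source": str(src), "line": line})
    return hits


if __name__ == "__main__":
    # Usage: python audit_vmanage_admin.py [/var/log/auth.log]
    # Without an argument the constructed sample above is scanned.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    for hit in suspicious_logins(text):
        print(f"{hit['timestamp']} {hit['host']}: vmanage-admin login from "
              f"unauthorized source {hit['source']}")
```

Run it against the `auth.log` from every controller, not just one, since a rogue peer only needs to be accepted by the fabric once; and because the actor restores the original software version after the privilege escalation step, treat a clean version check as no evidence of absence and rely on the login audit and rotated logs instead.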

Shared from Scout.