Cisco Warns of SD-WAN Flaw Exploitation
Cisco is flagging ongoing exploitation of two recently patched vulnerabilities in its Catalyst SD-WAN products. The flaws allow attackers to bypass authentication, making identity controls on these devices critical. This puts a spotlight on the need for Splunk detection rules that monitor for anomalous access and configuration changes on network controllers.
The primary vulnerability, CVE-2026-20127, carries a CVSS score of 10.0, allowing an unauthenticated, remote attacker to completely bypass authentication. This flaw exists because the peering authentication mechanism in Cisco Catalyst SD-WAN Manager and Controller components does not function correctly. Attackers exploiting this flaw can gain administrative privileges, enabling them to manipulate SD-WAN network configurations, insert rogue peer devices, and control network traffic. This access can then be used to establish encrypted malicious connections for lateral movement throughout an organization's infrastructure. A threat actor designated UAT-8616 is actively exploiting this zero-day vulnerability.

Two other vulnerabilities, CVE-2026-20122 and CVE-2026-20128, are also being actively exploited in the wild. CVE-2026-20122 is an arbitrary file overwrite flaw, while CVE-2026-20128 is an information disclosure vulnerability; both require an attacker to have already gained some level of authenticated access.

This identity-based attack directly undermines the DoD's Zero Trust "User" pillar, which mandates continuous verification of all users to enforce least-privilege access. The compromise of these internet-facing edge devices reinforces the ZT tenet to "assume breach" and highlights
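The article calls for detection rules that watch for anomalous access and configuration changes on SD-WAN controllers. The following is an added example, not code from Cisco or from the article, of the two signals a defender would most want given an authentication bypass: a privileged action (configuration change or peer addition) whose session has no preceding successful login, and a privileged action from a source address outside the management network. The JSON audit-log format, its field names, the management subnet and the sample events are all constructed for illustration and are not Cisco's real audit schema.

```python
"""
Added example: flag privileged SD-WAN controller actions that either lack a
preceding authentication event for their session (an authentication bypass
produces no login) or originate outside the management network.
The log format, field names and sample data below are CONSTRUCTED; they are
not the real Cisco Catalyst SD-WAN audit-log schema.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample audit events (one JSON object per line).
SAMPLE_LOG = """
{"ts":"2026-02-26T09:00:01Z","event":"login_success","user":"netops","session":"s1","src":"10.10.5.20"}
{"ts":"2026-02-26T09:02:10Z","event":"config_change","user":"netops","session":"s1","src":"10.10.5.20","object":"policy/qos"}
{"ts":"2026-02-26T11:14:33Z","event":"peer_add","user":"admin","session":"s9","src":"198.51.100.7","object":"controller-peer/203.0.113.9"}
{"ts":"2026-02-26T11:15:02Z","event":"config_change","user":"admin","session":"s9","src":"198.51.100.7","object":"control-policy"}
{"ts":"2026-02-26T12:00:00Z","event":"login_success","user":"admin","session":"s10","src":"10.10.5.21"}
{"ts":"2026-02-26T12:01:00Z","event":"config_change","user":"admin","session":"s10","src":"10.10.5.21","object":"template/branch"}
"""

# Actions that require administrative rights on the controller (assumed names).
PRIVILEGED_EVENTS = {"config_change", "peer_add"}

# Assumed management subnet; replace with the real out-of-band/management ranges.
MGMT_NETS = [ipaddress.ip_network("10.10.5.0/24")]

NO_AUTH = "privileged action without prior authentication"
OUTSIDE_MGMT = "privileged action from outside management network"


def parse_events(text):
    """Parse JSON-lines audit text into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_anomalies(events, mgmt_nets=MGMT_NETS):
    """Return (reason, event) pairs for every suspicious privileged action.

    Events are processed in timestamp order so that a login only 'covers'
    privileged actions that happen after it in the same session.
    """
    authenticated_sessions = set()
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 UTC sorts lexically
        if ev["event"] == "login_success":
            authenticated_sessions.add(ev["session"])
            continue
        if ev["event"] not in PRIVILEGED_EVENTS:
            continue
        if ev["session"] not in authenticated_sessions:
            findings.append((NO_AUTH, ev))
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in mgmt_nets):
            findings.append((OUTSIDE_MGMT, ev))
    return findings


def summarize_by_session(findings):
    """Collapse findings into {session: set(reasons)} for triage."""
    summary = defaultdict(set)
    for reason, ev in findings:
        summary[ev["session"]].add(reason)
    return dict(summary)


if __name__ == "__main__":
    for session, reasons in summarize_by_session(
        find_anomalies(parse_events(SAMPLE_LOG))
    ).items():
        print(session, sorted(reasons))
```

Only session s9 is flagged: it performs a peer addition and a control-policy change without any login event and from a non-management address, which is the shape an authentication-bypass abuse would take in such a log. The same two checks can be expressed as a scheduled search in a SIEM once the real field names for login and configuration events on the controller are known.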