Cisco SD-WAN Zero-Day (CVE-2026-20127) Exploited Since 2023 by Sophisticated APT

Feb 25, 2026 · CVSS 10.0 · ~3 years undetected

CRITICAL

By Karim El Labban · ZERO|TOLERANCE


On February 25, 2026, Cisco disclosed CVE-2026-20127 - a critical authentication bypass vulnerability (CVSS 10.0, CWE-287) in Cisco Catalyst SD-WAN Controller (vSmart) and Cisco Catalyst SD-WAN Manager (vManage).

The flaw exists in the peering authentication mechanism and allows an unauthenticated remote attacker to gain full administrative access by sending a forged 14-byte DTLS message.

Cisco Talos attributes the exploitation to a threat actor tracked as UAT-8616 - assessed with high confidence as a highly sophisticated, likely nation-state-aligned adversary - with evidence of exploitation dating back to at least 2023. The Australian Signals Directorate's ACSC discovered and reported the vulnerability.

On the same day, CISA issued Emergency Directive ED 26-03 ordering all federal agencies to inventory, patch, and hunt for compromise within 48 hours.

Five Eyes intelligence agencies - NSA, CISA, ACSC, CCCS, NCSC-NZ, and NCSC-UK - released a joint cybersecurity advisory (PP-26-0656). Two public proof-of-concept exploits are available on GitHub.

Cisco disclosed five companion SD-WAN vulnerabilities the same day; counting the older CVE-2022-20775 that the actor chains with the zero-day, five of the seven CVEs are confirmed actively exploited. No workarounds exist.

01

KEY FACTS

  • What: Authentication bypass in Cisco Catalyst SD-WAN Controller and Manager - unauthenticated full admin access via forged DTLS peering message.
  • CVE: CVE-2026-20127 (CVSS 10.0 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). CWE-287. Bug ID: CSCws52722.
  • Who: All Cisco Catalyst SD-WAN deployments - On-Prem, Cisco Hosted Cloud, Cisco Managed, and FedRAMP. ~600 internet-facing instances (Censys); ~150 with NETCONF/SSH directly exposed.
  • How: Forged CHALLENGE_ACK_ACK message (msg_type=10) to the vdaemon DTLS handler sets authenticated=1 without cryptographic validation. Second chain: unauthenticated DCA credential retrieval + reserved system account login + path traversal webshell.
  • Data: Complete WAN fabric configuration, routing policies, VPN credentials, NETCONF management data, network traffic interception capability.
  • Actor: UAT-8616 (Cisco Talos). Assessed highly sophisticated, nation-state-aligned. ~3 years active. Tenable draws parallels to Salt Typhoon and Volt Typhoon.
  • CVEs: CVE-2026-20127 (10.0), chained with CVE-2022-20775 (7.8). Plus 5 companion CVEs. 5 of 7 total actively exploited.
  • Impact: Five Eyes Joint Advisory PP-26-0656. CISA ED 26-03 (48-hour federal patch deadline). FedRAMP NTC-0006. NHS England CC-4748. Canada AL26-004. Singapore AL-2026-019. Two public PoC exploits.

02

WHAT HAPPENED

On February 25, 2026, Cisco published security advisory cisco-sa-sdwan-rpa-EHchtZk disclosing CVE-2026-20127. The vulnerability was reported by Australia's ASD ACSC, which suggests it was found during an active compromise investigation rather than by vendor research.

Cisco simultaneously disclosed five additional SD-WAN vulnerabilities: CVE-2026-20122 (CVSS 5.4, arbitrary file overwrite), CVE-2026-20126 (CVSS 8.8, local privilege escalation), CVE-2026-20128 (CVSS 7.5, DCA credential exposure), CVE-2026-20129 (CVSS 9.8, unauthenticated API access as netadmin), and CVE-2026-20133 (CVSS 7.5, unauthenticated file read).

CISA added both CVE-2026-20127 and CVE-2022-20775 to its KEV catalog the same day and issued Emergency Directive ED 26-03.

Within hours, the Five Eyes intelligence alliance - NSA, CISA, ASD ACSC, Canadian Centre for Cyber Security, NCSC-NZ, and NCSC-UK - released joint advisory PP-26-0656 titled "Exploitation of Cisco SD-WAN Appliances" through the Department of Defense.

The advisory confirmed global exploitation of critical infrastructure by a sophisticated threat actor. NHS England issued Cyber Alert CC-4748. Canada issued AL26-004. Singapore issued AL-2026-019.

On March 5, Cisco updated its companion advisory to confirm CVE-2026-20128 and CVE-2026-20122 were also being actively exploited, bringing the total to five of seven SD-WAN CVEs under active attack.

On March 11, Rapid7 published a full root cause analysis with binary-level exploitation details. Two public PoC exploits appeared on GitHub - one from Rapid7 targeting the DTLS peering handler, and one from zerozenxlabs demonstrating an HTTP-based pre-auth RCE chain.

This disclosure occurred during a broader crisis for Cisco's edge infrastructure.

Within three weeks of February 25, Cisco disclosed 9 total critical/high-severity vulnerabilities across SD-WAN and Secure Firewall Management Center, with 5 confirmed actively exploited - including CVE-2026-20131 (CVSS 10.0, FMC insecure deserialization exploited by Interlock ransomware for 36 days before disclosure).

03

THREAT ACTOR

Multiple indicators point to nation-state alignment: the three-year dwell time is characteristic of intelligence-focused operations; the targeting of critical infrastructure mirrors PRC-linked campaigns; and Tenable explicitly drew comparisons to Salt Typhoon (3+ years inside a single telecom) and Volt Typhoon (up to 5 years in US critical infrastructure).

Cisco recently tracked a separate China-nexus group, UAT-9686, exploiting a different Cisco zero-day.

UAT-8616's post-exploitation tradecraft is exceptionally disciplined: creates rogue local accounts mimicking legitimate system accounts; injects SSH authorized keys for persistent vmanage-admin access; adds rogue peers to the SD-WAN fabric via NETCONF; modifies startup scripts for boot persistence; performs deliberate software downgrade to reintroduce CVE-2022-20775; escalates to root via path traversal; restores the original software version so the device appears correctly versioned when checked; purges /var/log, clears bash_history, and removes connection history.

This "downgrade-exploit-restore" technique is the campaign's signature - converting the platform's own update mechanism into an exploitation tool while producing minimal forensic artifacts.

04

WHAT WAS EXPOSED

Compromising an SD-WAN Controller or Manager gives an attacker control over an organization's entire wide-area network fabric:

  • Complete SD-WAN fabric configuration - network topology maps, VLAN assignments, interface configurations, and routing policies for every site.
  • VPN tunnel credentials and certificates - IPsec/DTLS keys, certificate authorities, and device authentication credentials for all edge routers.
  • Network traffic interception and manipulation - the controller pushes routing policy to all edge devices; an attacker can redirect traffic through attacker-controlled nodes.
  • NETCONF management data - full read/write access to device configurations across the fabric.
  • Edge device configurations - every managed Cisco IOS XE router has its configuration stored centrally.
  • Authentication and access control data - local accounts, RADIUS/TACACS+ configs, SSH keys.

For a nation-state adversary targeting critical infrastructure, this represents strategic intelligence collection capability: the ability to map, monitor, and manipulate an organization's entire WAN communications at will, potentially for years without detection.

05

TECHNICAL FAILURE CHAIN

1. Broken Peering Authentication (CWE-287). The vbond_proc_challenge_ack_ack() handler in vdaemon trusts a single byte (verify_status) in an incoming CHALLENGE_ACK_ACK message. A non-zero value (0x01 suffices) causes the server to write authenticated=1 without any cryptographic validation: the server never checks that the peer answered its challenge, it simply believes the peer's claim that verification succeeded.

The message type (msg_type=10) is exempt from the authentication gates that protect other message types, so the handler is reachable pre-authentication. A 14-byte forged message achieves full authentication.
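To make the logic flaw concrete, here is an added model (not Cisco's vdaemon code) of a peer-authentication handler that trusts a client-supplied verify_status byte, next to a hardened version that derives authentication only from its own HMAC computation over a server-issued challenge. The 14-byte layout (msg_type, verify_status, 12-byte session id), the type code 8 for the challenge, the pre-shared peering key and the HMAC-SHA256 response are assumptions made for the model; only msg_type=10 and the verify_status byte come from the public write-ups.

```python
"""Model of the CVE-2026-20127 logic flaw: a peer-authentication handler that
trusts a client-supplied status byte, beside one that requires proof of key
possession. Added illustration, not Cisco's vdaemon code. The 14-byte layout
(msg_type, verify_status, 12-byte session id), MSG_CHALLENGE=8, the pre-shared
peer key and the HMAC-SHA256 answer are ASSUMPTIONS of this model."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

MSG_CHALLENGE = 8            # assumed type code for the server's challenge
MSG_CHALLENGE_ACK_ACK = 10   # type code named in the public analysis
SESSION_ID_LEN = 12
TAG_LEN = 32                 # HMAC-SHA256 output


@dataclass
class PeerSession:
    session_id: bytes
    peer_key: bytes                       # pre-shared peering secret (model)
    authenticated: bool = False
    challenge: Optional[bytes] = None     # server nonce awaiting an answer


def forged_challenge_ack_ack(session_id: bytes) -> bytes:
    """The 14-byte forgery: type 10, non-zero verify_status, no proof at all."""
    return bytes([MSG_CHALLENGE_ACK_ACK, 0x01]) + session_id


def vulnerable_handle(session: PeerSession, msg: bytes) -> bool:
    """vbond_proc_challenge_ack_ack() as described: a non-zero verify_status
    byte flips authenticated=1. Nothing cryptographic is checked."""
    if len(msg) != 2 + SESSION_ID_LEN or msg[0] != MSG_CHALLENGE_ACK_ACK:
        return False
    if msg[2:] != session.session_id:
        return False
    if msg[1] != 0:                       # the entire "verification"
        session.authenticated = True
    return session.authenticated


def issue_challenge(session: PeerSession) -> bytes:
    """Hardened flow, step 1: server sends a fresh nonce the peer must answer."""
    session.challenge = secrets.token_bytes(16)
    return bytes([MSG_CHALLENGE]) + session.session_id + session.challenge


def answer_challenge(session_id: bytes, challenge: bytes, peer_key: bytes) -> bytes:
    """Legitimate peer: prove key possession by MAC-ing the server's nonce."""
    tag = hmac.new(peer_key, session_id + challenge, hashlib.sha256).digest()
    return bytes([MSG_CHALLENGE_ACK_ACK]) + session_id + tag


def hardened_handle(session: PeerSession, msg: bytes) -> bool:
    """Authentication comes from the server's own computation, never from a
    flag the client sent, and only while a challenge is outstanding."""
    if len(msg) != 1 + SESSION_ID_LEN + TAG_LEN or msg[0] != MSG_CHALLENGE_ACK_ACK:
        return False
    if session.challenge is None:         # nothing to answer: drop it
        return False
    sid, tag = msg[1:1 + SESSION_ID_LEN], msg[1 + SESSION_ID_LEN:]
    if sid != session.session_id:
        return False
    expected = hmac.new(session.peer_key, sid + session.challenge,
                        hashlib.sha256).digest()
    session.challenge = None              # single use, even on failure
    if hmac.compare_digest(tag, expected):
        session.authenticated = True
    return session.authenticated


def demo() -> Dict[str, bool]:
    """Forgery against both handlers, wrong key and real answer against the fix."""
    key = secrets.token_bytes(32)
    sid = secrets.token_bytes(SESSION_ID_LEN)
    forged = forged_challenge_ack_ack(sid)

    weak = PeerSession(sid, key)
    results = {"forgery_vs_vulnerable": vulnerable_handle(weak, forged)}

    strong = PeerSession(sid, key)
    issue_challenge(strong)
    results["forgery_vs_hardened"] = hardened_handle(strong, forged)
    # attacker who observed the nonce but lacks the key still fails
    bad = answer_challenge(sid, strong.challenge, b"wrong-key")
    results["wrong_key_vs_hardened"] = hardened_handle(strong, bad)
    # the failed attempt consumed the challenge; a fresh one is required
    chal = issue_challenge(strong)[1 + SESSION_ID_LEN:]
    results["legit_vs_hardened"] = hardened_handle(
        strong, answer_challenge(sid, chal, key))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: authenticated={ok}")
```

The point of the contrast is where the authenticated bit is derived from: in the vulnerable handler it is a function of attacker-controlled input, in the hardened one it is a function of the server's own nonce and the shared key, compared in constant time and consumed on first use.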

2. NETCONF Exposed Without Access Controls. Port 830 and port 22 were exposed to the internet on ~25% of internet-facing instances. Cisco did not restrict NETCONF to known system IPs until Release 20.18.1 (2025) - all prior versions exposed it by default.

3. Reserved System Account with Static Credentials. The viptela-reserved-dca system account holds admin privileges and its 32-character credential is retrievable without authentication from an API endpoint. A backdoor-equivalent path to full admin access.

4. No Software Downgrade Prevention. The update mechanism permits arbitrary version downgrades without integrity validation or alerting. UAT-8616 exploited this to roll back to versions vulnerable to CVE-2022-20775, exploit root, then restore.

5. No Management Plane Isolation. SD-WAN management interfaces were internet-accessible in affected deployments. The control plane was not segmented from general network access.

6. Insufficient Logging and Monitoring. Three-year dwell time with log purging going undetected. No external log aggregation or integrity monitoring.

06

INDICATORS OF COMPROMISE

CVE IDs:

  • CVE-2026-20127 - CVSS 10.0, Authentication bypass in Cisco Catalyst SD-WAN Controller/Manager
  • CVE-2022-20775 - CVSS 7.8, Privilege escalation in SD-WAN CLI (used in post-exploitation)
  • CVE-2026-20122 - CVSS 5.4, Arbitrary file overwrite (actively exploited)
  • CVE-2026-20128 - CVSS 7.5, DCA credential exposure (actively exploited)
  • CVE-2026-20129 - CVSS 9.8, Unauthenticated API access as netadmin

Government Advisories:

  • Five Eyes Joint Advisory PP-26-0656
  • CISA Emergency Directive ED 26-03
  • CISA KEV: CVE-2026-20127 and CVE-2022-20775

Vulnerable Function:

  • vbond_proc_challenge_ack_ack() at 0x38AB7 in the vdaemon binary
  • Forged 14-byte message: msg_type=10 (CHALLENGE_ACK_ACK)
  • Non-zero verify_status byte sets authenticated=1

Affected Ports:

  • UDP/12346 - vSmart peering (DTLS)
  • HTTPS/443 - vManage web management
  • TCP/830 - NETCONF
  • TCP/22 - SSH

Internet Exposure:

  • ~600 SD-WAN Manager instances internet-facing (Censys)
  • ~150 also exposing NETCONF or SSH

Threat Actor:

  • UAT-8616 (Cisco Talos) - Likely nation-state, active since 2023

UAT-8616 Post-Exploitation TTPs:

  • Creates rogue local accounts mimicking system accounts
  • Injects SSH authorized keys for persistent access
  • Adds rogue peers to the SD-WAN fabric via NETCONF
  • Software downgrade to reintroduce CVE-2022-20775, then restores the original version
  • Purges /var/log, clears bash_history

07

MITRE ATT&CK

  • T1190 - Exploit Public-Facing Application
  • T1098.004 - SSH Authorized Keys
  • T1601.001 - Patch System Image (downgrade-exploit-restore)
  • T1070.002 - Clear System Logs
  • T1136.001 - Create Local Account

08

REGULATORY EXPOSURE

  • CISA Emergency Directive ED 26-03 - Mandatory for all FCEB agencies. Inventory by Feb 26; patch by Feb 27 5PM ET; detailed report by Mar 5; hardening report by Mar 12; CLAW log submission by Mar 23. If root access detected: rebuild from scratch.
  • FedRAMP NTC-0006 - All authorized CSPs must respond. Patch by Feb 27 5PM ET regardless of impact level.
  • CISA BOD 22-01 (KEV) - CVE-2026-20127 and CVE-2022-20775 added Feb 25. 24-hour remediation window.
  • FISMA / NIST SP 800-53 - Non-compliance with AC-2, AC-17, AU-6, CM-6, CM-7, IA-2, SI-2, SI-4.
  • SEC 8-K Disclosure - Public companies with compromised SD-WAN may have material incidents requiring disclosure.
  • GDPR Article 32 - Failure to secure network infrastructure handling EU personal data. 72-hour DPA notification if data transited compromised links. Fines up to EUR 20M or 4% of turnover.
  • UK GDPR / DPA 2018 - ICO enforcement. UK NCSC explicitly warned UK organisations. Fines up to GBP 17.5M or 4%.
  • HIPAA - Covered entities whose PHI transited compromised SD-WAN face Security Rule violations and 60-day notification.
  • Saudi PDPL / NCA ECC - Organizations running Cisco SD-WAN for critical infrastructure. PDPL fines up to SAR 5M. NCA mandatory incident reporting.
  • UAE PDPL - Fines up to AED 10M. TDRA notification requirements.

09

ZERO|TOLERANCE Advisory

1. Isolate the SD-WAN Management Plane from Internet Access - vManage (HTTPS/443), NETCONF (TCP/830) and SSH (TCP/22) must never be directly internet-accessible; put them on a dedicated out-of-band management network with strict IP allowlisting. Where WAN edges must reach the control plane across public transport, restrict the DTLS peering port (UDP/12346) to the edges' known addresses rather than leaving it open to the world.

2. Implement Software Integrity and Downgrade Prevention - Deploy continuous integrity monitoring that detects and alerts on any software version change. File hash monitoring (Tripwire/AIDE) that cannot be disabled from the managed device.

3. Restrict and Audit NETCONF/SSH Access - Lock TCP/830 and TCP/22 to authorized management IPs. Audit all SSH authorized_keys changes in real-time. Alert on any key addition to vmanage-admin or root.

4. Export Logs to Immutable External Storage - Forward SD-WAN device logs in real time to a SIEM that cannot be modified from the managed device. UAT-8616 purged local logs throughout a roughly three-year intrusion; external aggregation would have preserved the evidence.

5. Monitor for Rogue Peers and Configuration Drift - Continuous SD-WAN fabric integrity monitoring detecting unauthorized peer additions and routing policy modifications.

6. Assume Compromise and Hunt - Any organization that ran internet-facing Cisco SD-WAN prior to February 27, 2026 should assume potential compromise.

Check: /var/log/auth.log for unauthorized publickey entries, vdebug for unexpected downgrades, rogue fabric peers, unauthorized SSH keys, modified startup scripts, truncated logs. If root access confirmed, rebuild from scratch per ED 26-03.
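As an added example (not code from Cisco, Talos, CISA or Rapid7), the following Python implements three of those checks offline against constructed inputs: sshd "Accepted publickey" logins from outside a management allowlist, authorized_keys entries whose fingerprint is not on an approved list, and a software version history that contains a downgrade, including the downgrade-exploit-restore pattern where the version later returns to normal. The management prefix (MGMT_NETS), the approved key set and all sample data are placeholders or constructed samples, not real artifacts from this campaign.

```python
"""Offline hunt helpers for the post-exploitation artifacts listed above.

Added example, not Cisco, Talos or Rapid7 code. MGMT_NETS and the approved
key set are placeholders (ASSUMPTIONS) to replace with your own; the sshd
lines, authorized_keys entries and version history are CONSTRUCTED samples."""
import base64
import hashlib
import ipaddress
import re
from typing import Dict, List, Set, Tuple

MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]   # placeholder OOB mgmt net
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")                # authorized_keys key-type prefixes

# sshd success line, e.g. "Feb 26 03:12:44 vmanage sshd[2211]: Accepted publickey
# for vmanage-admin from 203.0.113.7 port 51822 ssh2: RSA SHA256:..."
SSH_ACCEPT = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ \S+ sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def logins_outside_mgmt(auth_log: str, mgmt_nets) -> List[Tuple[str, str]]:
    """Key-based logins (what an injected authorized_keys entry produces)
    whose source address is not inside any management prefix."""
    hits = []
    for line in auth_log.splitlines():
        m = SSH_ACCEPT.match(line)
        if not m or m["method"] != "publickey":
            continue
        src = ipaddress.ip_address(m["ip"])
        if not any(src in net for net in mgmt_nets):
            hits.append((m["user"], m["ip"]))
    return hits


def key_fingerprint(authorized_keys_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of an authorized_keys line; tolerates a
    leading options field (e.g. from="...") before the key type."""
    fields = authorized_keys_line.split()
    idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError(f"not an authorized_keys entry: {authorized_keys_line!r}")
    digest = hashlib.sha256(base64.b64decode(fields[idx + 1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unapproved_keys(authorized_keys: str, approved: Set[str]) -> List[str]:
    """Fingerprints present in the file but absent from the approved set."""
    found = []
    for line in authorized_keys.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp = key_fingerprint(line)
        if fp not in approved:
            found.append(fp)
    return found


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def downgrade_events(history: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """history is the ordered list of (timestamp, installed version). Every
    transition to a lower version is returned as (when, from, to); restoring
    the original version afterwards does not erase the earlier downgrade."""
    events = []
    for (_, before), (when, after) in zip(history, history[1:]):
        if parse_version(after) < parse_version(before):
            events.append((when, before, after))
    return events


def fake_key(label: bytes) -> str:
    """CONSTRUCTED ed25519-shaped blob for the demo; not a usable key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + hashlib.sha256(label).digest()
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


SAMPLE_AUTH_LOG = """\
Feb 26 02:10:03 vmanage sshd[1201]: Accepted publickey for vmanage-admin from 10.10.0.5 port 50210 ssh2: ED25519 SHA256:ops
Feb 26 03:12:44 vmanage sshd[2211]: Accepted publickey for vmanage-admin from 203.0.113.7 port 51822 ssh2: RSA SHA256:unknown
Feb 26 03:13:01 vmanage sshd[2230]: Accepted password for netadmin from 10.10.0.9 port 50311 ssh2
"""
KNOWN_KEY = fake_key(b"ops-jump-host")
ROGUE_KEY = fake_key(b"attacker")
SAMPLE_AUTHORIZED_KEYS = (f'from="10.10.0.0/24" {KNOWN_KEY} ops@jump\n'
                          f"{ROGUE_KEY} vmanage-admin@localhost\n")
SAMPLE_VERSION_HISTORY = [          # constructed: downgrade, then restore
    ("2025-11-02T09:00", "20.12.4"),
    ("2026-01-14T02:41", "20.9.1"),
    ("2026-01-14T03:05", "20.12.4"),
]


def hunt() -> Dict[str, list]:
    """Run the three checks over the constructed samples."""
    return {
        "logins_outside_mgmt": logins_outside_mgmt(SAMPLE_AUTH_LOG, MGMT_NETS),
        "unapproved_keys": unapproved_keys(SAMPLE_AUTHORIZED_KEYS,
                                           {key_fingerprint(KNOWN_KEY)}),
        "downgrades": downgrade_events(SAMPLE_VERSION_HISTORY),
    }


if __name__ == "__main__":
    for check, findings in hunt().items():
        print(f"{check}: {findings or 'none'}")
```

Run these against copies of the artifacts pulled off the device, not on the device itself: an actor that purges /var/log and restores the software version will leave the live box looking clean, which is exactly why the version check keeps a downgrade event even when the final version is the expected one, and why the inputs should come from externally aggregated logs wherever those exist.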

10

SOURCES

Cisco PSIRT (cisco-sa-sdwan-rpa-EHchtZk, cisco-sa-sdwan-authbp-qwCX8D4v), NVD (CVE-2026-20127, CVE-2022-20775), Cisco Talos (blog.talosintelligence.com/uat-8616-sd-wan), CISA (ED 26-03, Supplemental Direction, KEV), Five Eyes Joint Advisory PP-26-0656, FedRAMP NTC-0006, Rapid7 Labs, Tenable, The Hacker News, Help Net Security, BleepingComputer, SecurityWeek, CyberScoop, Infosecurity Magazine, Security Affairs, Greenbone, Censys, Sophos, SOC Prime, eSecurity Planet, Arctic Wolf, ASD ACSC, UK NCSC, NHS England (CC-4748), CCCS (AL26-004), Singapore CSA (AL-2026-019)
