CVE-2026-20127: Critical Cisco SD-WAN Zero-Day Exploited Since 2023 — What You Need to Do Now
CISA has issued Emergency Directive 26-03 for CVE-2026-20127, a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN. Learn the vulnerability details, detection steps, and immediate remediation actions.
Breaking: CISA Emergency Directive 26-03
On February 25, 2026, CISA issued Emergency Directive 26-03 requiring all Federal Civilian Executive Branch agencies to patch Cisco SD-WAN systems by February 27, 2026. If you run Cisco Catalyst SD-WAN (formerly Viptela), this is a drop-everything priority.
CVE-2026-20127 is a CVSS 10.0 authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage) that has been actively exploited since at least 2023 by a sophisticated threat actor tracked as UAT-8616.
Vulnerability Summary
| Detail | Information |
|--------|-------------|
| CVE ID | CVE-2026-20127 |
| CVSS Score | 10.0 (Critical) |
| Attack Vector | Network (remote, unauthenticated) |
| Complexity | Low |
| Affected Products | Cisco Catalyst SD-WAN Controller, SD-WAN Manager |
| Exploit Status | Actively exploited in the wild |
| Threat Actor | UAT-8616 (suspected Chinese state-sponsored) |
| Exploited Since | At least 2023 |
| CISA Directive | ED 26-03 — patch by Feb 27, 2026 |
How the Attack Works
Step 1: Authentication Bypass
The vulnerability exists in the peering authentication mechanism between SD-WAN controllers. An unauthenticated remote attacker can send crafted requests to bypass authentication and gain administrative privileges on the SD-WAN Controller.
```text
Attacker ──── Crafted Request ────→ SD-WAN Controller
                                            │
                                            ▼
                                  Authentication Bypassed
                                    Admin Access Granted
```
Step 2: Privilege Escalation to Root
After gaining admin access, UAT-8616 escalated to root by performing a software version downgrade — exploiting the fact that older SD-WAN versions contained a known local privilege escalation vulnerability (CVE-2022-20775).
```text
Admin Access → Downgrade SD-WAN Version → Exploit CVE-2022-20775 → Root
```
Step 3: Persistence and Lateral Movement
Once root was achieved, the attacker:
- Upgraded the Controller back to its previous version (hiding the downgrade)
- Created local user accounts for persistent access
- Used NETCONF and SSH for lateral movement across the SD-WAN fabric
- Added malicious rogue peers to the SD-WAN overlay network
```text
Root Access
├── Create backdoor user accounts
├── Restore original software version (cover tracks)
├── Add rogue SD-WAN peers to overlay
├── NETCONF lateral movement to other controllers
└── SSH tunnelling through SD-WAN fabric
```
Step 4: Network Compromise
With rogue peers in the SD-WAN fabric, the attacker could:
- Intercept and modify traffic flowing through the overlay
- Redirect traffic to attacker-controlled infrastructure
- Access any site connected to the SD-WAN
- Maintain persistent, stealthy access across the entire WAN
Am I Affected?
You are affected if you run any version of:
- Cisco Catalyst SD-WAN Controller (formerly vSmart Controller)
- Cisco Catalyst SD-WAN Manager (formerly vManage)
This includes:
- On-premises deployments
- Cloud-hosted SD-WAN instances
- Hybrid deployments
Quick Check
```text
# Check your SD-WAN Controller version
show version
# Check for unexpected user accounts
show running-config | include username
# Check SD-WAN peer list for unknown peers
show omp peers
# Check for recent configuration changes
show configuration history
```
Immediate Actions Required
Step 1: Identify All SD-WAN Systems
```bash
# Network scan for SD-WAN management ports (scope to your own address ranges)
nmap -p 8443,8444,830,443 -sV 10.0.0.0/8 --open
# Ports to look for:
# 8443 — vManage web interface
# 8444 — vManage cluster messaging
# 830 — NETCONF
# 443 — REST API
```
Step 2: Collect Forensic Evidence (Before Patching)
Do not patch first — collect evidence to determine if you've been compromised:
```text
# On SD-WAN Controller/Manager:
# 1. Check for unknown local accounts
show running-config | include username
# Compare against your known account list
# 2. Check OMP peer table for rogue peers
show omp peers
# Any peer you don't recognise = potential compromise
# 3. Check for software version changes
show software versions
show install history
# Look for unexpected upgrades/downgrades
# 4. Export all logs
request admin tech-support
# Save the tech-support file for forensic analysis
# 5. Check NETCONF sessions
show netconf sessions
# Active sessions from unknown IPs = compromise indicator
```
Step 3: Ensure External Log Storage
Attackers may tamper with local logs. Ensure you have:
- Syslog forwarding to an external SIEM (Wazuh, Splunk, Elastic)
- SNMP trap forwarding to external NMS
- NetFlow/IPFIX export to external collector
```text
# Verify syslog configuration
show logging
# Verify SNMP trap destination
show snmp trap
```
Step 4: Apply the Patch
Cisco has released patches for all affected versions:
```text
# Check current version
show version
# Download and install the patch from Cisco
# Follow Cisco's advisory for your specific version:
# https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-auth-bypass
request software install <patch-filename>
```
Step 5: Post-Patch Verification
```text
# Verify patch was applied
show version
# Re-check for unknown accounts
show running-config | include username
# Verify OMP peer table is clean
show omp peers
# Monitor for anomalous activity over next 72 hours
# Set up alerts for:
# - New user account creation
# - NETCONF sessions from unexpected sources
# - OMP peer changes
# - Software version changes
```
Detection with SNMP and NMS
If you're using SNMP monitoring (Zabbix, LibreNMS), add these checks:
Zabbix Detection Items
```text
# Monitor for configuration changes
Item: snmptrap["ciscoConfigManEvent"]
Trigger: Configuration changed on {HOST.NAME}
Severity: High
# Monitor for authentication failures (SNMP authenticationFailure trap)
Item: snmptrap["authenticationFailure"]
Trigger: Authentication failure on {HOST.NAME}
Severity: Warning
# Monitor uptime (reboot = possible exploitation)
Item: sysUpTime
Trigger: {HOST.NAME} rebooted unexpectedly
Severity: Critical
```
Zeek / Network Traffic Analysis
```bash
# Look for NETCONF traffic from unexpected sources
# (zeek-cut output is tab-separated, so match the port column rather than grepping for ":830")
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p | awk '$3 == 830'
# Look for successful SSH sessions to SD-WAN controllers from unusual sources
cat ssh.log | zeek-cut id.orig_h id.resp_h auth_success | awk '$3 == "T"'
# Look for large data transfers from SD-WAN management IPs (orig_bytes above 100 MB)
cat conn.log | zeek-cut id.orig_h id.resp_h orig_bytes | \
  awk '$3 != "-" && $3 > 100000000' | sort -k3 -rn
```
Indicators of Compromise (IoCs)
Based on Cisco Talos analysis of UAT-8616 activity:
Behavioural indicators:
- Unexpected SD-WAN software version changes (downgrade then upgrade)
- New local user accounts not created by your team
- Unknown OMP peers in the SD-WAN fabric
- NETCONF sessions from unrecognised IP addresses
- SSH tunnels through SD-WAN overlay to unusual destinations
- Configuration changes outside maintenance windows
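The first three behavioural indicators (unexpected version changes, unknown local accounts, unknown OMP peers) are the same things Step 2 tells you to collect by hand. The script below is an added example, not Cisco's or Talos's code, that diffs collected CLI output against a known-good baseline. The sample `show running-config | include username` and `show omp peers` output, the install history list, and the baseline sets are constructed for illustration and only approximate the real command formats, so adjust the parsers to what your platform version actually prints.

```python
"""Baseline comparison of collected SD-WAN controller output (added example).

Assumptions: all sample outputs, the baseline account and peer lists, and the
install history below are constructed; the 'show omp peers' column layout is an
approximation of the real output, not a verbatim capture.
"""
import ipaddress
import re

# Constructed sample of `show running-config | include username` output.
RUNNING_CONFIG_USERS = """\
 username admin
 username netops
 username svc-backup
"""

# Constructed sample of `show omp peers` output (column layout approximated).
OMP_PEERS = """\
PEER             TYPE     DOMAIN  OVERLAY  SITE    STATE    UPTIME
                          ID      ID       ID
-----------------------------------------------------------------
10.10.0.11       vsmart   1       1        100     up       3:01:22:10
10.10.0.12       vsmart   1       1        100     up       3:01:22:08
10.99.7.200      vedge    1       1        9999    up       0:00:14:31
"""

# Constructed install history as (timestamp, version) pairs, oldest first,
# showing the downgrade-then-restore pattern described in the article.
INSTALL_HISTORY = [
    ("2026-02-01T02:10:00Z", "20.12.4"),
    ("2026-02-13T03:41:17Z", "20.6.5"),
    ("2026-02-13T04:02:55Z", "20.12.4"),
]

# Baseline maintained by the network team (constructed values).
KNOWN_USERS = {"admin", "netops"}
KNOWN_PEERS = {"10.10.0.11", "10.10.0.12"}


def parse_usernames(text):
    """Return the set of local usernames from 'username <name>' lines."""
    return {m.group(1) for m in re.finditer(r"^\s*username\s+(\S+)", text, re.M)}


def parse_omp_peers(text):
    """Return {peer_ip: peer_type} from tabular 'show omp peers' output.

    Header, separator and continuation lines are skipped because their first
    field does not parse as an IP address.
    """
    peers = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        peers[fields[0]] = fields[1]
    return peers


def version_key(version):
    """Turn '20.12.4' into (20, 12, 4) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def find_downgrade_upgrade(history):
    """Find every downgrade and whether the version was later restored.

    Returns a list of dicts with the version before and after the downgrade,
    the downgrade timestamp, and the timestamp of the first later entry that
    restores a version >= the original (None if never restored).
    """
    events = []
    for i in range(1, len(history)):
        _, prev_version = history[i - 1]
        ts, version = history[i]
        if version_key(version) < version_key(prev_version):
            restored = next(
                (later_ts for later_ts, later_v in history[i + 1:]
                 if version_key(later_v) >= version_key(prev_version)),
                None,
            )
            events.append({"from": prev_version, "to": version,
                           "at": ts, "restored_at": restored})
    return events


def audit(users_text, peers_text, history, known_users, known_peers):
    """Compare collected output with the baseline and return finding strings."""
    findings = []
    for user in sorted(parse_usernames(users_text) - set(known_users)):
        findings.append(f"unknown local account: {user}")
    for ip, peer_type in sorted(parse_omp_peers(peers_text).items()):
        if ip not in known_peers:
            findings.append(f"unknown OMP peer: {ip} ({peer_type})")
    for e in find_downgrade_upgrade(history):
        note = f"software downgrade {e['from']} -> {e['to']} at {e['at']}"
        if e["restored_at"]:
            note += f", restored at {e['restored_at']}"
        findings.append(note)
    return findings


if __name__ == "__main__":
    for finding in audit(RUNNING_CONFIG_USERS, OMP_PEERS, INSTALL_HISTORY,
                         KNOWN_USERS, KNOWN_PEERS):
        print("FINDING:", finding)
```

Feed it the text you saved from the tech-support bundle rather than live device output, so the comparison is repeatable and the evidence stays untouched. An empty findings list is only meaningful if the baseline itself predates the suspected compromise window (at least 2023 here), so take it from change-management records, not from a recent export of the controller.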
Network indicators:
- Connections to SD-WAN management ports (8443, 8444, 830) from external IPs
- Unusual NETCONF traffic patterns
- DNS queries to suspicious domains from SD-WAN controllers
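The network indicators above, and the one-line Zeek queries in the previous section, can be turned into a repeatable triage over exported Zeek logs. The following is an added example, not part of the article or of Zeek, that reads Zeek's tab-separated `conn.log` and `ssh.log` by their `#fields` header and flags management-port connections to controllers from outside a trusted management range, successful SSH to a controller from an untrusted source (including controller-to-controller, which matches the lateral-movement pattern), and unusually large egress from a controller. The controller IPs, the trusted range, the threshold and the log lines are all constructed.

```python
"""Zeek log triage for SD-WAN management-plane access (added example).

Assumptions: CONTROLLERS, TRUSTED_MGMT, LARGE_TRANSFER_BYTES and the sample log
lines are constructed for illustration; field names follow Zeek's default
conn.log and ssh.log schemas.
"""
import ipaddress

CONTROLLERS = {"10.20.1.1", "10.20.1.2"}            # constructed controller IPs
TRUSTED_MGMT = [ipaddress.ip_network("10.50.0.0/24")]  # constructed jump-host/NMS range
MGMT_PORTS = {8443, 8444, 830}                        # ports named in the article
LARGE_TRANSFER_BYTES = 100_000_000                    # same threshold as the awk one-liner

# Constructed conn.log excerpt: trusted web-UI access, NETCONF from an external
# address, and a large upload from a controller to an external host.
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
1771980000.1\tC1\t10.50.0.7\t51000\t10.20.1.1\t8443\ttcp\tssl\t12.0\t4820\t99000
1771980005.3\tC2\t203.0.113.45\t44022\t10.20.1.1\t830\ttcp\t-\t301.2\t15000\t2200
1771980100.0\tC3\t10.20.1.1\t39911\t198.51.100.9\t443\ttcp\tssl\t900.0\t250000000\t3000
"""

# Constructed ssh.log excerpt: one trusted admin login and one controller-to-
# controller SSH session.
SSH_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tauth_success
1771980200.0\tC4\t10.50.0.7\t52000\t10.20.1.2\t22\tT
1771980260.0\tC5\t10.20.1.1\t40100\t10.20.1.2\t22\tT
"""


def parse_zeek(text):
    """Yield one dict per record of a Zeek TSV log, keyed by its #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split("\t")))


def is_trusted(ip):
    """True if the address falls inside a trusted management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT)


def triage_conn(records):
    """Flag untrusted access to management ports and large controller egress."""
    findings = []
    for r in records:
        resp_p = int(r["id.resp_p"])
        if (r["id.resp_h"] in CONTROLLERS and resp_p in MGMT_PORTS
                and not is_trusted(r["id.orig_h"])):
            findings.append(("mgmt-port-from-untrusted", r["uid"], r["id.orig_h"], resp_p))
        # orig_bytes is "-" when Zeek could not measure it
        if (r["id.orig_h"] in CONTROLLERS and r["orig_bytes"] != "-"
                and int(r["orig_bytes"]) > LARGE_TRANSFER_BYTES):
            findings.append(("large-egress-from-controller", r["uid"],
                             r["id.resp_h"], int(r["orig_bytes"])))
    return findings


def triage_ssh(records):
    """Flag successful SSH logins to a controller from outside the trusted range."""
    findings = []
    for r in records:
        if (r["id.resp_h"] in CONTROLLERS and r["auth_success"] == "T"
                and not is_trusted(r["id.orig_h"])):
            findings.append(("ssh-to-controller-from-untrusted", r["uid"],
                             r["id.orig_h"], r["id.resp_h"]))
    return findings


if __name__ == "__main__":
    for f in triage_conn(parse_zeek(CONN_LOG)) + triage_ssh(parse_zeek(SSH_LOG)):
        print("FINDING:", *f)
```

Because controllers legitimately talk to each other, the SSH rule will also fire on sanctioned controller-to-controller sessions; keep those as findings to review rather than suppressing them, since that traffic is exactly what UAT-8616 used for lateral movement.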
Long-Term Recommendations
1. Network Segmentation
Ensure SD-WAN management interfaces are not accessible from the internet or untrusted networks:
```text
# ACL on management interface (10.20.1.1 is the controller's management address)
ip access-list extended SD-WAN-MGMT
 permit tcp 10.0.0.0 0.255.255.255 host 10.20.1.1 eq 8443
 permit tcp 10.0.0.0 0.255.255.255 host 10.20.1.1 eq 830
 deny ip any host 10.20.1.1
```
2. Multi-Factor Authentication
Enable MFA for all SD-WAN management access — console, web UI, and API.
3. Continuous Monitoring
Deploy network detection and response (NDR) tools that understand SD-WAN protocols and can detect anomalous peer additions or configuration changes.
4. Incident Response Plan
Update your IR plan to include SD-WAN compromise scenarios. Know who to call, what evidence to collect, and how to isolate affected controllers without disrupting the entire WAN.
Timeline
| Date | Event |
|------|-------|
| ~2023 | UAT-8616 begins exploiting CVE-2026-20127 |
| Feb 24, 2026 | Cisco discloses vulnerability and releases patches |
| Feb 25, 2026 | CISA issues Emergency Directive 26-03 |
| Feb 25, 2026 | Cisco Talos publishes UAT-8616 analysis |
| Feb 27, 2026 | CISA deadline for federal agencies to patch |
Frequently Asked Questions
Does this affect Cisco IOS-XE SD-WAN?
The advisory specifically targets Cisco Catalyst SD-WAN Controller and Manager (the Viptela-based platform). Check Cisco's security advisory for the complete list of affected product versions and IDs.
Can the attacker intercept my SD-WAN traffic?
Yes. By adding rogue peers to the SD-WAN fabric, an attacker can potentially intercept, modify, or redirect traffic flowing through the overlay network. This makes the vulnerability especially dangerous for organisations handling sensitive data.
We already patched — are we safe?
Patching closes the vulnerability but does NOT remove any backdoors or rogue peers installed before patching. You must also check for indicators of compromise — unknown user accounts, rogue OMP peers, and unexplained configuration changes. If you find any, engage your incident response team.
Should I take my SD-WAN offline?
Only if you have confirmed compromise and cannot isolate the affected controllers. Taking SD-WAN offline will disrupt all sites connected through the overlay. A better approach is to restrict management access to trusted IPs only and monitor closely while patching.