Three Years Undetected: The Cisco SD-WAN Zero-Day That Triggered a Five-Eyes Alert

Overview

A zero-day vulnerability in Cisco Catalyst SD-WAN controllers has been actively exploited since at least 2023, and it took the combined efforts of CISA, Cisco Talos, and all five Five-Eyes intelligence partners to bring it to light. CVE-2026-20127 allows an unauthenticated remote attacker to bypass authentication on Cisco Catalyst SD-WAN Controller (formerly vSmart) systems, gaining administrative access with a single crafted request. CISA responded by issuing Emergency Directive ED-26-03, and federal agencies have been given days to take action.

This is the second time in less than a year that actively exploited zero-days in Cisco edge technology have prompted a CISA emergency directive. For organizations running SD-WAN infrastructure, the message is clear: this is not hypothetical risk.

Technical Details

CVE-2026-20127 targets the Cisco Catalyst SD-WAN Controller, the central management plane that orchestrates routing policy, security, and configuration across an organization’s SD-WAN fabric. Successful exploitation lets an unauthenticated attacker send a crafted request to the controller and obtain administrative privileges as an internal, high-privileged, non-root user account.

But the attackers did not stop at admin access.

Cisco Talos, which tracks this activity under the designation UAT-8616, found that after gaining administrative control, the threat actor performed a deliberate software version downgrade on compromised controllers. That downgrade reverted the system to a version vulnerable to CVE-2022-20775, a previously patched privilege escalation flaw. The actor then exploited CVE-2022-20775 to escalate from admin to full root on the underlying operating system, and then restored the original software version to cover their tracks.

Douglas McKee, director of vulnerability intelligence at Rapid7, described the technique to CyberScoop: “That downgrade step shows deliberate knowledge of product versioning and patch history. This is not opportunistic scanning. This is structured tradecraft.”

The attack chain breaks down as:

1. Exploit CVE-2026-20127 to bypass authentication and gain admin access
2. Downgrade the controller software to a version vulnerable to CVE-2022-20775
3. Exploit CVE-2022-20775 for root-level privilege escalation
4. Restore the original software version to evade detection

Intelligence partners confirmed this exploitation chain had been active since at least 2023. The Five-Eyes joint threat hunting guide notes that all member nations were aware CVE-2026-20127 was identified and confirmed actively exploited in late 2025, though disclosure and patching did not come until February 2026. Neither CISA nor Cisco has publicly explained that two-month gap.

Detection Indicators

Cisco Talos published detailed forensic guidance for identifying compromise. High-fidelity indicators include:

• Unauthorized control connection peering events in SD-WAN logs, particularly vManage peering types from unrecognized IP addresses or at unexpected times
• Creation and deletion of user accounts with missing bash_history or cli-history files
• Interactive root sessions with unaccounted SSH keys (check /home/root/.ssh/authorized_keys and /home/vmanage-admin/.ssh/authorized_keys)
• Abnormally small or zero-byte log files, including syslog, wtmp, lastlog, and cli-history
• Evidence of unauthorized software version downgrades and upgrades accompanied by system reboots
• Path traversal strings in username fields (e.g., ”/../../”), indicating exploitation of CVE-2022-20775

Talos also released Snort signatures 65938 and 65958 for network-level detection.

Impact

SD-WAN controllers sit at the top of the network management hierarchy. Compromising one gives an attacker the ability to manipulate routing policy, intercept traffic, push configuration changes to edge devices, and maintain persistent access across the entire WAN fabric. Root access on that controller makes the attacker essentially invisible to standard operational monitoring.

The scope of this campaign is global. During a media briefing, Nick Andersen, CISA’s executive assistant director for cybersecurity, confirmed that attackers exploited vulnerabilities in targeted systems to access and potentially compromise federal networks. He declined to identify specific victims or say when CISA first became aware of the activity.

Talos assessed UAT-8616 with high confidence as a “highly sophisticated cyber threat actor.” Authorities refrained from formally attributing the attacks to any nation-state, though experts noted the operational patterns point in one direction. Ben Harris, founder and CEO of watchTowr, observed that the three-year dwell time showcases “the attackers’ surgical use of vulnerabilities and the highly targeted nature of their campaign.” McKee added that the operational discipline on display aligns “more closely with state-sponsored espionage tradecraft than financially motivated crime.”

CISA added both CVE-2022-20775 and CVE-2026-20127 to its Known Exploited Vulnerabilities catalog, making patching a legal requirement for federal civilian agencies.

For enterprises, the implications go beyond a single patch cycle. If your SD-WAN controllers have been running unpatched since 2023, the question is not whether to apply the update. The question is whether you have already been compromised.

Recommended Actions

CISA’s emergency directive sets the minimum bar for federal agencies. Private sector organizations should match or exceed it.

1. Inventory all Cisco Catalyst SD-WAN systems immediately. Identify every vSmart controller, vManage instance, and vBond orchestrator in your environment. Include systems that may have been decommissioned but remain network-accessible.

2. Apply Cisco’s security updates. Cisco has published patches addressing CVE-2026-20127. Follow the guidance in Cisco’s security advisory.

3. Collect and preserve logs before patching. Forensic evidence of compromise can be destroyed by patching or rebooting. Preserve syslog, wtmp, lastlog, cli-history, and bash_history files from all controllers before applying updates.

4. Hunt for evidence of compromise. Review control connection peering events for unauthorized peers. Check for signs of software version downgrades. Look for SSH keys in /home/root/.ssh/ and /home/vmanage-admin/.ssh/ that your team did not provision. The Australian Cyber Security Centre’s threat hunting guide provides detailed step-by-step procedures.

5. Implement Cisco’s hardening guide. Cisco published a dedicated hardening guide for Catalyst SD-WAN deployments. Apply it regardless of whether you find evidence of compromise.

6. Consider rebuilding compromised systems. If you find indicators of compromise, patching alone is insufficient. As watchTowr’s Ben Harris put it: “Cisco’s advice to fully rebuild and look for prior signs of intrusion should be taken seriously.”

7. Deploy network-level detection. Implement Talos Snort signatures 65938 and 65958 in your IDS/IPS infrastructure to catch exploitation attempts on the wire.

How Codex Can Help

If you are running Cisco SD-WAN infrastructure and need expert support responding to this threat, reach out to us.

• Compromise Assessment: We conduct thorough forensic reviews of SD-WAN controllers to determine whether UAT-8616 or similar actors have established a foothold in your environment.
• Incident Response: If you discover evidence of compromise, our IR team can help contain the breach, preserve evidence, and guide the rebuild process.
• Network Architecture Review: We assess SD-WAN deployments against Cisco’s hardening guide and industry best practices to reduce your exposure to edge device attacks.
• Threat Hunting: Our analysts use the Five-Eyes threat hunting guidance to proactively search for indicators of compromise across your network infrastructure.

Whether you need a quick health check or full-scale incident response, we are ready to help.