A vulnerability with a critical CVSS score, tracked as CVE-2026-20127, in Cisco Catalyst SD-WAN products has been exploited in the wild since 2023.

Five Eyes agencies today issued an urgent alert over exploitation of multiple vulnerabilities in Cisco Catalyst SD-WAN products – calling for threat hunting and for organisations to report exploitation to them.

The vulnerability above lets an unauthenticated, remote attacker bypass authentication and obtain admin privileges on an affected system.

Alarmingly, it affects all of the following:

  • On-Prem Deployment
  • Cisco Hosted SD-WAN Cloud
  • Cisco Hosted SD-WAN Cloud - Cisco Managed
  • Cisco Hosted SD-WAN Cloud - FedRAMP Environment

Organisations should perform threat hunting for evidence of compromise detailed in this Cisco SD-WAN Threat Hunt Guide – which is co-signed by the ACSC, NCSC, NSA, CISA, CCCS, and NCSC-NZ.

Strangely (?!), the guide itself doesn’t name CVE-2026-20127. That’s despite Cisco acknowledging its exploitation today (February 25) in a security update and crediting the disclosure to one of the guide’s signatories, the Australian Cyber Security Centre.

Cisco SD-WAN exploitation: Rogue peers

The agencies said “since 2023, at least one malicious cyber actor compromised Cisco SD-WANs via a previously unknown vulnerability, identified in late 2025 to be a zero-day exploit” that is now patched.

The Stack has contacted the NCSC to confirm it is referring to CVE-2026-20127.

The report also cites exploitation of, and provides IOCs for, CVE-2022-22775: a local privilege escalation (to root: gulp) bug in the same product that CISA added to its Known Exploited Vulnerabilities catalogue today.

“The actor used Network Configuration Protocol on port 830 (NETCONF) and SSH to connect to/between Cisco SD-WAN appliances within the management plane. The actor likely used the web interface of the SD-WAN manager to perform operations on the SD-WAN” – Five Eyes.

Crucially, the zero-day in question lets “a malicious cyber actor create a rogue peer joined to the network management plane, or control plane, of an organisation’s SD-WAN. The rogue device appears as a new but temporary, actor-controlled SD-WAN component that can conduct trusted actions within the management and control plane,” the agencies warned.


Cisco itself added:

All control connection peering events identified in Cisco Catalyst SD-WAN logs require manual validation to confirm their legitimacy, with a specific focus placed on vmanage peering types. Threat actors who compromise SD-WAN infrastructure often establish unauthorized peer connections that may appear superficially normal but occur at unexpected times, originate from unrecognized IP addresses, or involve device types inconsistent with the environment's architecture. A comprehensive review process is essential to distinguish between legitimate network operations and potential indicators of compromise.

NCSC’s CTO Ollie Whitehouse said: “Our new alert makes clear that organisations using Cisco Catalyst SD-WAN products should urgently investigate their exposure to network compromise and hunt for malicious activity, making use of the new threat hunting advice produced with our international partners to identify evidence of compromise.” Critically, he added: “UK organisations are strongly advised to report compromises to the NCSC, and to apply vendor updates and hardening guidance as soon as practicable to reduce the risk of exploitation.”

Among other post-exploitation techniques, the attackers were seen to use a built-in Cisco update mechanism to downgrade a vSmart controller (a name Cisco changed in 2023 to “controller”) to a version with the publicly known LPE bug cited above. They then restored it to the version it was running before – creating logs useful for Blue Teams/defenders and flagged in the “detections” section of the report. (The attacker was otherwise conscientious about defence evasion techniques and removed a wealth of forensic artifacts on the host.)
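The two hunting points above (Cisco’s advice to manually validate every control connection peering event, with a focus on vmanage peering types, and the downgrade-then-restore sequence the agencies flag as a detection opportunity) can be turned into a first-pass triage script. The following is an added example, not code from Cisco, the agencies, or the threat hunt guide. The log line format, the `10.10.0.0/16` “known peer” network and the 08:00–18:00 UTC change window are constructed assumptions for illustration and do not reflect Cisco’s real log format; a practitioner would substitute their own exported events and environment baseline.

```python
import ipaddress
import re
from datetime import datetime, time

# Constructed, simplified sample events for this example (NOT Cisco's real log format).
# Fields: timestamp event key=value ...
SAMPLE_LOG = """\
2025-11-03T02:14:07Z PEER_UP  device=vmanage-1 peer_type=vsmart peer_ip=10.10.5.2 site=100
2025-11-03T02:16:52Z PEER_UP  device=vmanage-1 peer_type=vmanage peer_ip=203.0.113.77 site=0
2025-11-03T09:30:00Z PEER_UP  device=vmanage-1 peer_type=vedge peer_ip=10.10.7.15 site=120
2025-11-04T03:01:11Z SW_VERSION device=vsmart-2 from=20.9.4 to=20.6.3
2025-11-04T03:40:45Z SW_VERSION device=vsmart-2 from=20.6.3 to=20.9.4
2025-11-05T10:00:00Z SW_VERSION device=vsmart-3 from=20.9.4 to=20.12.1
"""

# Environment baseline (assumptions for this example): where legitimate peers live
# and when planned changes are expected to happen.
KNOWN_PEER_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]
CHANGE_WINDOW_UTC = (time(8, 0), time(18, 0))

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+(?P<rest>.*)$")


def parse_events(text):
    """Parse each non-empty log line into a dict of fields; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "event": m["event"]}
        for kv in m["rest"].split():
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def in_change_window(ts):
    start, end = CHANGE_WINDOW_UTC
    return start <= ts.time() <= end


def review_peering(events):
    """Return one finding per control connection peering event that needs manual validation.

    Mirrors the three signals Cisco lists: unexpected time, unrecognised source IP,
    and peering type that warrants specific scrutiny (vmanage)."""
    findings = []
    for ev in events:
        if ev["event"] != "PEER_UP":
            continue
        reasons = []
        if not in_change_window(ev["ts"]):
            reasons.append("outside_change_window")
        peer_ip = ipaddress.ip_address(ev["peer_ip"])
        if not any(peer_ip in net for net in KNOWN_PEER_NETWORKS):
            reasons.append("unrecognised_peer_ip")
        if ev.get("peer_type") == "vmanage":
            reasons.append("vmanage_peering_requires_validation")
        if reasons:
            findings.append({"ts": ev["ts"].isoformat(), "device": ev["device"],
                             "peer_ip": ev["peer_ip"], "peer_type": ev.get("peer_type"),
                             "reasons": reasons})
    return findings


def version_key(version):
    """Turn '20.9.4' into (20, 9, 4) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def find_downgrade_restore(events):
    """Find, per device, a downgrade that is later reversed back to the original version."""
    by_device = {}
    for ev in events:
        if ev["event"] == "SW_VERSION":
            by_device.setdefault(ev["device"], []).append(ev)
    findings = []
    for device, changes in by_device.items():
        changes.sort(key=lambda e: e["ts"])
        for i, change in enumerate(changes):
            if version_key(change["to"]) >= version_key(change["from"]):
                continue  # an upgrade or no-op, not a downgrade
            for later in changes[i + 1:]:
                if later["from"] == change["to"] and later["to"] == change["from"]:
                    dwell_min = int((later["ts"] - change["ts"]).total_seconds() // 60)
                    findings.append({"device": device, "downgraded_to": change["to"],
                                     "restored_to": later["to"], "dwell_minutes": dwell_min})
                    break
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in review_peering(evs):
        print("PEERING", f)
    for f in find_downgrade_restore(evs):
        print("DOWNGRADE/RESTORE", f)
```

Run against the constructed sample, the script flags the 02:16 UTC vmanage peering from an address outside the known network on all three counts, flags the 02:14 UTC vsmart peering only for its timing, leaves the in-hours vedge peering alone, and reports one downgrade/restore cycle on vsmart-2 with roughly 39 minutes between the two version changes. Everything it emits is a prompt for the manual validation Cisco asks for, not a verdict.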

Organisations should patch up and threat hunt.

More detail to follow.

H/T to the Aussies for spotting this!
