Updated 09:00 February 26 to include further Talos threat-hunting guidance and correct a typo (CVSS 10).
A critical, CVSS 10 vulnerability in Cisco Catalyst SD-WAN products, assigned CVE-2026-20127, has been exploited in the wild since 2023.
Five Eyes agencies today (February 25) issued an urgent alert over exploitation of multiple vulnerabilities in Cisco Catalyst SD-WAN products, calling on organisations to threat hunt and to report any exploitation to them.
The vulnerability lets an unauthenticated, remote attacker bypass authentication and obtain administrative privileges on an affected system. Attackers are chaining it with a previously reported elevation-of-privilege (EOP) bug to get root.
Alarmingly, it affects all of the following:
- On-Prem Deployment
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud - Cisco Managed
- Cisco Hosted SD-WAN Cloud - FedRAMP Environment
Organisations should perform threat hunting for evidence of compromise detailed in this Cisco SD-WAN Threat Hunt Guide – which is co-signed by the ACSC, NCSC, NSA, CISA, CCCS, and NCSC-NZ.
Strangely, the guide itself doesn’t name CVE-2026-20127. That’s despite Cisco acknowledging its exploitation today (February 25) in a security update and crediting disclosure to one of the guide’s signatories, the Australian Cyber Security Centre.
Cisco SD-WAN exploitation: Rogue peers
The agencies said “since 2023, at least one malicious cyber actor compromised Cisco SD-WANs via a previously unknown vulnerability, identified in late 2025 to be a zero-day exploit” that is now patched.
The Stack has contacted the NCSC to confirm it is referring to CVE-2026-20127.
The report also cites exploitation of CVE-2022-22775 and provides IOCs for it: a local privilege escalation (to root, gulp) bug in the same product that CISA added to its Known Exploited Vulnerabilities catalogue today.
“The actor used Network Configuration Protocol on port 830 (NETCONF) and SSH to connect to/between Cisco SD-WAN appliances within the management plane. The actor likely used the web interface of the SD-WAN manager to perform operations on the SD-WAN.” – Five Eyes
Crucially, the zero-day in question lets “a malicious cyber actor create a rogue peer joined to the network management plane, or control plane, of an organisation’s SD-WAN. The rogue device appears as a new but temporary, actor-controlled SD-WAN component that can conduct trusted actions within the management and control plane,” the agencies warned.
Cisco itself added:
All control connection peering events identified in Cisco Catalyst SD-WAN logs require manual validation to confirm their legitimacy, with a specific focus placed on vmanage peering types. Threat actors who compromise SD-WAN infrastructure often establish unauthorized peer connections that may appear superficially normal but occur at unexpected times, originate from unrecognized IP addresses, or involve device types inconsistent with the environment's architecture. A comprehensive review process is essential to distinguish between legitimate network operations and potential indicators of compromise.
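As an added example (not Cisco’s code or the agencies’), here is how that manual review of peering events might be encoded as a first-pass triage in Python. The PeerEvent fields, the inventory constants and the sample events are constructed assumptions: Cisco’s control-connection history is exported in its own format and would need mapping into PeerEvent first. It flags every vmanage peering for manual validation, as Cisco asks, and additionally tests for the “new but temporary” behaviour the agencies describe by pairing each join with a drop shortly afterwards.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PeerEvent:
    """One control-connection peering event. Field names are an assumption, not Cisco's schema."""
    ts: datetime
    state: str        # "up" when the control connection forms, "down" when it drops
    peer_type: str    # vmanage / vsmart / vbond / vedge, as the peer presents itself
    system_ip: str    # the peer's SD-WAN system-ip
    public_ip: str    # transport address the connection arrived from


# Constructed inventory (assumption): what the operator's own records say should exist.
KNOWN_SYSTEM_IPS = {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.1.1.1"}
EXPECTED_PEER_TYPES = {"vmanage", "vsmart", "vbond", "vedge"}
MANAGEMENT_PREFIXES = [ip_network("203.0.113.0/24")]   # where controllers should be reached from
CHANGE_WINDOW = (time(1, 0), time(5, 0))               # agreed maintenance window
SHORT_LIVED = timedelta(hours=2)                       # a peer that joins and leaves this fast is suspect


def review_peering(events, known_ips=KNOWN_SYSTEM_IPS, expected_types=EXPECTED_PEER_TYPES,
                   mgmt_prefixes=MANAGEMENT_PREFIXES, window=CHANGE_WINDOW, short_lived=SHORT_LIVED):
    """Return {(system_ip, ts_iso): [reasons]} for every peering 'up' event a human must validate."""
    findings = {}
    ups = sorted((e for e in events if e.state == "up"), key=lambda e: e.ts)
    downs = [e for e in events if e.state == "down"]
    for e in ups:
        reasons = []
        if e.peer_type == "vmanage":                      # Cisco: always validate vmanage peering manually
            reasons.append("vmanage peering type: validate manually")
        if e.system_ip not in known_ips:
            reasons.append("system-ip not in inventory")
        if e.peer_type not in expected_types:
            reasons.append(f"unexpected device type {e.peer_type}")
        if not any(ip_address(e.public_ip) in net for net in mgmt_prefixes):
            reasons.append("source address outside management ranges")
        if not (window[0] <= e.ts.time() <= window[1]):
            reasons.append("outside change window")
        # "new but temporary": the same peer dropping again shortly after it joined
        for d in downs:
            if d.system_ip == e.system_ip and timedelta(0) <= d.ts - e.ts <= short_lived:
                reasons.append(f"peer dropped after {d.ts - e.ts}")
                break
        if reasons:
            findings[(e.system_ip, e.ts.isoformat())] = reasons
    return findings


# Constructed sample events (assumption; not captured logs). The third/fourth pair is the rogue peer.
SAMPLE_EVENTS = [
    PeerEvent(datetime(2026, 2, 20, 2, 10), "up", "vsmart", "10.0.0.2", "203.0.113.12"),
    PeerEvent(datetime(2026, 2, 20, 2, 15), "up", "vmanage", "10.0.0.1", "203.0.113.10"),
    PeerEvent(datetime(2026, 2, 21, 14, 12), "up", "vedge", "10.9.9.9", "198.51.100.7"),
    PeerEvent(datetime(2026, 2, 21, 14, 40), "down", "vedge", "10.9.9.9", "198.51.100.7"),
]

if __name__ == "__main__":
    for (sys_ip, ts), reasons in review_peering(SAMPLE_EVENTS).items():
        print(f"{ts} {sys_ip}: " + "; ".join(reasons))
```

The legitimate vsmart peering inside the window from a known address produces nothing; the vmanage peering is surfaced solely because of its type; the rogue vedge accumulates four reasons, the last being the join-then-drop pattern. Treat the output as a worklist for the manual validation Cisco describes, not as a verdict.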
NCSC’s CTO Ollie Whitehouse said: “Our new alert makes clear that organisations using Cisco Catalyst SD-WAN products should urgently investigate their exposure to network compromise and hunt for malicious activity, making use of the new threat hunting advice produced with our international partners to identify evidence of compromise.” Critically, he added: “UK organisations are strongly advised to report compromises to the NCSC, and to apply vendor updates and hardening guidance as soon as practicable to reduce the risk of exploitation.”
Among other post-exploitation techniques, the attackers were seen using a built-in Cisco update mechanism to downgrade a vSmart controller (a component Cisco renamed “Controller” in 2023) to a version carrying the publicly known LPE bug cited above. They then restored it to the version it had been running before, creating logs useful to defenders that are flagged in the “detections” section of the report. (The attacker was otherwise conscientious about defence evasion and removed a wealth of forensic artefacts from the host.)
Organisations should patch up and threat hunt.
Cisco Talos has also now published a report.
Additional Investigative Guidance
Cisco Talos said the following may be high-fidelity indicators of a successful compromise in an SD-WAN infrastructure setup:
- Creation, usage and deletion of malicious user accounts, including otherwise absent bash_history and cli-history.
- Interactive root sessions on production systems, including unaccounted SSH keys, known hosts and bash history. For example:
  - Notification: system-login-change severity-level:minor host-name:"<node_name>" system-ip:<IP> user-name:"root"
  - SSH keys in /home/root/.ssh/authorized_keys with “PermitRootLogin” set to “yes” in /etc/ssh/sshd_config
  - Known hosts in /home/root/.ssh/known_hosts
  - Unauthorized or unaccounted SSH keys (“authorized_keys”) for the “vmanage-admin” account: /home/vmanage-admin/.ssh/authorized_keys/
- Abnormally small logs, including absent or 0/1/2-byte logs.
- Evidence of log and history clearing or truncation, including:
  - syslog
  - wtmp
  - lastlog
  - cli-history
  - bash_history
  - Logs residing in /var/log/
- Presence of a cli-history file for a user without bash history.
- Indications of unexplained peers being dropped or added to the environment.
- Unexpected and unauthorized version downgrades and upgrades accompanied by a system reboot. For example (log entries):
  - Waiting for upgrade confirmation from user. Device will revert to previous software version <version> in '100' seconds unless confirmed.
  - Software upgrade not confirmed. Reverting to previous software version
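The host-level indicators above (and the downgrade-then-restore behaviour described earlier) lend themselves to a triage script run against a forensic copy or mounted image of the appliance filesystem. The following Python is an added example, not Talos’ or Cisco’s tooling: the paths for root and vmanage-admin SSH keys, sshd_config and /var/log, the root-login notification shape and the two upgrade-revert messages are taken from the Talos list; the cli-history filename (.cli-history under the user’s home directory) and the constructed sample image written by build_constructed_image are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Log strings Talos lists for an unconfirmed upgrade that reverts (see the list above).
UPGRADE_REVERT_PATTERNS = (
    "Waiting for upgrade confirmation from user",
    "Software upgrade not confirmed. Reverting to previous software version",
)
# Shape of the Talos root-login notification, as a regex over syslog text.
ROOT_LOGIN = re.compile(r'system-login-change.*user-name:"root"')
EXPECTED_LOGS = ("syslog", "wtmp", "lastlog")


def _read(path: Path) -> str:
    """Read a file as text, tolerating binary content and missing files."""
    try:
        return path.read_text(errors="replace")
    except OSError:
        return ""


def triage(root: str, cli_history_name: str = ".cli-history") -> list[str]:
    """Run the Talos host checks over a filesystem copy rooted at `root`; return findings."""
    r = Path(root)
    findings: list[str] = []

    # Interactive root access: root keys, PermitRootLogin yes, root known_hosts, admin keys.
    root_keys = r / "home/root/.ssh/authorized_keys"
    if root_keys.is_file() and root_keys.stat().st_size > 0:
        findings.append("root authorized_keys present")
    if re.search(r"^\s*PermitRootLogin\s+yes\b", _read(r / "etc/ssh/sshd_config"), re.M):
        findings.append("PermitRootLogin yes in sshd_config")
    if (r / "home/root/.ssh/known_hosts").is_file():
        findings.append("root known_hosts present (outbound SSH from root)")
    if _read(r / "home/vmanage-admin/.ssh/authorized_keys").strip():
        findings.append("vmanage-admin authorized_keys present: validate each key")

    # Log tampering: expected logs missing, or any log truncated to 0/1/2 bytes.
    log_dir = r / "var/log"
    log_files = [p for p in log_dir.rglob("*") if p.is_file()] if log_dir.is_dir() else []
    for name in EXPECTED_LOGS:
        if not (log_dir / name).exists():
            findings.append(f"expected log missing: {name}")
    for p in log_files:
        if p.stat().st_size <= 2:
            findings.append(f"abnormally small log ({p.stat().st_size} bytes): {p.relative_to(log_dir)}")

    # History mismatch: a cli-history file for a user with no bash history (filename is an assumption).
    home = r / "home"
    for user_dir in (sorted(home.iterdir()) if home.is_dir() else []):
        if (user_dir / cli_history_name).is_file() and not (user_dir / ".bash_history").is_file():
            findings.append(f"cli-history without bash_history: {user_dir.name}")

    # Log content: interactive root logins and unconfirmed-upgrade reverts.
    for p in log_files:
        text = _read(p)
        if ROOT_LOGIN.search(text):
            findings.append(f"root login notification in {p.relative_to(log_dir)}")
        for pat in UPGRADE_REVERT_PATTERNS:
            if pat in text:
                findings.append(f"upgrade revert message in {p.relative_to(log_dir)}: {pat}")
    return findings


def build_constructed_image(dest: str) -> None:
    """Write a CONSTRUCTED filesystem copy that looks tampered with; none of this is real evidence."""
    d = Path(dest)
    (d / "home/root/.ssh").mkdir(parents=True)
    (d / "home/root/.ssh/authorized_keys").write_text("ssh-ed25519 AAAAC3...constructed attacker@rogue\n")
    (d / "home/root/.ssh/known_hosts").write_text("198.51.100.7 ssh-ed25519 AAAAC3...constructed\n")
    (d / "home/root/.cli-history").write_text("show control connections\n")  # deliberately no .bash_history
    (d / "home/vmanage-admin").mkdir()
    (d / "home/vmanage-admin/.bash_history").write_text("show running-config\n")
    (d / "etc/ssh").mkdir(parents=True)
    (d / "etc/ssh/sshd_config").write_text("#PermitRootLogin prohibit-password\nPermitRootLogin yes\n")
    (d / "var/log").mkdir(parents=True)
    (d / "var/log/wtmp").write_bytes(b"")  # truncated; lastlog is deliberately absent
    (d / "var/log/syslog").write_text(
        'Notification: system-login-change severity-level:minor host-name:"vsmart-1" '
        'system-ip:10.0.0.2 user-name:"root"\n'
        "Software upgrade not confirmed. Reverting to previous software version\n"
    )


def demo() -> list[str]:
    """Build the constructed image in a temp dir, triage it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_image(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

Run triage() against the mount point of a collected image rather than a live appliance, so that the act of investigating does not itself alter timestamps or histories; the constructed image in demo() exists only so the checks can be exercised offline. Every hit is a lead for the manual validation Talos and Cisco call for, not a conclusion.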
- Five Eyes report here.
- Cisco advisory here.
- Talos guidance here.
H/T to the Aussies for spotting this!