Cisco has issued a security advisory warning that a critical authentication bypass vulnerability in its Catalyst SD-WAN platform is being actively exploited in zero-day attacks.
The flaw, tracked as CVE-2026-20127, impacts Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in both on-premises and SD-WAN Cloud deployments.
The vulnerability stems from an error in the platform's authentication mechanism. A remote, unauthenticated attacker could use the flaw to bypass authentication and gain access to the NETCONF management interface, which would then allow them to manipulate the network configuration of the SD-WAN fabric.
Cisco Catalyst SD-WAN is a networking solution used to connect branch offices, data centers, and cloud environments through centralized management and encrypted communications. By compromising controllers, attackers could add malicious rogue peers to targeted networks, potentially gaining persistent access and control over network traffic.
In a separate advisory, Cisco's Talos threat-hunting team said the flaw has been exploited in the wild since at least 2023, a date supported by its telemetry. The activity is tracked under the cluster name "UAT-8616," and Talos assesses with high confidence that the campaign was conducted by a highly sophisticated threat actor.
Intelligence partners reported that the attackers likely escalated privileges to root by downgrading devices to an older software release and exploiting an improper access control issue (CVE-2022-20775), then restoring the original software version afterwards.
Cybersecurity agencies from the Five Eyes intelligence alliance have also issued security advisories warning of real-world exploitation of both CVE-2026-20127 and CVE-2022-20775, urging organizations to apply patches and review systems for signs of unauthorized access.
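The downgrade-then-restore sequence described above leaves a distinctive trace in a device's software-version history, so a simple check for it is one concrete way to follow the agencies' advice to review systems for signs of unauthorized access. The following is an added example, not code from Cisco, Talos or the advisories: it assumes a hypothetical CSV export of version-change events (the column names and the sample rows are constructed, not a real Cisco log schema) and flags any device that was downgraded and then brought back to a version at least as new as the original within a configurable window.

```python
"""Flag the downgrade-then-restore pattern in SD-WAN device version history.

Added example (not Cisco's or Talos' code). Input is a hypothetical CSV
export of version-change events with columns timestamp, device,
old_version, new_version; that schema is an assumption for illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry):
#   edge-01: downgraded, then restored ~2.5 h later -> the suspicious pattern
#   edge-02: a normal upgrade -> ignored
#   edge-03: downgraded and left there -> still worth a look, but no restore
SAMPLE_CSV = """timestamp,device,old_version,new_version
2025-11-02T01:14:00,edge-01,20.12.4,20.6.3
2025-11-02T03:40:00,edge-01,20.6.3,20.12.4
2025-11-03T09:00:00,edge-02,20.9.5,20.12.4
2025-11-04T22:10:00,edge-03,20.12.4,20.9.5
"""


@dataclass
class Event:
    ts: datetime
    device: str
    old_version: str
    new_version: str


def parse_version(version):
    """Turn a dotted release string such as '20.12.4' into a comparable tuple.

    Compared as tuples of ints so that 20.12.4 > 20.9.5 (a plain string
    comparison would get that wrong).
    """
    return tuple(int(part) for part in version.strip().split("."))


def load_events(csv_text):
    """Parse the CSV export into Event objects sorted by device and time."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        events.append(Event(
            ts=datetime.fromisoformat(row["timestamp"]),
            device=row["device"],
            old_version=row["old_version"],
            new_version=row["new_version"],
        ))
    events.sort(key=lambda e: (e.device, e.ts))
    return events


def find_downgrade_restores(events, window=timedelta(days=7)):
    """Return one finding per downgrade event.

    A finding is marked 'downgrade_restore' when a later event on the same
    device, within `window`, moves it back to a version at least as new as
    the one it was downgraded from; otherwise it is 'downgrade_only'.
    """
    by_device = {}
    for event in events:
        by_device.setdefault(event.device, []).append(event)

    findings = []
    for device, device_events in by_device.items():
        for index, event in enumerate(device_events):
            original = parse_version(event.old_version)
            if parse_version(event.new_version) >= original:
                continue  # upgrade or no-op, not a downgrade
            restore = next(
                (later for later in device_events[index + 1:]
                 if later.ts - event.ts <= window
                 and parse_version(later.new_version) >= original),
                None,
            )
            findings.append({
                "device": device,
                "downgraded_at": event.ts,
                "from_version": event.old_version,
                "to_version": event.new_version,
                "pattern": "downgrade_restore" if restore else "downgrade_only",
                "restored_at": restore.ts if restore else None,
                "restored_within": (restore.ts - event.ts) if restore else None,
            })
    return findings


if __name__ == "__main__":
    for finding in find_downgrade_restores(load_events(SAMPLE_CSV)):
        print(finding)
```

The window is deliberately generous: the point is to surface every downgrade for a human to review, and a device that was downgraded and never restored is still anomalous on a fleet that only ever moves forward. Feed it the real version history from your controller or inventory system in place of the constructed sample.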