Overview
- Cisco disclosed CVE-2026-20127, a CVSS 10 authentication bypass in Catalyst SD-WAN Controller and Manager that lets attackers gain admin access and manipulate NETCONF.
- Cisco Talos attributes the campaign to UAT-8616, with evidence of active exploitation since at least 2023 and privilege escalation to root via software downgrades and CVE-2022-20775.
- CISA issued Emergency Directive 26-03 and added both CVEs to the KEV catalog, requiring agencies to inventory affected systems by February 26 and apply fixes by 5 p.m. ET on February 27.
- Five Eyes agencies released joint hunt and hardening guidance highlighting high-risk indicators such as unauthorized peering events, unexpected SSH keys, log tampering, and version downgrades.
- Cisco released fixed software for supported releases, warned there are no complete workarounds, urged isolation of management interfaces from the internet, and noted some confirmed compromises may warrant full rebuilds.
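The joint hunt guidance above names four high-risk indicators (version downgrades, unexpected SSH keys, unauthorized peering events, log tampering) but no mechanism for checking them. The script below is an added example, not code from the page, Cisco, or the Five Eyes agencies: it compares a constructed "baseline" inventory of controllers against a constructed "current" snapshot and reports each indicator. The snapshot fields, hostnames, version strings, key fingerprints and peer identifiers are all assumptions chosen for illustration; a real hunt would populate them from the device's own exports and logs.

```python
"""Baseline-vs-current hunt for the indicators in the joint guidance.

All data below is constructed for the example; the Snapshot fields are an
assumed normalisation of whatever a real inventory export provides.
"""
from dataclasses import dataclass


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version such as '20.12.4' into (20, 12, 4) so that
    versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Snapshot:
    hostname: str
    version: str          # running software version
    ssh_keys: frozenset   # fingerprints of authorised SSH keys (assumed field)
    peers: frozenset      # identities seen in control-connection/peering events
    log_bytes: int        # size of the audit log on disk
    log_rotated: bool     # True if a legitimate rotation happened since baseline


# Constructed baseline taken "before" and snapshot taken "now".
BASELINE = {
    "manager-1": Snapshot("manager-1", "20.12.4",
                          frozenset({"SHA256:ops-admin-key"}),
                          frozenset({"controller-1", "validator-1"}),
                          4_000_000, False),
    "controller-1": Snapshot("controller-1", "20.12.4",
                             frozenset({"SHA256:ops-admin-key"}),
                             frozenset({"manager-1", "validator-1"}),
                             1_000_000, False),
}
CURRENT = {
    # manager-1 shows every indicator: older version, an extra key,
    # a peer nobody provisioned, and a log that shrank without rotation.
    "manager-1": Snapshot("manager-1", "20.9.3",
                          frozenset({"SHA256:ops-admin-key", "SHA256:unknown-key"}),
                          frozenset({"controller-1", "validator-1", "198.51.100.7"}),
                          250_000, False),
    # controller-1 is unchanged apart from normal log growth.
    "controller-1": Snapshot("controller-1", "20.12.4",
                             frozenset({"SHA256:ops-admin-key"}),
                             frozenset({"manager-1", "validator-1"}),
                             1_100_000, False),
}


def find_downgrades(baseline: dict, current: dict) -> list[str]:
    """Hosts whose running version is numerically older than the baseline."""
    hits = []
    for host, now in current.items():
        then = baseline.get(host)
        if then and parse_version(now.version) < parse_version(then.version):
            hits.append(f"{host}: {then.version} -> {now.version}")
    return hits


def find_new_ssh_keys(baseline: dict, current: dict) -> dict[str, set[str]]:
    """Authorised-key fingerprints present now that were absent at baseline."""
    hits = {}
    for host, now in current.items():
        then = baseline.get(host)
        added = set(now.ssh_keys - then.ssh_keys) if then else set(now.ssh_keys)
        if added:
            hits[host] = added
    return hits


def find_unexpected_peers(baseline: dict, current: dict) -> dict[str, set[str]]:
    """Peering identities seen now that were not in the provisioned baseline."""
    hits = {}
    for host, now in current.items():
        then = baseline.get(host)
        added = set(now.peers - then.peers) if then else set(now.peers)
        if added:
            hits[host] = added
    return hits


def find_log_shrinkage(baseline: dict, current: dict) -> list[str]:
    """Audit logs that got smaller without a recorded rotation: a crude but
    useful tamper signal, since logs should only grow between rotations."""
    return [host for host, now in current.items()
            if host in baseline
            and now.log_bytes < baseline[host].log_bytes
            and not now.log_rotated]


def hunt(baseline: dict, current: dict) -> dict[str, object]:
    """Run every check and return one report keyed by indicator name."""
    return {
        "version_downgrade": find_downgrades(baseline, current),
        "unexpected_ssh_keys": find_new_ssh_keys(baseline, current),
        "unauthorized_peering": find_unexpected_peers(baseline, current),
        "log_tampering": find_log_shrinkage(baseline, current),
    }


if __name__ == "__main__":
    for indicator, findings in hunt(BASELINE, CURRENT).items():
        print(f"{indicator}: {findings or 'none'}")
```

The point of the baseline comparison is that each of these indicators is only meaningful relative to a known-good state: a version string or an SSH key is not suspicious on its own, but a version that moved backwards, a key nobody provisioned, or a log that lost bytes without rotating is. Any host that trips the downgrade or log-tampering check is a candidate for the full rebuild Cisco mentions rather than a patch-in-place.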