Particle.news

Cisco SD‑WAN Zero‑Day Spurs Emergency Directive as Exploitation Traced Back to 2023

Attackers gained administrative access by abusing broken peering checks on exposed controllers, driving urgent hunts for stealthy persistence.

Overview

  • Cisco disclosed CVE-2026-20127, a CVSS 10.0 authentication-bypass affecting Catalyst SD‑WAN Controller and Manager, enabling unauthenticated administrative access via crafted requests.
  • Cisco Talos and allied agencies say activity tied to cluster UAT-8616 has exploited the flaw since at least 2023, with attackers adding rogue peers to SD‑WAN control planes.
  • Investigators report privilege escalation to root via a software downgrade that enables exploitation of legacy CLI bug CVE-2022-20775, followed by restoring the original version to obscure traces.
  • CISA issued Emergency Directive 26-03 with near‑term deadlines to inventory affected systems, collect forensic artifacts, apply fixed releases, and hunt for compromise, and it added both CVEs to the KEV catalog.
  • Cisco released patched versions (including 20.12.6.1, 20.12.5.3, 20.15.4.2, 20.18.2.1 and 20.9.8.2) and says no full workarounds exist, while Five Eyes hunt guides urge checks for unauthorized peering events, unexpected SSH keys and log tampering, and warn that a fresh install may be needed if root access is suspected.