For three years, a critical flaw sat inside Cisco’s Catalyst SD-WAN products unnoticed. Hackers found it first. Cisco confirmed that attackers exploited the bug, tracked as CVE-2026-20127, to bypass authentication, gain privileged access, and quietly steal data.
The discovery prompted a rare joint warning from authorities in the US, UK, Australia, Canada, and New Zealand. Worse, intruders chained the flaw with an older vulnerability to escalate to root, create persistent accounts, and cover their tracks. No group has claimed responsibility, but investigators say the activity points to a single, unidentified actor now labeled UAT-8616.
Technical details of the incident

The vulnerability tagged CVE-2026-20127 carries a critical CVSS base score of 10.0 and an impact score of 6.0, which demands prompt action. Successful exploitation lets an attacker steal data from the controller and launch further attacks from it. According to a Talos report, attackers exploited the bug in Catalyst SD-WAN products to bypass authentication remotely.
To obtain administrative privileges, an attacker sends crafted requests to a vulnerable controller. Doing so elevates the attacker to an internal, highly privileged, non-root account, the report noted. This initial access did not by itself grant root.
However, an investigation drawing on third-party intelligence, published by the Australian government, found that attackers later obtained root. They did so through the controller’s built-in update mechanism, which they used to downgrade the controller to an older release that was still affected by a second vulnerability, CVE-2022-20775.
CVE-2022-20775, present in that downgraded release, lets a local, authenticated non-root user escalate to root. Once root, the attacker created local accounts that mimicked legitimate accounts and re-exploited CVE-2026-20127, thereby securing persistent access. With persistence in place, the attacker upgraded the controller back to the version it had been running. A consequence for defenders is that the version a controller reports today says nothing about whether a vulnerable build was ever installed; only the software install and downgrade history does.
The Australian government’s report also noted that no command-and-control traffic was detected, nor any lateral movement beyond the Catalyst SD-WAN environment. Defence evasion, however, was evident: the attacker repeatedly cleared logs, shell command history, and network connection history.

Who is behind the attack?

So far, no group has claimed responsibility, and researchers have not been able to attribute the incident to a known threat group. Activity observed across the investigation did, however, share enough patterns to indicate a single actor. Because that activity cannot yet be definitively tied to a named group, it has been designated UAT-8616.
How organizations should respond

According to reports from Cisco and the authorities involved, the first step for organizations running Catalyst SD-WAN is to review the controllers’ system logs. As the Australian government’s report stresses, those logs must be forwarded off the appliance to a separate collector, so that an attacker with access to the controller cannot simply clear them. Organizations are also advised to place controllers behind a firewall with strict IP-based filtering of who may reach them.
For detection and mitigation guidance, organizations should consult the reports from Cisco Talos, the joint Cybersecurity Advisory issued by the NSA and partner agencies, and the Australian government’s report. Organizations in the UK, Canada, and New Zealand should also review the publications issued by their respective national authorities.
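The chain described above (version downgrade, lookalike local accounts, restore of the original version, clearing of logs and history) leaves artefacts in the audit trail that survive only if the logs have already been shipped off the appliance. The following Python script is an added example written for this article, not code from Cisco, Talos or any of the advisories. It correlates those artefacts over a constructed, generic key=value audit stream: the event names (SOFTWARE_INSTALL, USER_CREATE, SHELL_CMD), the hostnames, version numbers and account names are all placeholders chosen for illustration, with no relation to real affected releases, and parse_event() would need to be adapted to the real log source.

```python
"""
Correlate off-box controller audit events for the artefact pattern discussed above:
a version downgrade later reversed, creation of lookalike local accounts, and
clearing of logs or shell/connection history.

Log format, event names and sample data are CONSTRUCTED for this example; they are
not Cisco's syslog format. Adapt parse_event() to the real collector's format.
"""
import re
from datetime import datetime

# Constructed sample stream: downgrade, lookalike account, restore, log clearing.
# Version strings are placeholders and do not refer to real affected releases.
SAMPLE_LOG = """\
2026-01-10T02:14:03Z vmanage01 SOFTWARE_INSTALL user=vmanage-admin from=20.9.4 to=20.6.5
2026-01-10T02:31:17Z vmanage01 USER_CREATE user=vmanage-admin account=netadmin1 privilege=root
2026-01-10T02:32:40Z vmanage01 USER_CREATE user=vmanage-admin account=svc_backup privilege=root
2026-01-10T02:41:09Z vmanage01 SOFTWARE_INSTALL user=netadmin1 from=20.6.5 to=20.9.4
2026-01-10T02:45:22Z vmanage01 SHELL_CMD user=netadmin1 cmd="clear logging"
2026-01-10T02:45:30Z vmanage01 SHELL_CMD user=netadmin1 cmd="history -c"
2026-01-11T09:00:00Z vmanage01 SOFTWARE_INSTALL user=vmanage-admin from=20.9.4 to=20.9.5
"""

# Hypothetical inventory of legitimate local accounts on the controller.
KNOWN_ACCOUNTS = {"vmanage-admin", "netadmin", "admin"}
# Commands that wipe logs or history; extend to match the platform's own commands.
CLEAR_PATTERNS = re.compile(r"clear\s+(logging|log|history)|history\s+-c|rm\s+.*\.log", re.I)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one audit line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, etype, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "type": etype, **fields}


def version_tuple(v):
    """'20.9.4' -> (20, 9, 4) so releases compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def levenshtein(a, b):
    """Edit distance, used to spot account names that mimic legitimate ones."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def detect(log_text, known_accounts=KNOWN_ACCOUNTS):
    """Return findings (kind, ts, detail) in log order for the artefacts above."""
    findings = []
    pending = []  # downgrades whose original version has not yet been reinstalled
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        if ev["type"] == "SOFTWARE_INSTALL":
            src, dst = ev["from"], ev["to"]
            if version_tuple(dst) < version_tuple(src):
                pending.append((ev["ts"], src))
                findings.append({"kind": "downgrade", "ts": ev["ts"],
                                 "detail": f"{src} -> {dst} by {ev['user']}"})
            else:
                # An upgrade back to the pre-downgrade version is the restore step.
                for d_ts, orig in list(pending):
                    if dst == orig:
                        mins = (ev["ts"] - d_ts).total_seconds() / 60
                        findings.append({"kind": "restore_after_downgrade", "ts": ev["ts"],
                                         "detail": f"back to {orig} {mins:.0f} min after downgrade"})
                        pending.remove((d_ts, orig))
        elif ev["type"] == "USER_CREATE":
            name = ev["account"]
            if name not in known_accounts:
                near = sorted(k for k in known_accounts if 0 < levenshtein(name, k) <= 2)
                kind = "lookalike_account" if near else "new_account"
                findings.append({"kind": kind, "ts": ev["ts"],
                                 "detail": f"{name} (privilege={ev.get('privilege')}, resembles={near})"})
        elif ev["type"] == "SHELL_CMD" and CLEAR_PATTERNS.search(ev.get("cmd", "")):
            findings.append({"kind": "log_clearing", "ts": ev["ts"],
                             "detail": f"{ev['user']}: {ev['cmd']}"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["ts"].isoformat(), f["kind"], f["detail"])
```

Run against the sample, the script reports the downgrade, the lookalike account netadmin1 (edit distance 1 from netadmin), the unexpected svc_backup account, the restore 27 minutes after the downgrade, and two log-clearing commands; the routine upgrade on the following day produces nothing. The point of the design is that the downgrade-then-restore pair is only visible in the install history, and the clearing commands are only visible because the events were already on a collector the attacker could not reach.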