Ravie Lakshmanan | Feb 26, 2026 | Vulnerability / Network Security

A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has come under active exploitation in the wild as part of malicious activity that dates back to 2023.

The vulnerability, tracked as CVE-2026-20127 (CVSS score: 10.0), allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges by sending a crafted request to an affected system.

Successful exploitation of the flaw could allow the adversary to obtain elevated privileges on the system as an internal, high-privileged, non-root user account.

“This vulnerability exists because the peering authentication mechanism in an affected system is not working properly,” Cisco said in an advisory, adding the threat actor could leverage the non-root user account to access NETCONF and manipulate network configuration for the SD-WAN fabric. 

The shortcoming affects the following deployment types, irrespective of the device configuration –

  • On-Prem Deployment
  • Cisco Hosted SD-WAN Cloud
  • Cisco Hosted SD-WAN Cloud – Cisco Managed
  • Cisco Hosted SD-WAN Cloud – FedRAMP Environment

Cisco credited the Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability. The networking equipment major is tracking the exploitation and subsequent post-compromise activity under the moniker UAT-8616, describing the cluster as a “highly sophisticated cyber threat actor.”

The vulnerability has been addressed in the following versions of Cisco Catalyst SD-WAN –

  • Prior to version 20.9 – Migrate to a fixed release.
  • Version 20.9 – 20.9.8.2 (estimated release February 27, 2026)
  • Version 20.11 – 20.12.6.1
  • Version 20.12.5 – 20.12.5.3
  • Version 20.12.6 – 20.12.6.1
  • Version 20.13 – 20.15.4.2
  • Version 20.14 – 20.15.4.2
  • Version 20.15 – 20.15.4.2
  • Version 20.16 – 20.18.2.1
  • Version 20.18 – 20.18.2.1

“Cisco Catalyst SD-WAN Controller systems that are exposed to the internet and that have ports exposed to the internet are at risk of exposure to compromise,” Cisco warned.

The company has also recommended that customers audit the “/var/log/auth.log” file for entries containing “Accepted publickey for vmanage-admin” from unknown or unauthorized IP addresses. Customers are also advised to check the IP addresses in auth.log against the configured System IPs listed in the Cisco Catalyst SD-WAN Manager web UI (WebUI > Devices > System IP).
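The audit Cisco recommends can be scripted: extract every “Accepted publickey for vmanage-admin” entry from auth.log and flag any whose source address is not one of the configured System IPs. The script below is an added example, not Cisco’s code; the log lines are constructed in standard OpenSSH/syslog format, and the System IP allowlist is an assumed stand-in for the list shown in the Manager web UI.

```python
import re
from ipaddress import ip_address

# Constructed sample auth.log lines (not from any real device), in the
# standard OpenSSH/syslog format sshd writes on Linux-based hosts.
SAMPLE_AUTH_LOG = """\
Feb 25 03:14:07 vmanage sshd[2841]: Accepted publickey for vmanage-admin from 10.1.1.5 port 51234 ssh2: RSA SHA256:abc
Feb 25 03:20:11 vmanage sshd[2902]: Accepted password for admin from 192.0.2.10 port 41002 ssh2
Feb 25 04:02:45 vmanage sshd[3110]: Accepted publickey for vmanage-admin from 203.0.113.77 port 60012 ssh2: RSA SHA256:def
Feb 25 04:03:00 vmanage sshd[3111]: Failed publickey for vmanage-admin from 203.0.113.77 port 60013 ssh2
"""

# Assumed allowlist standing in for the System IPs listed in the SD-WAN
# Manager web UI (Devices > System IP); replace with the real list.
KNOWN_SYSTEM_IPS = {"10.1.1.5", "10.1.1.6"}

# Matches exactly the entry type the advisory tells customers to look for.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted publickey for vmanage-admin from (?P<ip>\S+) port \d+"
)


def find_suspicious_logins(log_text, known_ips):
    """Return (timestamp, ip) for each vmanage-admin public-key login
    whose source address is not a configured System IP."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # other users, password logins, failures: ignored here
        ip = m.group("ip")
        try:
            ip_address(ip)  # skip malformed source fields
        except ValueError:
            continue
        if ip not in known_ips:
            hits.append((m.group("ts"), ip))
    return hits


if __name__ == "__main__":
    for ts, ip in find_suspicious_logins(SAMPLE_AUTH_LOG, KNOWN_SYSTEM_IPS):
        print(f"{ts}: vmanage-admin public-key login from non-System IP {ip}")
```

A hit means an admin-level SSH session came from an address that is not a known fabric peer and warrants investigation; a clean run does not rule out compromise, since the advisory also describes rogue peers being joined to the control plane.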

According to information released by the ASD-ACSC, UAT-8616 is said to have been compromising Cisco SD-WAN deployments since 2023 by exploiting the flaw as a zero-day, which allowed it to gain elevated access.

“The vulnerability allowed a malicious cyber actor to create a rogue peer joined to the network management plane, or control plane, of an organization’s SD-WAN,” ASD-ACSC said. “The rogue device appears as a new but temporary, actor-controlled SD-WAN…


Last Update: February 26, 2026