Cisco Talos is reporting on the active exploitation of CVE-2026-20127, a critical vulnerability in Cisco Catalyst SD-WAN Controllers that allows unauthenticated remote attackers to bypass authentication and gain administrative privileges. The activity is attributed to a highly sophisticated threat actor identified as UAT-8616, whose operations have been traced back to at least 2023. The actor targets network edge devices to establish persistent footholds, particularly within critical infrastructure sectors.
Technical analysis reveals that UAT-8616 achieves root access by performing unauthorized software version downgrades to exploit older vulnerabilities, such as CVE-2022-20775. Security teams are advised to monitor for unauthorized control connection peering events, suspicious SSH key modifications, and signs of log truncation. Cisco has released specific Snort signatures and hardening guidelines to mitigate this threat and secure SD-WAN environments.