CISA added two critical Cisco Catalyst SD-WAN vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on February 25, 2026, triggering Emergency Directive 26-03 for federal agencies.These flaws pose severe risks to network management in enterprise and critical infrastructure environments. Immediate patching is essential amid confirmed active exploitation.
Vulnerability Breakdown
The KEV update spotlights flaws in Cisco Catalyst SD-WAN Controller (vSmart) and Manager (vManage), core components for secure WAN orchestration.
- CVE-2026-20127: A CVSS 10.0 authentication bypass allows unauthenticated attackers to send crafted peering requests, gaining admin access via NETCONF for config manipulation.
- CVE-2022-20775: Path traversal vulnerability enables privilege escalation to root, often chained post-auth bypass after downgrading vulnerable software.
Cisco Talos tracks attackers as UAT-8616, exploiting CVE-2026-20127 since 2023 to add rogue peers, alter configurations, and erase logs.
Attack Tactics and Impact
Adversaries exploit the auth bypass for unauthorized control-plane access, then leverage path traversal for persistence. Targets favor SD-WAN setups bridging branches to cloud services in sectors like energy and finance. Australian CERTs tipped off Cisco about the zero-day.
Common post-exploit signs include rogue SSH keys and wiped audit trails, enabling stealthy network pivots.
Detection Methods
Monitor for these indicators across SD-WAN managers:
- Unauthorized peers or SSH entries
- Suspicious config drifts, log deletions, or traversal patterns
- Anomalous control-plane traffic or new admin accounts.
Enable detailed logging and integrate with SIEM for real-time anomaly detection.
Patch and Mitigation Playbook
Prioritize these steps per Cisco advisories:
- Inventory all SD-WAN assets and verify versions against fixed releases.
- Apply patches immediately; isolate manager interfaces to trusted IPs.
- Rotate credentials, hunt for IOCs, and harden with least-privilege access.
Broader Implications
This KEV addition underscores SD-WAN’s rising attack surface as hybrid networks expand. Organizations should audit patch cycles against CISA KEV and align with NIST frameworks for vulnerability management. With exploitation dating back years, proactive threat hunting remains key to staying ahead of UAT-8616 and similar actors.
