Critical Cisco SD-WAN Bug Exploited in Zero-Day Attacks
Cisco is warning about a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127. This vulnerability has been actively exploited in zero-day attacks, allowing remote attackers to compromise controllers and add malicious rogue peers to targeted networks.
Details of the Vulnerability
This vulnerability exists because the peering authentication mechanism in an affected system does not work as intended. An attacker could exploit it by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. With that account, the attacker could access NETCONF and manipulate the network configuration of the SD-WAN fabric.
Timeline of Exploitation
Talos reports that its telemetry shows exploitation dates back to at least 2023. Intelligence partners suggest that the threat actor likely escalated to root by downgrading to an older software version, exploiting CVE-2022-20775 to gain root access, and then restoring the original firmware version.
Recommendations
Cisco and Talos urge organizations to carefully review logs on any internet-exposed Catalyst SD-WAN Controller systems for signs of unauthorized peering events and suspicious authentication activity. Admins should also look for unusually small or missing log files, which may indicate log tampering, and for software downgrades and reboots, which may indicate exploitation of CVE-2022-20775 to gain root privileges.
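One way to script the log-review steps above, as an added example that is not Cisco's or Talos's code: it scans constructed log lines (the line format, peer inventory and size floor are all assumptions, not a real Cisco format) for peering from addresses outside the expected inventory, for a software version downgrade followed by a reboot, and for log files that are missing or suspiciously small.

```python
"""Triage helper for the controller log-review steps described above.

Added example, not Cisco's or Talos's code. The log format, the peer
inventory, the version scheme and the size floor are constructed assumptions."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in a hypothetical format; the sequence mirrors the
# downgrade -> reboot -> restore pattern described in the timeline above.
SAMPLE_LOG = """\
2026-01-10T00:00:00Z ctrl: software version 20.9.4 activated
2026-01-10T01:00:00Z ctrl: peer 10.0.0.5 connected
2026-01-10T02:10:00Z ctrl: peer 203.0.113.9 connected
2026-01-10T02:15:00Z ctrl: software version 20.6.3 activated
2026-01-10T02:16:00Z ctrl: system reboot
2026-01-10T02:40:00Z ctrl: software version 20.9.4 activated
"""

KNOWN_PEERS = {"10.0.0.5", "10.0.0.6"}  # assumed inventory of expected peers

PEER_RE = re.compile(r"peer (\S+) connected")
VERSION_RE = re.compile(r"software version (\S+) activated")


def parse_version(v: str) -> Tuple[int, ...]:
    """Assumes dotted numeric versions so tuples compare in release order."""
    return tuple(int(p) for p in v.split("."))


def find_findings(log_text: str, known_peers=KNOWN_PEERS) -> List[str]:
    """Return findings in log order: unexpected peers, downgrades, reboots."""
    findings: List[str] = []
    active: Optional[Tuple[int, ...]] = None  # last activated version seen
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m and m.group(1) not in known_peers:
            findings.append(f"unexpected peer: {m.group(1)}")
        m = VERSION_RE.search(line)
        if m:
            v = parse_version(m.group(1))
            if active is not None and v < active:
                findings.append(f"software downgrade: {m.group(1)}")
            active = v
        if "reboot" in line:
            findings.append("reboot")
    return findings


def small_log_files(sizes: Dict[str, Optional[int]], min_bytes: int = 1024) -> List[str]:
    """Flag log files that are missing (size None) or below an assumed size floor."""
    return [name for name, size in sizes.items() if size is None or size < min_bytes]
```

Run against real controller logs, the regexes and the size floor have to be adapted to the actual log format and normal log volume of the deployment.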