Cisco SD-WAN Vulnerability Exploited by Hackers

Cisco SD-WAN Vulnerability Exploited by Hackers

Cisco SD-WAN Vulnerability Exploited by Hackers

A critical flaw in Cisco’s Catalyst SD-WAN products has been exploited by hackers, allowing them to bypass authentication and gain privileged access. The vulnerability, tracked as CVE-2026-20127, has a critical base score of 10.0 and an impact score of 6.0.

Technical Details of the Incident

According to a Talos report, attackers exploited the bug to remotely bypass authentication and send malicious requests to the buggy system. This allowed them to elevate to an internal, highly privileged, non-root account.

However, initial access did not grant root access. A third-party intelligence investigation by the Australian government revealed that attackers could later gain root access via the built-in update mechanism. This allowed them to downgrade the controller to a version that could exploit another vulnerability: CVE-2022-20775.

Who is Behind the Attack?

So far, no group has claimed responsibility, and researchers have been unable to attribute the incident to a specific threat group. However, certain activities observed in the investigation exhibited similar patterns, indicating a single source. This has been named UAT-8616.

How Organizations Should Respond

Organizations using the Catalyst SD-WAN should review the controller’s system logs and move their controllers behind a firewall with robust IP blocking. They should also consult reports from Cisco Talos, the NSA Joint Cybersecurity Advisory, and the Australian government for detection and mitigation.

Additionally, organizations can take the following steps:

  • Forward system logs off the appliance to avoid them being cleared by the attacker
  • Consult special publications from their respective governments for guidance
  • Keep their systems and software up to date with the latest security patches

By taking these steps, organizations can help protect themselves from this vulnerability and reduce the risk of a successful attack.

Conclusion

The exploitation of the Cisco SD-WAN vulnerability is a serious incident that highlights the importance of cybersecurity. Organizations must take immediate action to protect themselves from this vulnerability and stay vigilant against future threats.

For more information on cybersecurity and how to protect your organization, subscribe to our newsletter and stay up to date with the latest news and best practices.

Frequently Asked Questions

  1. What is the Cisco SD-WAN vulnerability? The Cisco SD-WAN vulnerability is a critical flaw in Cisco’s Catalyst SD-WAN products that allows hackers to bypass authentication and gain privileged access.
  2. How can organizations protect themselves from this vulnerability? Organizations can protect themselves by reviewing their controller’s system logs, moving their controllers behind a firewall with robust IP blocking, and consulting reports from Cisco Talos and the Australian government.
  3. What is the impact of this vulnerability? The impact of this vulnerability is critical, with a base score of 10.0 and an impact score of 6.0. It allows hackers to steal data and launch other cyberattacks.
  4. Who is behind the attack? The attack is attributed to a single, unidentified actor labeled UAT-8616.
  5. What can organizations do to stay safe? Organizations can stay safe by keeping their systems and software up to date with the latest security patches, forwarding system logs off the appliance, and consulting special publications from their respective governments for guidance.