
Cisco has disclosed a maximum-severity zero-day vulnerability affecting its core network software, which threat actors have been exploiting since 2023. The US cyber authority CISA issued an emergency directive, urging agencies to secure their systems and report any unusual activity.
Unauthenticated remote attackers can bypass authentication and obtain administrative privileges on the virtual controllers that act as a corporate SD-WAN's control room.
The maximum severity vulnerability affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager (formerly known as SD-WAN vSmart and SD-WAN vManage, respectively).
Cisco's security advisory assigns the flaw the highest possible CVSS score of 10 out of 10.
The affected software forms the management and control plane of networks spanning geographically distributed offices, and it manages the edge devices, including routers and firewalls, at those sites.
Threat actors exploit this flaw by sending crafted requests to an affected system. Successful attacks allow the intruder to log in as an internal, high-privileged, but non-root user account.
Using this account, the attacker could reach the NETCONF (Network Configuration Protocol) interface and “manipulate network configuration for the SD-WAN fabric” – rearranging how traffic flows across the corporate network by redirecting, blocking, or intercepting it.
The vulnerability affects the following deployment types:
- On-Prem Deployment
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud - Cisco Managed
- Cisco Hosted SD-WAN Cloud - FedRAMP Environment
The exploitation has already been confirmed in the wild.
“Malicious activity likely began in 2023, and organizations should scope hunting efforts accordingly,” the US Cybersecurity and Infrastructure Security Agency (CISA) said.
Cisco has released software updates that address this vulnerability, tracked as CVE-2026-20127, and warns that there are no workarounds.
“This vulnerability exists because the peering authentication mechanism in an affected system is not working properly,” Cisco said.
No public proof-of-concept (PoC) exploit has been identified yet, but once one is released, additional attackers are likely to conduct mass scanning and exploitation against vulnerable devices, Tenable warned.
CISA urges agencies to take immediate action
The US cyber watchdog CISA released an emergency directive, noting that the observed exploitation activity is linked to several Cisco vulnerabilities, including the previously unknown CVE-2026-20127, the older CVE-2022-20775, and others.
The cyberattacks necessitate “immediate action to mitigate privilege escalation, root access, and persistent threats to SD-WAN networks,” CISA said.
The agency confirms that the zero-day allows remote hackers to gain access and administrative privileges to an organization’s SD-WAN network management plane or control plane.
“The threat actor-controlled rogue device appears as a new, temporary, and legitimate SD-WAN component. The rogue device can then conduct trusted actions within the management and control planes, allowing for privilege escalation and persistence,” CISA explains.
Security experts observed the hackers moving laterally beyond the SD-WAN environment and applying defense evasion techniques, such as removing forensic artifacts from the compromised host. The hackers cleared logs, command history, network connection history, and configurations, and took steps to prevent logs from being forwarded to external collectors.
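Both behaviours CISA describes above, a rogue device that shows up as a new, temporary SD-WAN component and a compromised host that stops forwarding its logs, remain visible from a log collector the attacker cannot reach. The following Python is an added example written for this page, not code from the original article, from Cisco or from CISA. The inventory, peering events, log lines, field names and message texts are constructed for illustration and are assumptions rather than Cisco's actual formats.

```python
"""Two hunt checks for an SD-WAN control plane (added example, not Cisco/CISA code).

Check 1: flag control-connection peers whose identity is not in the known
         inventory, and note how long each one lived (a rogue component is
         expected to be temporary).
Check 2: flag hosts whose stream to the external collector goes silent, which
         is what cleared logs plus stopped forwarding look like from outside,
         and keep the last messages seen before the silence for triage.
All data below is constructed for this example; the field names and message
texts are assumptions, not Cisco's real formats.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


def utc(s):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed inventory (assumption): chassis identity -> expected role.
KNOWN_CHASSIS = {
    "C8K-VMANAGE-0001": "vmanage",
    "C8K-VSMART-0001": "vsmart",
    "C8K-VBOND-0001": "vbond",
}


@dataclass(frozen=True)
class PeerEvent:
    ts: datetime
    action: str     # "up" or "down"
    chassis: str    # identity the peer presented when it joined
    system_ip: str
    role: str       # role the peer claimed


# Constructed control-connection events (assumption).
PEER_EVENTS = [
    PeerEvent(utc("2026-02-20T09:00:00Z"), "up", "C8K-VSMART-0001", "10.0.0.2", "vsmart"),
    PeerEvent(utc("2026-02-20T09:00:00Z"), "up", "C8K-VBOND-0001", "10.0.0.3", "vbond"),
    PeerEvent(utc("2026-02-20T10:12:00Z"), "up", "C8K-VSMART-7731", "10.0.0.44", "vsmart"),
    PeerEvent(utc("2026-02-20T10:41:00Z"), "down", "C8K-VSMART-7731", "10.0.0.44", "vsmart"),
]


def find_rogue_peers(events, known=KNOWN_CHASSIS, short=timedelta(hours=2)):
    """Return (chassis, system_ip, role, lifetime, short_lived) for every peer
    whose identity is absent from the inventory. lifetime is None when the
    peer is still connected (no 'down' event seen)."""
    open_peers, findings = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.chassis in known:
            continue
        key = (ev.chassis, ev.system_ip)
        if ev.action == "up":
            open_peers[key] = ev
        elif ev.action == "down" and key in open_peers:
            life = ev.ts - open_peers.pop(key).ts
            findings.append((ev.chassis, ev.system_ip, ev.role, life, life < short))
    for (chassis, ip), ev in open_peers.items():
        findings.append((chassis, ip, ev.role, None, False))
    return findings


# Constructed collector records, "<timestamp> <host> <message>" (assumption).
LOG_LINES = """\
2026-02-20T10:00:00Z vmanage-01 sshd: session opened for user admin from 10.1.1.5
2026-02-20T10:05:00Z vmanage-01 confd: NETCONF session started for user admin
2026-02-20T10:06:00Z vmanage-01 shell: history -c
2026-02-20T10:00:00Z vsmart-01 confd: control connection up with 10.0.0.3
2026-02-20T10:15:00Z vsmart-01 confd: policy refresh complete
2026-02-20T10:30:00Z vsmart-01 confd: policy refresh complete
2026-02-20T10:45:00Z vsmart-01 confd: policy refresh complete
2026-02-20T11:00:00Z vsmart-01 confd: policy refresh complete
"""
NOW = utc("2026-02-20T11:00:00Z")  # constructed wall clock at hunt time
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.+)$")


def parse_lines(text):
    """Turn collector text into (timestamp, host, message) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((utc(m["ts"]), m["host"], m["msg"]))
    return records


def find_silent_hosts(records, now, max_gap=timedelta(minutes=30), tail=2):
    """Map host -> (silence_start, gap, last_messages) for every host whose
    stream has a gap longer than max_gap, including the gap up to `now`."""
    by_host = {}
    for ts, host, msg in sorted(records):
        by_host.setdefault(host, []).append((ts, msg))
    findings = {}
    for host, msgs in by_host.items():
        stamps = [t for t, _ in msgs] + [now]
        for i in range(len(stamps) - 1):
            gap = stamps[i + 1] - stamps[i]
            if gap > max_gap:
                last = [m for _, m in msgs[max(0, i + 1 - tail):i + 1]]
                findings[host] = (stamps[i], gap, last)
                break
    return findings


if __name__ == "__main__":
    for chassis, ip, role, life, brief in find_rogue_peers(PEER_EVENTS):
        print(f"unknown peer {chassis} ({role}) at {ip}, lifetime {life}, short-lived={brief}")
    for host, (start, gap, last) in find_silent_hosts(parse_lines(LOG_LINES), NOW).items():
        print(f"{host} silent since {start.isoformat()} ({gap}); last seen: {last}")
```

On the constructed data the first check reports one peer, C8K-VSMART-7731, that claimed the vSmart role for 29 minutes and is in no inventory, and the second reports vmanage-01 as silent for 54 minutes with a NETCONF session and a cleared shell history as its last recorded activity. The silence check only works if logs are shipped off-box before the attacker can clear them, which is why the directive's external collection requirement matters.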
CISA’s order obliges federal agencies to hunt for evidence of compromise.
“Organizations that identify root account compromises must deploy fresh vManage, vSmart, and vBond from patched OVA or QCOW2 images, migrating edges to the new infrastructure, with new administrator accounts with unique credentials,” CISA said.
“CISA encourages all organizations to report findings to CISA, especially if new malicious activity or detection methods are observed.”
The directive also requires agencies to implement hardening guidance, to report all Cisco SD-WAN systems on their networks, and to ensure that logs and forensic artifacts are collected to an external system by 11:59 PM ET on February 26th, 2026. Any detected root account compromise must be reported immediately.
Applying Cisco-provided updates on all the identified vulnerabilities must be completed by 5:00 PM ET on February 27th, 2026.
Cisco credited the Australian Signals Directorate's Australian Cyber Security Centre for reporting this vulnerability.
The tech giant urges upgrading the affected systems to a fixed software release. Cisco’s advisory also includes hardening recommendations such as restricting system access to only known hosts or blocking it altogether, protecting Cisco Catalyst SD-WAN Control Components behind a firewall, and filtering traffic to and from the systems.
Cisco also recommends disabling HTTP and any unused network services, keeping systems upgraded, changing default administrator passwords, using SSL/TLS encryption, and regularly monitoring web logs, among other things.