Cisco Catalyst SD-WAN Flaw Is Now Facing Widespread Exploitation

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • CVE-2026-20127: A recently disclosed Cisco Catalyst SD-WAN vulnerability is now being widely exploited, following its initial use in targeted zero-day attacks.
  • Global Attacks: Threat actors are actively deploying webshells on compromised systems, with a significant spike in global activity, particularly in the U.S.
  • Threat Actors: The flaw was first used by UAT-8616, but has since been adopted by numerous other attackers, escalating network security risks.

A critical vulnerability in Cisco Catalyst SD-WAN solutions, identified as CVE-2026-20127, is now being widely exploited. Security researchers report a significant escalation from targeted attacks to broad, opportunistic campaigns. Initially leveraged as a zero-day by a highly sophisticated threat actor tracked as UAT-8616, the flaw has now been weaponized by a larger pool of malicious actors. 

This development dramatically increases the attack surface and poses severe network security risks for organizations running unpatched versions of the software.

From Zero-Day to Widespread Threat

The initial zero-day exploitation of CVE-2026-20127 (CVSS score: 10.0) involved chaining it with an older vulnerability (CVE-2022-20775) to bypass authentication, escalate privileges, and achieve persistence. 

However, threat intelligence from firms like WatchTowr indicates that the activity is no longer limited to a single group. “This is no longer targeted activity that was described previously, but now internet-wide and growing,” said the WatchTowr head of proactive threat intelligence, Ryan Dewhurst.

Analysis shows exploitation attempts originating from numerous unique IP addresses, with threat actors successfully deploying webshells on compromised devices. A major spike in this activity occurred around March 4, and any exposed system should be considered compromised until verified. 

Escalating Cybersecurity Threats to Cisco Infrastructure

The widespread exploitation of the Cisco Catalyst SD-WAN vulnerability underscores the rapid lifecycle of modern flaws, from discovery to mass exploitation. Organizations are strongly urged to apply all relevant security patches immediately and conduct thorough compromise assessments.

In late February, Five Eyes Alliance agencies issued a warning on Cisco SD-WAN being actively exploited by UAT-8616. Cisco has since updated its advisories to include two additional Catalyst SD-WAN vulnerabilities (CVE-2026-20128 and CVE-2026-20122) being exploited in the wild for privilege escalation.
