Cisco SD-WAN Is Actively Exploited by UAT-8616, Five Eyes Alliance Agencies Issue Warning
- Critical Alert Issued: Intelligence agencies from the Five Eyes alliance have warned that advanced threat actors are actively exploiting vulnerabilities in Cisco SD-WAN systems.
- Targeted Vulnerabilities: The attacks focus on CVE-2026-20127 and CVE-2022-20775, allowing attackers tracked as UAT-8616 to elevate privileges and gain root access.
- Immediate Action Required: Organizations are urged to investigate potential compromise, as threat actors may have established long-term persistence in affected networks.
Cisco Catalyst Software Defined Wide Area Network (SD-WAN) solutions are actively exploited by a highly sophisticated cyber threat actor, as assessed in the latest Cisco Talos advisory. The Five Eyes intelligence alliance agencies and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued emergency directives due to significant network security risks.
CVE-2026-20127 and Exploitation Tactics
The advisory specifically flags CVE-2026-20127 and CVE-2022-20775 as the primary vectors for these attacks. This group, tracked by Cisco Talos as UAT-8616, leveraged carefully crafted requests to:
- bypass authentication,
- execute arbitrary commands,
- escalate privileges to root status on Cisco Catalyst SD-WAN Controllers.
UAT-8616's tactics include establishing unauthorized control connection peering events, introducing rogue peers into the network management plane, and performing software version downgrades to facilitate further exploitation, notably of CVE-2022-20775, before restoring the device to its original software state.
These actions effectively grant the actor persistent root-level access while minimizing detection.
Intelligence from the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) indicates that incidents involving UAT-8616 date back at least to 2023. Cisco Talos added that the actor has consistently targeted network edge devices to establish long-term footholds in high-value critical infrastructure environments.
Mitigating Network Security Risks
Successful exploitation of these Cisco SD-WAN vulnerabilities could particularly impact federal civilian executive branch networks and critical infrastructure organizations globally, CISA warned.
Mitigation steps are offered by the CISA advisory, the British National Cyber Security Centre (NCSC), and other allied agencies, which are urging organizations to immediately:
- Perform threat hunting for evidence of compromise, as detailed in the Hunt Guide, and continue hunting on an ongoing basis rather than as a one-off exercise.
- Collect artefacts from the device if you believe you have been compromised, and report it to the NCSC if you are in the U.K.
- Update to the appropriate fixed latest version of Cisco Catalyst SD-WAN Manager and Cisco Catalyst SD-WAN Controller as detailed in their respective advisories.
- Apply the Cisco Catalyst SD-WAN Hardening Guide.
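The tactics described above (a rogue peer joining the control plane, a software downgrade that is later reverted) and the threat-hunting step in the list map naturally onto inventory checks. The following Python script is an added illustration of such checks; it is not from the advisory, the Hunt Guide, or Cisco. Its record schema, vocabulary (`peer-added`, `peer-removed`), device names such as `ctrl-1`, and version strings are all constructed assumptions, so a real deployment would have to map its own configuration and version exports onto these fields.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class PeerEvent:
    """A control-plane peering change (constructed schema, not Cisco's)."""
    ts: str        # ISO-8601 UTC timestamp
    peer_id: str   # identity of the peer that joined or left
    action: str    # "peer-added" or "peer-removed"


@dataclass(frozen=True)
class VersionEvent:
    """A software-version observation for one device (constructed schema)."""
    ts: str
    device: str
    version: str   # dotted version string, e.g. "20.12.4"


@dataclass
class Downgrade:
    """One version decrease; restored_ts stays None if never brought back."""
    device: str
    downgrade_ts: str
    from_version: str
    to_version: str
    restored_ts: Optional[str] = None


def parse_ts(ts: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_version(version: str) -> Tuple[int, ...]:
    # Tuple comparison gives numeric ordering, so 20.3.1 < 20.12.4
    return tuple(int(part) for part in version.split("."))


def unexpected_peers(events: Iterable[PeerEvent], allowlist: Set[str]) -> List[PeerEvent]:
    """Peers that joined the control plane but are not in the approved inventory."""
    return [e for e in events if e.action == "peer-added" and e.peer_id not in allowlist]


def downgrades(events: Iterable[VersionEvent]) -> List[Downgrade]:
    """Every version decrease per device, annotated with when (if ever) it was reverted.

    A further drop while a downgrade is still open is not reported again; the
    window closes once the device is back at or above its pre-downgrade version.
    """
    by_device: Dict[str, List[VersionEvent]] = {}
    for e in events:
        by_device.setdefault(e.device, []).append(e)
    findings: List[Downgrade] = []
    for device, history in by_device.items():
        history.sort(key=lambda ev: parse_ts(ev.ts))
        open_finding: Optional[Downgrade] = None
        prev: Optional[VersionEvent] = None
        for e in history:
            if prev is not None:
                cur = parse_version(e.version)
                if open_finding is not None and cur >= parse_version(open_finding.from_version):
                    open_finding.restored_ts = e.ts
                    open_finding = None
                elif open_finding is None and cur < parse_version(prev.version):
                    open_finding = Downgrade(device, e.ts, prev.version, e.version)
                    findings.append(open_finding)
            prev = e
    return findings


def correlate(peers: List[PeerEvent], downs: List[Downgrade],
              window: timedelta = timedelta(hours=1)) -> List[Tuple[str, str]]:
    """Pair each unexpected peer join with any downgrade that falls inside the window."""
    pairs: List[Tuple[str, str]] = []
    for p in peers:
        t = parse_ts(p.ts)
        for d in downs:
            if abs(parse_ts(d.downgrade_ts) - t) <= window:
                pairs.append((p.peer_id, d.device))
    return pairs


# Constructed sample data: an unknown peer appears briefly while one controller is
# downgraded and then returned to its original version.
ALLOWLIST: Set[str] = {"ctrl-1", "ctrl-2", "mgr-1"}
PEER_LOG: List[PeerEvent] = [
    PeerEvent("2024-03-01T09:00:00Z", "ctrl-1", "peer-added"),
    PeerEvent("2024-03-02T02:13:00Z", "ctrl-9", "peer-added"),
    PeerEvent("2024-03-02T02:40:00Z", "ctrl-9", "peer-removed"),
]
VERSION_LOG: List[VersionEvent] = [
    VersionEvent("2024-03-01T08:00:00Z", "ctrl-1", "20.12.4"),
    VersionEvent("2024-03-02T02:15:00Z", "ctrl-1", "20.3.1"),
    VersionEvent("2024-03-02T02:38:00Z", "ctrl-1", "20.12.4"),
    VersionEvent("2024-03-01T08:00:00Z", "ctrl-2", "20.12.4"),
    VersionEvent("2024-03-05T10:00:00Z", "ctrl-2", "20.12.5"),
]


if __name__ == "__main__":
    rogue = unexpected_peers(PEER_LOG, ALLOWLIST)
    downs = downgrades(VERSION_LOG)
    for p in rogue:
        print(f"unexpected peer {p.peer_id} joined at {p.ts}")
    for d in downs:
        print(f"{d.device}: {d.from_version} -> {d.to_version} at {d.downgrade_ts}, "
              f"restored at {d.restored_ts}")
    print("correlated:", correlate(rogue, downs))
```

A downgrade that is reverted within the hour, and a peer nobody approved appearing in the same window, are hunting leads rather than proof; a legitimate rollback can look identical, so each hit should be checked against change records before the device is treated as compromised. Unreverted downgrades are reported too, since an actor may still be mid-operation when the snapshot is taken.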
Cisco has also released additional recommendations for this activity, along with software updates for Catalyst SD-WAN Manager and Catalyst SD-WAN Controller.
The Hunt Guide is released by the following authoring and co-sealing agencies:
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- Canadian Centre for Cyber Security (Cyber Centre)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- United Kingdom National Cyber Security Centre (NCSC-UK)
- United States Cybersecurity and Infrastructure Security Agency (CISA)
- United States National Security Agency (NSA)