PoC exploit surfaces for Cisco SD-WAN zero-day CVE-2026-20127 as agencies warn of active attacks


A public proof-of-concept exploit now circulates for CVE-2026-20127, a critical authentication bypass in Cisco Catalyst SD-WAN Controller and SD-WAN Manager. Cisco Talos says attackers have exploited the flaw in the wild and that the activity likely dates back to at least 2023, roughly three years before public disclosure.

Talos tracks the cluster as UAT-8616 and describes it as a highly sophisticated actor that targets high-value organizations, including critical infrastructure sectors. Successful exploitation lets an unauthenticated remote attacker bypass authentication and obtain an administrative session as a high-privileged, non-root internal account.

CISA has also added CVE-2026-20127 to its Known Exploited Vulnerabilities catalog, which signals confirmed exploitation and triggers urgent remediation expectations across U.S. federal environments.

The joint government advisory describes a pattern where threat actors exploit CVE-2026-20127, add a rogue peer to the SD-WAN environment, and then work toward root access to establish long-term persistence.

Talos reports that investigators saw evidence of privilege escalation in which the attackers downgraded the software to reintroduce an older vulnerability (CVE-2022-20775), exploited it, and then restored the original version. Because the running release looks unchanged once the restore completes, that sequence leaves few obvious signs of tampering for defenders who rely on a narrow set of logs or on version inventory alone.

Researchers also warn that public PoCs tend to raise operational risk quickly. More actors can test and weaponize the issue, especially against exposed management and control-plane components.

If you run Cisco Catalyst SD-WAN, treat this as an emergency patch and hunt event. Talos recommends immediate validation of control connection peering events and close review for unauthorized peer connections that appear at odd times or from unfamiliar IP addresses.

What CVE-2026-20127 enables

Item | What defenders should know | Why it matters
Vulnerability type | Authentication bypass in SD-WAN peering authentication | No credentials needed for initial access in affected setups
Affected products | Cisco Catalyst SD-WAN Controller and SD-WAN Manager | These systems sit at the center of SD-WAN control and management
Observed attacker goal | Rogue peering, then persistence and deeper control | A compromise can affect a large SD-WAN fabric
Exploitation status | Confirmed exploited in the wild, tracked as UAT-8616 | Agencies treat this as an active threat

High-signal behaviors to hunt for

  • Control-plane peering events you cannot explain, especially new peer relationships that do not match your documented topology.
  • Peering events that originate from unfamiliar public IP addresses or occur outside normal change windows.
  • Unexpected downgrade and upgrade cycles that coincide with reboots or operational anomalies.
  • Signs of persistence changes tied to SSH access, including newly added SSH keys and changes that enable or expand root login.

Immediate mitigation checklist

  • Patch to a fixed Cisco software release as fast as possible and verify you patched every relevant SD-WAN component, not only one node.
  • Review perimeter controls and restrict exposure of management interfaces to trusted admin networks only.
  • Centralize logging off-device to reduce the impact of local log tampering.
  • Audit control connection peering events and validate each event against known maintenance windows and approved IP ranges.
  • Run a focused compromise assessment using the joint guidance published by government partners and Cisco Talos.
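The hunting bullets above and the checklist item on auditing peering events describe the same triage: validate every control connection peering event against the documented topology, approved source ranges and maintenance windows, and flag downgrade/upgrade cycles and SSH persistence changes. The script below is an added example of that logic and is not Cisco's tooling or anything published by Talos or the agencies. It runs over a constructed, normalized JSON-lines event stream (field names such as peer_system_ip, src_ip and software_install are an assumed schema, not the native vManage or Controller log format), and the peer addresses, IP ranges, node names and version strings are all constructed sample data that say nothing about which Cisco releases are affected.

```python
"""Hunt constructed SD-WAN control-plane events for the behaviors the advisory calls out.

Added example, not Cisco's or Talos's code. The event schema, reference data and
sample log are all constructed stand-ins; map them onto what your collector exports.
"""
import ipaddress
import json
from datetime import datetime, timezone

# --- Constructed reference data (stand-ins for your real inventory) ---
KNOWN_PEERS = {"10.1.0.1", "10.1.0.2", "10.1.0.3"}               # documented peer system IPs
APPROVED_SOURCE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # approved admin/transport ranges
MAINTENANCE_WINDOWS = [                                          # approved change windows, UTC
    (datetime(2026, 2, 1, 2, 0, tzinfo=timezone.utc),
     datetime(2026, 2, 1, 4, 0, tzinfo=timezone.utc)),
]
BASELINE_VERSIONS = {"vmanage-1": "20.12.3"}  # expected running release per node (constructed numbers)

# Constructed sample events, one JSON object per line; an assumed normalized
# schema rather than Cisco's native log format.
SAMPLE_LOG = """
{"ts":"2026-02-01T02:15:00Z","event":"peer_added","peer_system_ip":"10.1.0.3","src_ip":"203.0.113.10","node":"vmanage-1"}
{"ts":"2026-02-03T23:41:12Z","event":"peer_added","peer_system_ip":"10.9.9.9","src_ip":"198.51.100.77","node":"vmanage-1"}
{"ts":"2026-02-03T23:42:05Z","event":"software_install","version":"20.6.1","node":"vmanage-1"}
{"ts":"2026-02-03T23:55:40Z","event":"software_install","version":"20.12.3","node":"vmanage-1"}
{"ts":"2026-02-04T00:01:00Z","event":"ssh_authorized_key_added","user":"svc-account","node":"vmanage-1"}
""".strip()


def parse_events(text):
    """Parse JSON-lines into dicts with a timezone-aware 'ts', sorted chronologically."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def in_maintenance_window(ts):
    """True if the timestamp falls inside an approved change window."""
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)


def source_approved(ip):
    """True if the control connection source address is inside an approved range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_SOURCE_RANGES)


def version_tuple(v):
    """Turn 'a.b.c' into a comparable tuple so a downgrade is a strict decrease."""
    return tuple(int(p) for p in v.split("."))


def hunt(events):
    """Return (rule, timestamp, node, detail) findings for the advisory's hunt bullets."""
    findings = []
    last_version = dict(BASELINE_VERSIONS)  # running release per node, updated as installs are seen
    downgraded_from = {}                    # node -> release in place before a downgrade
    for ev in events:
        kind, ts, node = ev["event"], ev["ts"], ev["node"]
        if kind == "peer_added":
            reasons = []
            if ev["peer_system_ip"] not in KNOWN_PEERS:
                reasons.append("peer not in documented topology")
            if not source_approved(ev["src_ip"]):
                reasons.append("source IP outside approved ranges")
            if not in_maintenance_window(ts):
                reasons.append("outside maintenance window")
            if reasons:
                findings.append(("suspicious_peering", ts, node, "; ".join(reasons)))
        elif kind == "software_install":
            new, prev = ev["version"], last_version.get(node)
            if prev and version_tuple(new) < version_tuple(prev):
                downgraded_from[node] = prev
                findings.append(("software_downgrade", ts, node, f"{prev} -> {new}"))
            elif node in downgraded_from and version_tuple(new) >= version_tuple(downgraded_from[node]):
                # The restore that makes the version inventory look untouched again.
                findings.append(("downgrade_upgrade_cycle", ts, node,
                                 f"restored to {new} after downgrade from {downgraded_from.pop(node)}"))
            last_version[node] = new
        elif kind == "ssh_authorized_key_added":
            findings.append(("ssh_persistence", ts, node, f"key added for user {ev['user']}"))
    return findings


if __name__ == "__main__":
    for rule, ts, node, detail in hunt(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {node} {rule}: {detail}")
```

On the sample stream the script flags the second peering event on all three counts (unknown peer, unapproved source, outside a window), the downgrade, the restore that completes the cycle, and the SSH key addition; the first peering event, which matches topology, source range and window, produces nothing. The downgrade rule only works if the baseline version comes from an inventory held off-box, which is why the checklist's point about centralized, off-device logging matters for this hunt.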

FAQ

What is CVE-2026-20127?

It is an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and SD-WAN Manager that can let an unauthenticated attacker gain administrative privileges.

Do attackers exploit it in the wild?

Yes. Cisco Talos reports active exploitation and says evidence suggests activity goes back to at least 2023.

Why does a public PoC matter?

PoCs can speed up weaponization by lowering the effort needed to test exploitation. That can increase scanning and opportunistic attacks, especially on exposed edge systems.

What should I check first if I suspect compromise?

Start with control connection peering logs and look for unauthorized or anomalous peer additions, unusual source IPs, and activity outside expected maintenance windows.

Does this affect critical infrastructure?

Talos says the actor targets high-value organizations, including critical infrastructure sectors, and the joint advisory frames the targeting as global.
