Critical Advisory: Active Exploitation of CVE-2026-20127 in Cisco Catalyst SD-WAN
Date: February 26, 2026
Subject: Authentication Bypass and Chained Root Escalation (CVE-2026-20127 & CVE-2022-20775)
Threat Actor: UAT-8616
Overview
Active exploitation of CVE-2026-20127, a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controllers (formerly vManage). Intelligence indicates that threat actor UAT-8616 has been leveraging this flaw since at least 2023 to gain administrative access and establish persistent, high-privilege footholds within target environments.
The exploitation is particularly sophisticated, involving a "downgrade-to-root" strategy where attackers chain the new vulnerability with a legacy privilege escalation flaw (CVE-2022-20775) to achieve full system compromise while evading traditional detection.
Vulnerability Analysis & Relational Context
The attack sequence observed in the wild follows a specific, multi-stage lifecycle:
- Initial Access: Attackers exploit CVE-2026-20127 to bypass authentication and gain access to a non-root high-privilege account (e.g.,
vmanage-admin). - Configuration Manipulation: Once authenticated, the actor uses NETCONF manipulation and rogue peering to alter the SD-WAN fabric's configuration.
- Firmware Downgrade: To escalate privileges, the actor performs a deliberate firmware downgrade to a version known to be vulnerable to CVE-2022-20775.
- Root Escalation: By exploiting CVE-2022-20775 on the downgraded firmware, the actor attains root-level access to the underlying Linux operating system.
- Persistence & Evasion: The actor installs unauthorized SSH keys, creates backdated accounts, and modifies
PermitRootLoginsettings. Finally, they restore the firmware to the original version to obscure the exploitation artifacts and clear system logs/bash histories.
Targeted Sectors & Organizations
The actor UAT-8616 has demonstrated a preference for high-value targets, including:
- Government & Administrations: Specifically targeting Federal Civilian Executive Branch (FCEB) agencies.
- Heavy Industries: Critical infrastructure and manufacturing.
- Information & Communication: Telecommunications and technology providers.
- Geographies: Primarily the United States and the United Kingdom.
MITRE ATT&CK TTP Mapping
The following table maps the observed behaviors of UAT-8616 to the MITRE ATT&CK framework:
| Tactics | Technique ID | Technique Name | Details |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Exploitation of CVE-2026-20127 for auth bypass. |
| Persistence | T1098 | Account Manipulation | Creation of unauthorized accounts and installation of SSH keys. |
| Persistence | T1133 | External Remote Services | Maintenance of access via unauthorized SSH/NETCONF peering. |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Use of CVE-2022-20775 to gain root access. |
| Defense Evasion | T1070 | Indicator Removal on Host | Clearing of logs, CLI histories, and firmware restoration. |
| Defense Evasion | T1495 | Firmware Modification | Deliberate firmware downgrade to re-introduce vulnerabilities. |
Indicators of Compromise (IOCs)
Security teams should monitor for the following high-fidelity indicators:
| Type | Indicator | Description |
|---|---|---|
| Log Event | Accepted publickey for vmanage-admin | SSH logins from unknown or unauthorized IP addresses. |
| Behavior | Unauthorized Peering | Unexpected control-connection peering events (rogue peers). |
| Artifact | authorized_keys | Unauthorized entries in the root or admin SSH key files. |
| Artifact | Firmware Versioning | Discrepancies in version history suggesting a downgrade/upgrade cycle. |
| Configuration | PermitRootLogin | Unauthorized changes to SSH configuration to allow root access. |
| Anomaly | Truncated Logs | Abnormally small or cleared system logs and bash_history files. |
Mitigation and Response
The vendor has announced fixes for maintained branches (with release 20.9.8.2 scheduled for late February 2026). However, several older branches (20.11, 20.13, 20.14, and 20.16) have reached end-of-maintenance and will not receive a patch.
Immediate Actions:
- Inventory & Isolate: Identify all internet-facing Catalyst SD-WAN Controllers and isolate management interfaces.
- Audit Peering: Validate all control-connection peering events against authorized maintenance windows and known public IPs.
- Off-Device Logging: Ensure all logs are forwarded to a remote Syslog/SIEM to prevent local log tampering.
- Patching: Apply vendor updates immediately. If the device belongs to an end-of-maintenance branch, migration to a supported release is mandatory.
- Root Recovery: If root compromise is confirmed (e.g., unauthorized SSH keys or
PermitRootLoginchanges), the system must be completely rebuilt.
Note: There are currently no full workarounds for CVE-2026-20127 other than upgrading to a patched software version.
Sources and Further Reading
The intelligence provided in this advisory is derived from the following authoritative threat intelligence and vulnerability records:
- Cisco Talos Intelligence: UAT-8616 Campaign Analysis: Exploiting Catalyst SD-WAN
- MITRE CVE Repository: