The Five Eyes intelligence alliance is urgently warning defenders to patch two Cisco Catalyst SD-WAN vulnerabilities used in attacks.
First discovered by the Australian Signals Directorate (ASD), all five of the alliance’s intelligence agencies co-signed the alert on Wednesday evening, confirming that hackers of unspecified origin are trying to use the SD-WAN devices for persistent access.
“Malicious cyber threat actors are targeting Cisco Catalyst SD-WAN used by organizations globally,” the UK’s NCSC said. “These actors are compromising SD-WANs to add a malicious rogue peer and then conduct a range of follow-on actions to achieve root access and maintain persistent access to the SD-WAN.”
The first of the two is CVE-2022-20775 (CVSS 7.8), a path traversal vulnerability disclosed in September 2022 affecting the SD-WAN's command line interface and allowing privilege escalation.
The second is CVE-2026-20127 (CVSS 10.0), a max-severity bug fresh off the press this week. Classed as an improper authentication flaw, the issue affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, formerly known as SD-WAN vSmart and SD-WAN vManage respectively.
The latter appears to be the biggie, not just because of the perfect 10 CVSS, but because successfully exploiting it grants hackers admin rights. Cisco said that cyberbaddies could also access NETCONF and reconfigure the SD-WAN fabric at their whim.
According to a separate report from Cisco Talos, the vendor attributed the attacks that use CVE-2026-20127 to a group it tracks as UAT-8616 and said current signals suggest it has been exploited since at least 2023.
Naturally, neither the intelligence agencies nor Cisco revealed precise details about the vulnerabilities that were reportedly exploited.
However, Talos’s report suggested that CVE-2026-20127 was exploited first to gain admin rights, before downgrading the SD-WAN’s software version using CVE-2022-20775 so that the attackers could gain root access.
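Because the chain described above depends on rolling a controller back to an older release, one cheap defender-side check is to alert whenever a device's observed software version goes backwards. The script below is an added example written for this article, not code from Cisco, Talos or the Five Eyes guide; the device names, timestamps and release strings are constructed, and it does not encode the real fixed versions for either CVE (the article does not give them).

```python
"""Flag software-version downgrades in a constructed device version history.

Added example (not from the article, Cisco or Talos): rolling a controller back
to an older release is a step in the reported attack chain, so a later inventory
observation that reports a strictly lower version than the previous one is
worth an alert. All device names, timestamps and versions below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VersionEvent:
    device: str      # hypothetical device name, constructed
    timestamp: str   # ISO-8601 text, constructed
    version: str     # dotted release string, constructed


def parse_version(v: str) -> tuple:
    """Turn '20.9.3.1' into (20, 9, 3, 1) so versions compare numerically.

    Non-numeric components (e.g. a build tag) sort below any number.
    """
    parts = []
    for piece in re.split(r"[.\-]", v.strip()):
        parts.append(int(piece) if piece.isdigit() else -1)
    return tuple(parts)


def find_downgrades(events):
    """Return (device, from_version, to_version, timestamp) for every observation
    where a device reports a lower version than its previous observation.

    Events are processed per device in timestamp order, so a later re-upgrade
    does not hide an earlier downgrade.
    """
    downgrades = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: (e.device, e.timestamp)):
        prev = last_seen.get(ev.device)
        if prev is not None and parse_version(ev.version) < parse_version(prev.version):
            downgrades.append((ev.device, prev.version, ev.version, ev.timestamp))
        last_seen[ev.device] = ev
    return downgrades


# Constructed sample history: one controller is rolled back and later upgraded
# again, a second one only ever moves forward. Not real inventory data.
SAMPLE_EVENTS = [
    VersionEvent("vsmart-lab-01", "2025-01-10T08:00:00Z", "20.12.1"),
    VersionEvent("vsmart-lab-01", "2025-01-12T02:15:00Z", "20.9.1"),     # downgrade
    VersionEvent("vsmart-lab-01", "2025-01-20T09:00:00Z", "20.12.2"),
    VersionEvent("vmanage-lab-01", "2025-01-10T08:00:00Z", "20.12.1"),
    VersionEvent("vmanage-lab-01", "2025-01-20T09:00:00Z", "20.12.3"),
]


if __name__ == "__main__":
    for device, old, new, when in find_downgrades(SAMPLE_EVENTS):
        print(f"ALERT {device}: version went {old} -> {new} at {when}")
```

Feed it whatever your inventory or management-plane audit trail already records about running software versions; an unexplained backward move on a controller or manager is the kind of event the hunt guide's search for persistence would want surfaced.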
Talos did not provide any details about who or what country might be behind UAT-8616, but described it as a “highly sophisticated cyber threat actor.”
An undisclosed number of attacks have already been carried out by exploiting the two vulnerabilities. Details about the victims remain sparse, although Talos suggested that targets were likely in high-value, sensitive sectors.
It stated: “UAT-8616’s attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors looking to establish persistent footholds into high-value organizations, including critical infrastructure sectors.”
Defenders are strongly urged to follow the Five Eyes Hunt Guide [PDF] to first find signs of compromise. If that search is positive, share the data with the relevant security authorities and upgrade to the latest version of Cisco Catalyst SD-WAN Controller/Manager.
NCSC CTO Ollie Whitehouse said: “Our new alert makes clear that organizations using Cisco Catalyst SD-WAN products should urgently investigate their exposure to network compromise and hunt for malicious activity, making use of the new threat hunting advice produced with our international partners to identify evidence of compromise.
“UK organizations are strongly advised to report compromises to the NCSC, and to apply vendor updates and hardening guidance as soon as practicable to reduce the risk of exploitation.” ®