PoC Exploit Released Cisco SD-WAN 0-Day Vulnerability Exploited in the Wild

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A public proof-of-concept (PoC) exploit has been released for CVE-2026-20127, a maximum-severity zero-day vulnerability in Cisco Catalyst SD-WAN Controller and SD-WAN Manager that has been actively exploited in the wild since at least 2023.

Cisco Talos is tracking the threat activity under the cluster UAT-8616, describing it as a “highly sophisticated cyber threat actor” targeting critical infrastructure globally.

A PoC published on GitHub by zerozenxlabs includes a working Python exploit script and a JSP webshell (cmd.jsp).

It also contains a deployable WAR file, lowering the barrier for more threat actors to weaponize this critical flaw.

How the Attack Works

The vulnerability stems from a flaw in the peering authentication mechanism of affected Cisco SD-WAN systems, which allows that authentication to be bypassed.

An unauthenticated remote attacker sends a specially crafted HTTP request to the SD-WAN Controller’s REST API, completely bypassing the login process and gaining an administrative session without any valid credentials.

Once inside, UAT-8616 followed a multi-stage attack chain:

  1. Initial access: Exploited CVE-2026-20127 to gain high-privileged, non-root admin access and added a rogue peer device to the SD-WAN management/control plane.
  2. Privilege escalation: Staged a deliberate software version downgrade to reintroduce the older CVE-2022-20775 flaw, escalating to full root access.
  3. Version restoration: Restored the system to its original software version to erase forensic evidence of the downgrade.
  4. Persistence: Added unauthorized SSH keys to /home/root/.ssh/authorized_keys, set PermitRootLogin yes in sshd_config, and modified SD-WAN startup scripts.
  5. Lateral movement: Used NETCONF (port 830) and SSH to pivot between SD-WAN appliances and manipulate the entire fabric configuration.
  6. Cover-up: Cleared syslog, bash_history, wtmp, lastlog, and logs under /var/log/.

Cisco Talos urges administrators to immediately audit control connection peering events in SD-WAN logs for unauthorized vManage peer connections, unexpected source IPs, and anomalous timestamps.

Any log entries showing rogue peer additions, SSH key modifications, or version downgrade/upgrade cycles should be treated as high-fidelity indicators of compromise.
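As an added illustration of the triage described above (example code, not from the article, Cisco or Talos), the script below scans a constructed, simplified event log for the indicators named: peer additions from unexpected sources, authorized_keys and PermitRootLogin changes, and a version downgrade later followed by a restore to the original version. The log format, event names, field names and peer allowlist are invented for the example; a real hunt would map the same logic onto the appliance's actual log schema.

```python
# Constructed, simplified log format for illustration (not Cisco's real syslog
# schema): "<ISO timestamp> <host> <EVENT> key=value ..."
SAMPLE_LOG = """\
2026-02-01T03:10:02Z vmanage1 PEER_ADDED peer=10.0.0.5 type=vmanage
2026-02-01T03:12:45Z vmanage1 PEER_ADDED peer=203.0.113.77 type=vmanage
2026-02-01T03:14:10Z vmanage1 SOFTWARE_ACTIVATE from=20.12.3 to=20.9.1
2026-02-01T03:31:05Z vmanage1 FILE_MODIFIED path=/home/root/.ssh/authorized_keys
2026-02-01T03:31:09Z vmanage1 CONFIG_CHANGE file=/etc/ssh/sshd_config setting=PermitRootLogin value=yes
2026-02-01T03:55:40Z vmanage1 SOFTWARE_ACTIVATE from=20.9.1 to=20.12.3
2026-02-01T04:00:00Z vmanage1 PEER_ADDED peer=10.0.0.6 type=vmanage
"""
KNOWN_PEERS = {"10.0.0.5", "10.0.0.6"}  # constructed allowlist of expected peers

def parse(line):
    """Split one constructed log line into (timestamp, host, event, {key: value})."""
    ts, host, event, *rest = line.split()
    return ts, host, event, dict(tok.split("=", 1) for tok in rest)

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def find_indicators(log_text, known_peers=KNOWN_PEERS):
    """Return (timestamp, description) pairs for the indicators Talos calls out:
    rogue peer additions, SSH key / sshd_config changes, and a version
    downgrade later followed by a restore to the original version."""
    findings = []
    pending_downgrade = {}  # host -> (timestamp, version before the downgrade)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event, kv = parse(line)
        if event == "PEER_ADDED" and kv["peer"] not in known_peers:
            findings.append((ts, f"rogue peer {kv['peer']} added on {host}"))
        elif event == "FILE_MODIFIED" and kv["path"].endswith("/.ssh/authorized_keys"):
            findings.append((ts, f"{kv['path']} modified on {host}"))
        elif event == "CONFIG_CHANGE" and kv.get("setting") == "PermitRootLogin":
            if kv.get("value") == "yes":
                findings.append((ts, f"PermitRootLogin yes set on {host}"))
        elif event == "SOFTWARE_ACTIVATE":
            src, dst = kv["from"], kv["to"]
            if version_tuple(dst) < version_tuple(src):
                pending_downgrade[host] = (ts, src)  # remember the version we left
            elif host in pending_downgrade and dst == pending_downgrade[host][1]:
                began, _ = pending_downgrade.pop(host)
                findings.append((ts, f"downgrade/restore cycle back to {dst} on {host} (began {began})"))
    return findings

if __name__ == "__main__":
    for ts, desc in find_indicators(SAMPLE_LOG):
        print(ts, desc)
```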

CISA has added CVE-2026-20127 to its Known Exploited Vulnerabilities (KEV) catalog and mandated urgent patching for federal agencies.

Organizations using Cisco Catalyst SD-WAN should apply patches immediately, review the security advisory, and follow the Australian Cyber Security Centre SD-WAN Threat Hunting Guide to check for compromise.
