
CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild

Mar 13, 2026

Introduction

CVE-2026-20127 is an improper authentication vulnerability impacting Cisco Catalyst SD-WAN Controller, formerly vSmart, and SD-WAN Manager, formerly vManage, components. The two solutions respectively serve as the centralized control plane and centralized management plane for software-defined wide area networks (SD-WANs). The vulnerability has a maximum Common Vulnerability Scoring System version 3.1 (CVSSv3.1) score of 10.0 due to low attack complexity, remote exploitation possibility, lack of user interaction and a high impact on confidentiality, availability and integrity.

Intel 471’s Vulnerability Intelligence team identified 2,675 exposed Cisco SD-WAN instances worldwide, but no publicly available proof of concept (PoC) or exploit was observed at the time of this report. We assess CVE-2026-20127 is more likely to be weaponized by sophisticated financially motivated and state-sponsored actors due to the unavailability of technical details about the vulnerability.

Cisco Talos disclosed that the vulnerability is under active exploitation in the wild. This activity is consistent with the trend of targeting vulnerabilities in network security and edge routing devices at the perimeter to gain initial access and establish persistence.

Overview

On Feb. 25, 2026, Cisco published a security advisory to address a critical improper authentication vulnerability tracked as CVE-2026-20127, which impacts the Catalyst SD-WAN Controller and Catalyst SD-WAN Manager products. Successful exploitation allows an attacker to log in as a highly privileged user with access to modify Network Configuration Protocol (NETCONF) configurations. With access to NETCONF, an attacker could add a rogue peer to the SD-WAN management plane or chain the CVE-2022-20775 path traversal vulnerability to escalate privileges on vulnerable instances. Cisco has observed exploitation of CVE-2026-20127 as a zero-day since 2023 and attributed the observed initial exploitation and post-compromise activity to the UAT-8616 activity cluster. This cluster was assessed as highly sophisticated, but limited information is available at the time of this report.

The same day the vulnerability was disclosed, security researchers at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) catalog and advised agencies to address the vulnerabilities within two days.

We observed 2,675 exposed Cisco SD-WAN instances as of Feb. 27, 2026.

Figure 1: The image depicts discovered internet-exposed instances of Cisco SD-WAN as of Feb. 27, 2026.

Technical analysis of CVE-2022-20775

Following exploitation of CVE-2026-20127 to obtain initial access, adversaries exploited CVE-2022-20775 to escalate privileges via a path traversal bug in the confd_cli_grp binary. Execution of this binary is controlled via the set user ID (SUID) permission, a special Unix file attribute that allows an executable to run with the file owner’s privileges rather than those of the invoking user. This mechanism is typically used when a program must perform administrative tasks requiring elevated privileges. However, it is also commonly abused by adversaries for privilege escalation.

The confd_cli_grp binary is used to establish a command-line interface (CLI) session with the confd service, a configuration management daemon responsible for enforcing authentication and access control on the device. During session initialization, user-related parameters such as the user ID (UID) and group ID (GID) are supplied and validated. These parameters, along with additional authentication metadata, are cryptographically protected using a secret key stored in the confd_ipc_secret file.

While creating the CLI session, confd_cli_grp reads a file whose path is built by concatenating a fixed directory path with the value of a username variable, as illustrated in the following pseudocode:

An adversary can manipulate the value of the username variable through environment variables such as $USER if the application relies on it without proper validation. For example, instead of a legitimate value such as “USER=admin,” the attacker may supply a crafted value containing directory traversal sequences, such as “USER=../../../../../tmp/foo.” Because the application constructs the file path through direct string concatenation without sanitizing the input, the kernel’s path resolution interprets each “../” component and steps out of the intended directory. As a result, the aforementioned function examines the following path:

Left unsanitized, this creates a path traversal condition in which the binary reads files outside the intended directory. Because the binary executes with elevated SUID privileges, this behavior may allow attackers to access or influence sensitive files, potentially leading to privilege escalation. This is the scenario proposed in the PoC code analyzed in this report and explained below:

  • The security researchers modified the USER variable to “USER=/../../../../tmp/pwn.”
  • They created a symbolic link at /tmp/pwn.external pointing to the confd_ipc_secret file to capture its contents.
  • In possession of the secret key, the session parameters were forged to those of the root account, effectively leading to local privilege escalation (LPE).
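The following is an added illustration, not the confd_cli_grp binary’s code or the PoC: it places the unsafe construction (fixed directory plus an attacker-influenced name, joined by string concatenation) beside a hardened builder that validates the name and verifies containment after resolving the path. The base directory, the account-name pattern and the “.external” suffix (inferred from the PoC’s /tmp/pwn.external link) are assumptions.

```python
import os
import re

# Assumption: a stand-in for the fixed directory the binary prepends; not the real confd path.
BASE_DIR = "/var/confd/users"
# Assumption: the shape of a legitimate account name; confd's own rules may differ.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,31}")


def vulnerable_user_file(base_dir, username):
    """The unsafe pattern described in the report: prefix + name with no validation.

    normpath() only shows where the kernel's path resolution would land; the original
    concatenation performs no normalisation at all. The ".external" suffix is assumed.
    """
    return os.path.normpath(base_dir + "/" + username + ".external")


def hardened_user_file(base_dir, username):
    """Accept only a plain account name and prove the resolved path stays under base_dir."""
    # 1. Reject anything that is not a plain account name before touching the filesystem.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejected username {username!r}")
    # 2. Resolve both sides (realpath follows symlinks) and require containment,
    #    so a link planted inside base_dir that points elsewhere is also refused.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, username + ".external"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{target!r} escapes {base!r}")
    return target


def is_safe_username(base_dir, username):
    """Boolean wrapper around hardened_user_file() for checks and tests."""
    try:
        hardened_user_file(base_dir, username)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The two USER values from the report: a legitimate one and the PoC's traversal payload.
    for name in ("admin", "/../../../../tmp/pwn"):
        print(f"USER={name!r}")
        print("  concatenation resolves to:", vulnerable_user_file(BASE_DIR, name))
        print("  hardened builder accepts:  ", is_safe_username(BASE_DIR, name))
```

With the traversal value the concatenated path collapses to /tmp/pwn.external, exactly the location the PoC pre-populates with a symbolic link; the hardened builder rejects the value at the pattern check, and the containment check remains as a second line of defense for names that pass the pattern but resolve elsewhere through a symlink.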

Underground activity, attacker behavior

We observed a threat actor share an open source article about the vulnerability; however, we assess this is likely a bot operating on a forum that regularly shares information about notable events and vulnerabilities of interest. We assess the lack of further discussion is due to the unavailability of technical details about the vulnerability. In conclusion, CVE-2026-20127 is more likely to be weaponized by sophisticated financially motivated and state-sponsored actors.

Observed post-exploitation activity

Cisco Talos and Australian Signals Directorate (ASD) investigators reported details of a successful intrusion conducted by the UAT-8616 cluster.

  • CVE-2026-20127 enabled adversaries to join a temporary rogue device to an organization’s SD-WAN network, which allowed them to interact with other devices in the SD-WAN management plane.
  • Adversaries downgraded a compromised device to a software version vulnerable to CVE-2022-20775 to conduct LPE and obtain root access. After escalating privileges, they reinstalled the original software version on the compromised device.
  • After privilege escalation, adversaries added a secure shell protocol (SSH) authorized key to maintain root access.
  • Adversaries deleted logs under the /var/log path and cleared operating system (OS) shell and SD-WAN shell user history.
  • To evade defenses, adversaries also disabled a network interface used to send syslog messages to an external server.
  • Adversaries leveraged SSH for lateral movement to other Cisco SD-WAN appliances.

The threat cluster UAT-8616’s observed initial and post-exploitation activity includes:

Assessment

CVE-2026-20127 carries a maximum CVSSv3.1 score of 10.0, reflecting the vulnerability’s remote exploitability, absence of required authentication and lack of user interaction, which collectively indicate a high and reliable potential for initial access. While underground activity remains low and no public exploit code or PoC was observed at the time of this report, these factors should not be interpreted as a reduced threat level, since a highly sophisticated threat cluster leveraged this vulnerability for about three years to obtain initial access into high-value organizations, including entities operating critical infrastructure.

The consequences of successful exploitation extend well beyond initial access. The observed intrusion demonstrates a deliberate and methodical post-exploitation chain. The actor escalated to root, established persistent access through local accounts and SSH keys and deleted the forensic artifacts generated in the various log files. We assess the likelihood of continued exploitation as medium to low given the absence of publicly available exploits and limited interest within the underground community at the time of this report.

For entities using vulnerable products, we recommend immediate prioritization for remediation with guidelines available in the “Mitigations, recommendations” and “Observed post-exploitation activity” sections of this report.

Mitigations, recommendations

Cisco released patches that address the vulnerabilities impacting SD-WAN. Intel 471 recommends the following steps to mitigate, prevent and detect exploitation of Cisco SD-WAN products:

  • Implement the Cisco Catalyst SD-WAN Hardening Guide (https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide), which presents a list of hardening measures, rules and best practices to make it harder for potential attackers to compromise SD-WAN instances.
  • Monitor Cisco SD-WAN logs for unexpected control connection peering events, as these could indicate a successful initial access attempt. Example log sample:
  • Monitor logs located at /var/log/auth.log for entries related to “Accepted public key for vmanage-admin” from unknown or unauthorized IP addresses, as these could indicate an unauthorized and successful SSH connection. Example log sample:
  • Restrict access to ports 22 (SSH) and 830 (NETCONF) to authorized IP addresses.
  • Investigate unexpected version changes or reboot events as they could be an indication of CVE-2022-20775 exploitation.
  • Inspect and review authorized SSH keys and unknown users. Check for the existence of unknown SSH keys that allow for root access at /home/root/.ssh/authorized_keys.
  • Check the USER environment variable for path traversal payloads such as “/../../../../../tmp/foo” as it could be an indication of CVE-2022-20775 exploitation.
  • Review the ASD’s threat hunting guide for Cisco SD-WAN and examine the possible malicious log samples at.
  • Monitor your environment using the “Observed post-exploitation activity” section of this report to detect potential compromise and post-exploitation tactics.
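As an added example of the auth.log and USER-variable checks recommended above (not code from Intel 471, Cisco or the ASD), the script below scans SSH login records for key-based logins of sensitive accounts from IP addresses outside an allowlist and classifies a USER value as suspicious when it carries traversal or absolute-path components. The log lines are constructed in OpenSSH’s auth.log format; the regex accepts both OpenSSH’s actual wording (“Accepted publickey”) and the report’s (“Accepted public key”). The allowlist and account names are assumptions.

```python
import re
import sys

# Constructed sample in OpenSSH auth.log format; not captured from a real device.
SAMPLE_AUTH_LOG = """\
Mar 13 10:22:01 vmanage sshd[2210]: Accepted publickey for vmanage-admin from 203.0.113.7 port 51234 ssh2: RSA SHA256:AAAA
Mar 13 10:23:14 vmanage sshd[2231]: Failed password for invalid user test from 198.51.100.9 port 40012 ssh2
Mar 13 10:25:40 vmanage sshd[2260]: Accepted publickey for vmanage-admin from 198.51.100.23 port 50220 ssh2: RSA SHA256:BBBB
Mar 13 10:31:05 vmanage sshd[2299]: Accepted publickey for root from 198.51.100.23 port 50301 ssh2: RSA SHA256:BBBB
"""

# Assumption: the management hosts from which SSH to the appliance is expected.
ALLOWED_IPS = {"203.0.113.7"}
# Accounts whose key-based logins should always be reviewed (assumption).
WATCHED_USERS = ("vmanage-admin", "root")

# Matches "Accepted publickey for <user> from <ip> port" and the "public key" spelling.
ACCEPTED_RE = re.compile(r"Accepted public ?key for (?P<user>\S+) from (?P<ip>\S+) port")

# A ".." component bounded by a separator or the string edge (so "john..doe" is not flagged).
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def unauthorized_key_logins(log_text, allowed_ips, watched_users=WATCHED_USERS):
    """Return (user, ip, line) for key-based logins of watched users from unlisted IPs."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m is None:
            continue  # not an accepted-login record
        if m["user"] in watched_users and m["ip"] not in allowed_ips:
            hits.append((m["user"], m["ip"], line.strip()))
    return hits


def user_env_is_suspicious(value):
    """True when a USER value looks like a path rather than a plain account name."""
    return value.startswith(("/", "\\")) or TRAVERSAL_RE.search(value) is not None


if __name__ == "__main__":
    # Pass a path (e.g. /var/log/auth.log) to scan a real file; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    for user, ip, line in unauthorized_key_logins(text, ALLOWED_IPS):
        print(f"ALERT: key login as {user} from unlisted IP {ip}\n    {line}")
    for value in ("admin", "/../../../../../tmp/foo"):
        print(f"USER={value!r} suspicious={user_env_is_suspicious(value)}")
```

The allowlist check is deliberately strict: an accepted login as vmanage-admin or root from any address outside the expected management hosts is worth a ticket, because a key added after CVE-2022-20775 exploitation will otherwise produce a perfectly normal-looking “Accepted publickey” line. Run the USER check against the environment of any confd_cli_grp invocation you audit, not only against values starting with “../”, since the PoC payload begins with a leading slash.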

Intel 471’s Intelligence collates the most prevalent threats and vulnerabilities observed in the cyber underground, providing expert context and analytical assessment to help security teams prioritize the most significant vulnerabilities.
