CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023

First reported
Last updated
3 unique sources, 5 articles

Summary

Hide ▲

A critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN has been actively exploited in zero-day attacks since at least 2023. The flaw allows remote attackers to compromise controllers and add malicious rogue peers to targeted networks. The vulnerability stems from a peering authentication mechanism that does not work properly, enabling attackers to log in as high-privileged users and manipulate network configurations. Cisco has released specific software updates to address the issue, and CISA has issued an emergency directive requiring federal agencies to patch affected systems by February 27, 2026. Attackers have been found to leverage the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775, and have taken steps to clear evidence of the intrusion by purging logs and command history. Additionally, Cisco has flagged two more Catalyst SD-WAN Manager security flaws (CVE-2026-20128 and CVE-2026-20122) as actively exploited in the wild, urging administrators to upgrade vulnerable devices. CVE-2026-20128 is an information disclosure issue affecting the Data Collection Agent (DCA) feature, allowing an authenticated, local attacker to gain DCA user privileges. CVE-2026-20122 is an arbitrary file overwrite bug affecting the API, allowing a remote, authenticated attacker to overwrite arbitrary files and gain elevated privileges. Cisco Talos has linked the attacks exploiting CVE-2026-20127 to UAT-8616, a highly sophisticated threat actor active since at least 2023. Cisco has also released updates to address two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software: CVE-2026-20079 and CVE-2026-20131.

Timeline

  1. 05.03.2026 12:32 3 articles · 1d ago

    Cisco flags additional SD-WAN flaws as actively exploited

    Cisco has confirmed that two additional Catalyst SD-WAN Manager security flaws (CVE-2026-20128 and CVE-2026-20122) are being actively exploited in the wild. CVE-2026-20128 is an information disclosure issue affecting the Data Collection Agent (DCA) feature, allowing an authenticated, local attacker to gain DCA user privileges on the targeted system. CVE-2026-20122 is an arbitrary file overwrite bug affecting the API, allowing a remote, authenticated attacker to overwrite arbitrary files on the system and gain elevated privileges. Cisco PSIRT became aware of active exploitation of these vulnerabilities in March 2026. Patches for these vulnerabilities, along with CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133, were released by Cisco in versions 20.9.8.2, 20.12.6.1, 20.12.5.3, 20.15.4.2, and 20.18.2.1.

    Show sources
    Open in new tab
  2. 25.02.2026 20:01 3 articles · 8d ago

    Critical Cisco SD-WAN Bug Exploited in Zero-Day Attacks Since 2023

    The article provides additional details on the exploitation of CVE-2026-20127, including specific software updates released by Cisco, the use of CVE-2022-20775 for privilege escalation, and the steps taken by attackers to clear evidence of the intrusion by purging logs and command history. It also reveals that two new vulnerabilities, CVE-2026-20128 and CVE-2026-20122, are actively exploited in the wild.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Cisco SD-WAN Zero-Day Exploited by Highly Sophisticated Threat Actor

A critical zero-day vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN Controller and Manager is being actively exploited by a sophisticated threat actor, tracked as UAT-8616. The flaw allows unauthenticated remote attackers to bypass authentication and gain administrative privileges. The exploitation dates back to 2023, and Cisco has credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability. The vulnerability has a CVSS score of 10.0, indicating maximum severity. Cisco is actively tracking the exploitation and post-compromise activities associated with this flaw. The threat actor is described as highly sophisticated, and the exploitation has been ongoing for some time.

Open in new tab

Cisco Unified Communications RCE Zero-Day Exploited in Attacks

Cisco has patched a critical remote code execution vulnerability (CVE-2026-20045) in its Unified Communications and Webex Calling products, which has been actively exploited in attacks. The flaw, with a CVSS score of 8.2, allows attackers to gain user-level access and escalate privileges to root on affected systems. Cisco has released patches for various versions of the impacted products and urged customers to update immediately. The U.S. CISA has added the vulnerability to its KEV Catalog, requiring federal agencies to patch by February 11, 2026.

Open in new tab

Critical RCE Flaw in Trend Micro Apex Central On-Prem Windows

Trend Micro has addressed critical vulnerabilities in on-premise Windows versions of Apex Central, including a remote code execution (RCE) flaw (CVE-2025-69258) with a CVSS score of 9.8. The flaw allows unauthenticated remote attackers to execute arbitrary code under SYSTEM context. Two additional flaws (CVE-2025-69259, CVE-2025-69260) with CVSS scores of 7.5 each can cause denial-of-service conditions. The vulnerabilities affect versions below Build 7190 and require physical or remote access to exploit. Apex Central is a web-based management console that helps admins manage multiple Trend Micro products and services, including antivirus, content security, and threat detection. Trend Micro has released Critical Patch Build 7190 to address these vulnerabilities.

Open in new tab

Exploitation of Network Security Flaws by APT Actors

Multiple network security products, including those from Fortinet, SonicWall, Cisco, and WatchGuard, have been targeted by threat actors exploiting critical vulnerabilities. Cisco's AsyncOS flaw (CVE-2025-20393) is being exploited by a China-nexus APT group, UAT-9686, to deliver malware such as ReverseSSH and AquaPurge. SonicWall's SMA 100 series appliances are also being targeted through a combination of vulnerabilities to achieve unauthenticated remote code execution. These attacks highlight the increasing focus on network security products as entry points for deeper network infiltration.

Open in new tab

Active Exploitation of Critical WatchGuard Fireware OS VPN Vulnerability (CVE-2025-14733)

WatchGuard has released patches for a critical out-of-bounds write vulnerability (CVE-2025-14733, CVSS 9.3) in Fireware OS, which is being actively exploited in the wild. The flaw affects the iked process and could allow remote unauthenticated attackers to execute arbitrary code. The vulnerability impacts various versions of Fireware OS, including 2025.1, 12.x, 12.5.x, and 12.3.1, while versions 11.x are end-of-life. WatchGuard has observed active exploitation attempts from several IP addresses, some of which are linked to recent Fortinet vulnerabilities. The company has provided indicators of compromise (IoCs) and temporary mitigation steps for affected devices.

Open in new tab