Five Eyes warn teams to patch Cisco Catalyst SD-WAN controllers

The intelligence agencies for the nations that make up the Five Eyes alliance (Australia, Canada, New Zealand, UK and the U.S.) on Feb. 25 issued an urgent warning to organizations that “a highly sophisticated” threat actor has exploited flaws in Cisco SD-WAN equipment and that teams need to patch right away.

In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive stating that the exploited SD-WAN equipment posed an imminent threat to federal agencies.

As part of its advisory and patching guidance, Cisco Talos also reported Feb. 25 that it was tracking the active exploitation of CVE-2026-20127, a previously unknown flaw rated 10.0 in the Cisco Catalyst SD-WAN controller that lets an unauthenticated remote attacker bypass authentication and obtain administrative privileges on the affected system.

The threat actor, which Cisco Talos tracks as UAT-8616, developed the zero-day for Cisco’s peering authentication, then chained it with a four-year-old privilege escalation vulnerability — CVE-2022-20775 — and used the device’s own upgrade tool to erase evidence of compromise.

“They found and exploited a zero-day in how the SD-WAN control plane authenticates trusted peers, which requires deep protocol-level knowledge of how Cisco's fabric operates,” said Michael Bell, co-founder and CEO at Suzu Labs. “Then they inserted rogue devices that the network accepted as legitimate controllers, escalated to root by downgrading firmware to a version with a known exploit and restoring the original afterward to cover the tracks, and systematically destroyed logs and forensic artifacts. Three years of persistent access to critical infrastructure control planes without triggering a single alert takes resources, discipline, and a mission that doesn't involve cashing out.”

Heath Renfrow, co-founder and chief information security officer at Fenix24, explained that this attack on Cisco SD-WAN gear was serious because SD-WAN collapses routing, encryption, segmentation, and policy into a single management plane by design.

“That centralization is the product's value and the attacker's value,” said Renfrow. “Compromise one controller, and you can push policy changes to every branch. Edge devices run custom operating systems with no endpoint detection agent. They generate their own logs, which the attacker deletes. They sit outside the security stack that was built to detect workstation compromise. The attacker gets maximum blast radius from a single entry point, and the defender's entire detection architecture is pointed at the wrong layer.”

Old gear, yes, but not decades-old equipment

In explaining some of the background, Collin Hogue-Spears, senior director of solution management at Black Duck, pointed out that Cisco acquired the Viptela SD-WAN platform in 2017 for $610 million. Hogue-Spears said enterprise deployments of this SD-WAN gear range from seven to nine years old, with many organizations running software versions three to five years behind current maintenance.

“This is not legacy equipment in the way people picture 30-year-old core routers running in a closet,” said Hogue-Spears. “These are modern SD-WAN controllers deployed within the last decade, often virtualized, often running in cloud environments.”

Fenix24’s Renfrow said it’s extremely important to note that the Cisco Catalyst gear is not old equipment.

“SD-WAN became mainstream in the mid-2010s as organizations shifted from MPLS to hybrid cloud connectivity,” said Renfrow. “Many deployments are three to eight years old and actively managed.”

Renfrow added that the danger here is not just exploitation — it’s silent manipulation. An attacker with SD-WAN control can do the following:

  • Redirect traffic to malicious infrastructure.
  • Disable segmentation.
  • Open lateral movement paths.
  • Interfere with recovery during a crisis.

"This is a 'control-plane compromise,' not a data theft incident," said Renfrow.
