Updated at the time? No sweat. Check those logs, though
# Vulnerability: Cisco Catalyst SD-WAN Improper Authentication and Root Escalation
## CVE Details
- **CVE ID:** CVE-2026-20127 (Primary), CVE-2022-20775 (Secondary escalation)
- **CVSS Score:** 10.0 (Critical)
- **CWE:** Improper Authentication (CWE-287)
## Affected Systems
- **Products:** Cisco Catalyst SD-WAN (formerly Viptela)
- **Versions:** All versions prior to the February 2026 fix.
- **Affected Components:**
- Cisco Catalyst SD-WAN Manager
- Cisco Catalyst SD-WAN Controller
- Cisco Catalyst SD-WAN Validator (formerly vBond) — *Recently added to advisory*
## Vulnerability Description
CVE-2026-20127 is a critical improper authentication flaw within the Cisco Catalyst SD-WAN fabric. An attacker can exploit this vulnerability to gain unauthorized administrative access to the SD-WAN orchestration plane. Once administrative access is achieved via NETCONF, attackers can reconfigure the SD-WAN fabric.
Furthermore, this flaw is frequently chained with **CVE-2022-20775** (a path traversal vulnerability) to bypass restricted shells and gain persistent **root access** to the underlying operating system of the affected appliance.
## Exploitation
- **Status:** Exploited in the wild. Attributed to threat actor **UAT-8616**.
- **Complexity:** Low (Targeting improper authentication).
- **Attack Vector:** Network.
- **PoC Availability:** Internal and threat-actor PoCs exist; private exploit tooling is highly likely.
## Impact
- **Confidentiality:** Total (Full access to network configurations and traffic data).
- **Integrity:** Total (Ability to reconfigure SD-WAN fabric and modify system files).
- **Availability:** Total (Persistent root access allows for complete device shutdown or bricking).
## Remediation
### Patches
Cisco released fixed software versions in February 2026. Organizations must ensure that **all** components of the SD-WAN fabric (Manager, Controller, and Validator) are running the latest patched releases.
- *Note:* If you updated Manager and Controller but neglected the Validator (vBond), the environment remains at risk.
### Workarounds
- No specific software workarounds are provided; immediate patching is required.
- **Hardening:** Implement strict Access Control Lists (ACLs) to limit access to management interfaces (NETCONF) to trusted administrative IP addresses only.
## Detection
- **Indicators of Compromise:** Look for unauthorized administrative logins or modifications via NETCONF.
- **Log Analysis:** Audit system logs for evidence of path traversal attempts (related to CVE-2022-20775) or unusual root-level activity.
- **Threat Hunting:** Follow guidance provided by Cisco Talos and the NCSC-UK to identify "UAT-8616" activity, which may have been present in environments for up to three years.
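The two log checks above (NETCONF activity from outside the trusted administrative IP range, and path traversal patterns tied to CVE-2022-20775) can be scripted. The following is an added example, not Cisco's or Talos's tooling: the key=value log format, the sample lines, and the 10.0.5.0/24 trusted management subnet are all constructed assumptions, so the parser must be adapted to the real export format of your SD-WAN components.

```python
import ipaddress
import re

# Constructed sample lines (assumed key=value export; not real Cisco SD-WAN log output).
SAMPLE_LOGS = [
    "2026-02-20T10:01:12Z host=vmanage1 proto=netconf user=admin src=10.0.5.20 event=login result=success",
    "2026-02-20T10:03:45Z host=vmanage1 proto=netconf user=admin src=203.0.113.77 event=login result=success",
    "2026-02-20T10:04:02Z host=vmanage1 proto=netconf user=admin src=203.0.113.77 event=edit-config path=/system/ntp",
    "2026-02-20T10:06:31Z host=vbond1 proto=https user=netadmin src=203.0.113.77 event=request path=/api/../../../example.txt",
    "2026-02-20T10:07:00Z host=vsmart1 proto=ssh user=netadmin src=10.0.5.20 event=login result=success",
]

# Assumption: the organisation's management subnet, i.e. the only range the NETCONF ACL should permit.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]

KV_RE = re.compile(r"(\w+)=(\S+)")
# Plain, URL-encoded and backslash forms of a parent-directory traversal sequence.
TRAVERSAL_RE = re.compile(r"(\.\./|%2e%2e%2f|\.\.\\)", re.IGNORECASE)


def parse_line(line):
    """Split a log line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def is_trusted(src):
    """True if src is a valid IP inside one of the trusted administrative networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed or missing source: never treat as trusted
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def find_suspicious(lines):
    """Return (timestamp, host, finding, src) tuples for lines matching either hunt."""
    findings = []
    for line in lines:
        f = parse_line(line)
        src = f.get("src", "")
        # Hunt 1: any NETCONF session not originating from the trusted admin range.
        if f.get("proto") == "netconf" and not is_trusted(src):
            findings.append((f["ts"], f.get("host"), "netconf-untrusted-source", src))
        # Hunt 2: traversal sequences in requested paths (CVE-2022-20775 style activity).
        if TRAVERSAL_RE.search(f.get("path", "")):
            findings.append((f["ts"], f.get("host"), "path-traversal-attempt", src))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOGS):
        print(finding)
```

On the constructed sample the script flags the two NETCONF events from 203.0.113.77 and the traversal request against the Validator, while the in-range NETCONF and SSH logins pass.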
## References
- Cisco Security Advisory: hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
- Cisco Talos Blog: hxxps[://]talosintelligence[.]com/ (Search for UAT-8616)
- NCSC-UK Alert: hxxps[://]www[.]ncsc[.]gov[.]uk/