Full Report
The global campaign marks the second series of multiple actively exploited zero-day vulnerabilities in Cisco edge technology since last spring. The similarities don’t end there. The post Governments issue warning over Cisco zero-day attacks dating back to 2023 appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Cisco SD-WAN Zero-Day Exploitation Chain
## CVE Details
- **CVE ID:** CVE-2026-20127 and CVE-2022-20775
- **CVSS Score:** Not explicitly listed in the article, but characterized as critical/high due to full system compromise potential.
- **CWE:** Authentication Bypass (CVE-2026-20127) and Privilege Escalation (CVE-2022-20775).
## Affected Systems
- **Products:** Cisco SD-WAN (Software-Defined Wide Area Network) systems.
- **Versions:**
- Specific versions impacted by CVE-2026-20127.
- Legacy/older versions vulnerable to CVE-2022-20775.
- **Configurations:** Systems running Cisco SD-WAN edge software. The attack specifically targets "network edge technology."
## Vulnerability Description
This is a multi-stage attack chain used by a sophisticated threat actor (UAT-8616).
1. **Initial Access:** The attacker exploits **CVE-2026-20127** to bypass authentication on the SD-WAN device.
2. **Software Downgrade:** Once access is gained, the attacker deliberately downgrades the device's software to an older, vulnerable version.
3. **Privilege Escalation:** The attacker then exploits **CVE-2022-20775** (a known vulnerability from 2022) on the downgraded version to escalate from administrative control to **root access** on the underlying operating system.
## Exploitation
- **Status:** Exploited in the wild (Actively exploited since at least 2023; identified in late 2025).
- **Complexity:** High (Described as "structured tradecraft" and "surgical" by researchers).
- **Attack Vector:** Network (Remote exploitation of edge devices).
## Impact
- **Confidentiality:** Total (Full access to system data and federal networks).
- **Integrity:** Total (Ability to modify software versions and system configurations).
- **Availability:** Total (Full control over the underlying operating system).
## Remediation
### Patches
- Cisco has released security updates to address the zero-day (CVE-2026-20127). Users should upgrade to the latest stable, patched version of Cisco SD-WAN software immediately.
### Workarounds
- There are no specific software workarounds mentioned; focus is on immediate patching and "hardening guidance" provided by CISA and Five Eyes partners.
## Detection
- **Indicators of Compromise:** CISA and Five Eyes have released a joint "Hunt Guide" specifically for these SD-WAN systems.
- **Detection Methods:**
- Audit system logs for unauthorized authentication events.
- Monitor for unauthorized software "downgrade" events.
- Manual inspection of root-level processes for persistence.
- Federal agencies are required to take inventory and collect logs per CISA Emergency Directive 26-03.
## References
- **Vendor Advisory:** hxxps://blog[.]talosintelligence[.]com/uat-8616-sd-wan/
- **CISA Emergency Directive:** hxxps://www[.]cisa[.]gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- **Five Eyes Hunt Guide:** hxxps://www[.]cyber[.]gov[.]au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide[.]pdf
- **NVD Entries:**
- hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2026-20127
- hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2022-20775