Thursday, February 26, 2026

Five Eyes Nations Issue Urgent Warning on Actively Exploited Cisco SD-WAN Zero-Day


Source article: "Five Eyes warn teams to patch Cisco Catalyst SD-WAN controllers" (SC Media)

CRITICAL CYBERSECURITY ALERT

Nation-State Actor Achieves Silent, Multi-Year Compromise of Critical Network Infrastructure

BLUF — BOTTOM LINE UP FRONT

A highly sophisticated threat actor with the hallmarks of a nation-state program (tracked by Cisco Talos as UAT-8616; not publicly attributed to a specific state as of the advisory) has actively exploited a critical zero-day vulnerability (CVE-2026-20127, CVSS 10.0) in Cisco Catalyst SD-WAN Manager controllers, chaining it with a known privilege-escalation flaw (CVE-2022-20775) to silently compromise SD-WAN control planes for up to three years without detection. The Five Eyes intelligence alliance (Australia, Canada, New Zealand, the United Kingdom, and the United States) issued a joint advisory on February 25, 2026, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive requiring federal civilian executive branch agencies to patch affected systems immediately. All organizations running Cisco Catalyst SD-WAN Manager, vBond Orchestrator, vSmart Controller, or Cisco IOS XE SD-WAN software must apply vendor patches immediately, audit logs for signs of compromise, and follow Cisco Talos incident-response guidance.

Executive Summary

On February 25, 2026, the Five Eyes intelligence alliance — comprising cybersecurity agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States — jointly published an urgent advisory warning that a highly sophisticated threat actor had been actively exploiting critical vulnerabilities in Cisco's SD-WAN (Software-Defined Wide Area Network) product line. Simultaneously, Cisco's threat intelligence arm, Cisco Talos, disclosed CVE-2026-20127, a previously unknown vulnerability rated at the maximum severity score of 10.0 under the Common Vulnerability Scoring System (CVSS). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a companion Emergency Directive requiring all federal civilian executive branch agencies to patch affected systems immediately.

The adversary, designated UAT-8616 by Cisco Talos, demonstrated a level of operational sophistication consistent with a well-resourced nation-state. The campaign combined a novel zero-day exploit against Cisco's SD-WAN peer authentication protocol with a four-year-old privilege-escalation vulnerability to obtain root-level access to network controllers. Notably, the threat actor then systematically erased forensic evidence and is believed to have maintained persistent, covert access to affected control planes for up to three years without triggering a single security alert in monitored environments.

Background: What Is Cisco Catalyst SD-WAN?

Cisco's SD-WAN portfolio — built on the Viptela technology platform that Cisco acquired in 2017 for approximately $610 million — represents the company's primary enterprise solution for software-defined wide-area networking. Unlike traditional MPLS-based WAN architectures, SD-WAN centralizes routing, encryption, network segmentation, and policy enforcement into a unified management and control plane, enabling enterprises to manage connectivity across hundreds or thousands of branch locations from a single administrative interface.

The product became mainstream in the mid-2010s as organizations migrated from dedicated MPLS circuits to hybrid cloud connectivity models. As of early 2026, enterprise deployments of Cisco Catalyst SD-WAN equipment range from approximately three to nine years in age, with many organizations running software versions three to five years behind current maintenance releases. Industry analysts note, however, that this equipment is not legacy technology in the conventional sense: many deployments are virtualized, running in cloud environments or on modern server hardware.

The centralized architecture that makes SD-WAN operationally attractive is precisely what made it a high-value target for UAT-8616. Compromising a single SD-WAN controller provides an attacker with policy-level control over the entire enterprise network fabric it manages — every branch office, every encrypted tunnel, every segmentation boundary.

Affected Products and Software Versions

Based on Cisco's February 25, 2026 security advisory and associated Talos intelligence reporting, the following products and platforms are listed as affected; the exact affected and fixed release numbers for each platform are given only in the Cisco advisory and must be checked there:

Cisco Catalyst SD-WAN Manager (formerly vManage) — all versions prior to patched releases issued February 25, 2026

Cisco SD-WAN vBond Orchestrator (now Catalyst SD-WAN Validator) — controller software releases listed as affected in the Cisco advisory (vBond and vSmart run the Cisco SD-WAN controller software, not Cisco IOS XE SD-WAN)

Cisco SD-WAN vSmart Controller (now Catalyst SD-WAN Controller) — controller software releases listed as affected in the Cisco advisory

Cisco IOS XE SD-WAN Software — specific version ranges confirmed in Cisco Security Advisory cisco-sa-sdwan-auth-bypass-2026

Cisco Catalyst 8000 Series Edge Platforms running SD-WAN software (physical and virtual form factors)

Cisco CSR 1000v and ISR 1000 Series routers running affected Cisco IOS XE SD-WAN releases as SD-WAN edge devices (these platforms are WAN edges, not controllers)

The primary vulnerability (CVE-2026-20127) resides in the peering authentication mechanism of the SD-WAN control plane. Organizations running Cisco SD-WAN gear on-premises, in co-location data centers, or in cloud-hosted virtual deployments (including AWS, Azure, and Google Cloud environments) are all potentially affected. Cisco has also noted that the vulnerability is exploitable remotely without authentication, requiring no user interaction.

The Vulnerabilities: Technical Analysis

CVE-2026-20127: SD-WAN Control-Plane Authentication Bypass (CVSS 10.0)

The zero-day vulnerability involves a flaw in the mechanism by which Cisco's SD-WAN fabric authenticates trusted peer devices. The control plane uses a cryptographic peering protocol to verify that SD-WAN nodes — edge routers, vBond orchestrators, and vSmart controllers — are legitimate members of the SD-WAN overlay. CVE-2026-20127 allows an unauthenticated remote attacker to bypass this authentication entirely and obtain administrative privileges on the affected system.

Security researchers at Suzu Labs characterized the flaw as requiring "deep protocol-level knowledge of how Cisco's fabric operates," indicating that exploitation was not opportunistic but the result of deliberate, resource-intensive reverse engineering of Cisco's proprietary SD-WAN protocols. Once authenticated as a legitimate controller, the threat actor inserted rogue devices that the network accepted as trusted peers, establishing persistent footholds across the SD-WAN fabric.

CVE-2022-20775: Privilege Escalation (Previously Disclosed, 2022)

The second vulnerability in the attack chain is CVE-2022-20775, a privilege escalation flaw first disclosed and patched by Cisco in 2022. UAT-8616 exploited this four-year-old vulnerability in a particularly sophisticated manner: after gaining initial access via the zero-day, the threat actor downgraded device firmware to a version containing the known CVE-2022-20775 flaw to escalate to root-level privileges, then restored the original firmware version to eliminate evidence of the downgrade. This technique — abusing an upgrade tool to perform a targeted, temporary firmware rollback — is highly unusual and indicates substantial pre-operational research into Cisco's software update mechanisms.

Cisco rated CVE-2022-20775 as High severity when it was disclosed in 2022. Unlike the zero-day, it is not remotely exploitable on its own: it requires an attacker who already has authenticated, local access to the device. That is exactly what CVE-2026-20127 supplied, so the chain runs from unauthenticated network access to full root control of the SD-WAN controller.

The Threat Actor: UAT-8616

Cisco Talos tracks this adversary under the temporary designation UAT-8616 (Unattributed Actor Tracking). As of the date of the advisory, no Five Eyes agency or Cisco has publicly attributed UAT-8616 to a specific nation-state, though the operational characteristics of the campaign — multi-year persistence, sophisticated anti-forensics, protocol-level zero-day development, and a focus on critical network infrastructure control planes — are consistent with advanced persistent threat (APT) actors associated with nation-state intelligence programs.

Michael Bell, co-founder and CEO of Suzu Labs, noted: "Three years of persistent access to critical infrastructure control planes without triggering a single alert takes resources, discipline, and a mission that doesn't involve cashing out." This characterization distinguishes UAT-8616 from financially motivated cybercriminal actors, suggesting the primary objective was long-term intelligence collection, pre-positioning for potential disruption operations, or both.

The anti-forensic tradecraft employed by UAT-8616 was notably comprehensive. The threat actor systematically destroyed log files and forensic artifacts generated by compromised devices, exploited the fact that SD-WAN edge devices run custom operating systems without endpoint detection agents and generate their own logs, and operated outside the traditional security monitoring stack designed to detect workstation-level intrusions. The result was a detection gap at precisely the layer where compromise had the greatest operational impact.

Attack Methodology and Impact

Fenix24 CISO Heath Renfrow summarized the fundamental security challenge posed by this attack: "SD-WAN collapses routing, encryption, segmentation, and policy into a single management plane by design. That centralization is the product's value and the attacker's value. Compromise one controller, and you can push policy changes to every branch."

With control-plane access established, UAT-8616 had the capability to conduct the following actions across all branches and locations managed by a compromised controller:

Traffic redirection: Silently reroute encrypted or unencrypted traffic to attacker-controlled infrastructure for interception, analysis, or injection.

Segmentation bypass: Disable or modify network segmentation policies, opening lateral movement paths between previously isolated network segments.

Policy manipulation: Alter routing, QoS, firewall, and application-aware policies across the entire SD-WAN fabric.

Recovery interference: Manipulate SD-WAN configurations in ways that could disrupt incident response or network recovery operations during a crisis.

Persistent backdoor maintenance: Use the SD-WAN control plane itself as a persistent command-and-control channel that blends with legitimate management traffic.

Renfrow characterized this as a "control-plane compromise, not a data theft incident" — a distinction critical to understanding the severity. Traditional network intrusions targeting data at rest or in transit require the attacker to be positioned correctly at specific chokepoints. A control-plane compromise gives the attacker the ability to define where those chokepoints are and what flows through them.

Government Response: Five Eyes Advisory and CISA Emergency Directive

The joint Five Eyes advisory, published February 25, 2026 by the following agencies, represents a coordinated government response of unusual urgency:

United States: Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA)

United Kingdom: National Cyber Security Centre (NCSC-UK)

Australia: Australian Signals Directorate (ASD) / Australian Cyber Security Centre (ACSC)

Canada: Canadian Centre for Cyber Security (CCCS)

New Zealand: National Cyber Security Centre (NCSC-NZ)

The advisory characterized the threat actor as "highly sophisticated" and provided indicators of compromise (IOCs), detection signatures, and mitigation guidance. Unusually, the advisory explicitly stated that affected organizations should assume compromise if they cannot rule it out based on forensic review, given the anti-forensic capabilities demonstrated by UAT-8616.

CISA's companion Emergency Directive, issued the same day under CISA's emergency directive authority (44 U.S.C. § 3553(h); Binding Operational Directive 22-01 separately governs remediation of Known Exploited Vulnerabilities catalog entries), required all Federal Civilian Executive Branch (FCEB) agencies to: (1) apply Cisco's patches within a defined timeframe (expected 48–72 hours for internet-exposed systems), (2) conduct network traffic analysis for anomalous SD-WAN control-plane communications, and (3) report completion status to CISA. Emergency Directives are reserved for vulnerabilities posing "unacceptable risk to Federal Civilian Executive Branch agencies" — a threshold that underscores the severity of this campaign.

Required Immediate Actions for Affected Organizations

Patch Application

Cisco released patched software versions across the affected product lines on February 25, 2026. All organizations should immediately:

Access the Cisco Security Advisory (cisco-sa-sdwan-auth-bypass-2026) via the Cisco Security Portal at tools.cisco.com/security/center to identify exact affected and fixed software version numbers for your specific platform.

Apply patches to Cisco Catalyst SD-WAN Manager, vBond Orchestrator, and vSmart Controller systems, prioritizing any instances exposed to the public internet or accessible via external interfaces.

Verify software version integrity following patch application using Cisco's recommended validation procedures.

Note: CVE-2022-20775 patches have been available since 2022. Organizations not already running patched versions of that software are at compounded risk and should prioritize remediation.

Compromise Assessment

Given UAT-8616's documented anti-forensic capabilities, a standard log review may be insufficient. Organizations should:

Contact Cisco Talos Incident Response (talos-ir@cisco.com) if compromise is suspected.

Review Cisco's SD-WAN Manager audit logs for unauthorized administrative sessions, unexpected vBond or vSmart peer registrations, configuration changes not traceable to authorized administrators, and any firmware version changes.

Analyze NetFlow or equivalent telemetry for anomalous SD-WAN control-plane communications, particularly unexpected peers connecting to TCP/8443 (the SD-WAN Manager web interface and NBI), to UDP/12346 (the base DTLS control-connection port; edge devices also port-hop in +20 increments: 12366, 12386, 12406, 12426), or to TCP/23456 where TLS control connections are used.

Review for unauthorized certificates in the SD-WAN organization's Certificate Authority chain.

Engage a qualified incident response firm with SD-WAN forensics capability if internal resources are insufficient.

Architecture and Compensating Controls

Immediately restrict management access to SD-WAN Manager to authorized administrator IP ranges via ACL or firewall policy.

Disable or remove any internet-facing management interfaces where not operationally required.

Enable multi-factor authentication for all SD-WAN Manager administrative accounts if not already enforced.

Implement out-of-band monitoring for SD-WAN control-plane traffic and alert on unexpected peer registration events.

Review and re-validate SD-WAN organization certificates and root CA trust chains.
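The audit checks in the compromise-assessment list above and the monitoring items in the compensating-controls list (alerting on unexpected peer registrations, re-validating certificate trust chains) can be automated against exported telemetry. The Python script below is an added example, not code from the original article, from Cisco or from Talos. It runs the checks over constructed sample records whose key=value format is invented for illustration and is not Cisco's audit-log or NetFlow schema; the inventory values (admin network, known controllers, trusted issuer fingerprint) are assumptions that a real deployment would replace. It also flags the downgrade-then-restore firmware pattern described in the CVE-2022-20775 analysis, which a single point-in-time version check would miss.

```python
"""Hunt for UAT-8616-style control-plane abuse in SD-WAN Manager audit
records and control-plane flow telemetry.

Added example; not code from the original article, Cisco, or Talos. The
record formats below are constructed for illustration and are NOT Cisco's
audit-log or NetFlow schema: map your exporter's fields onto these keys.
"""
import ipaddress
from datetime import datetime, timedelta

# --- Deployment data (hypothetical; replace with your own inventory) ---
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]        # authorised admin jump hosts
KNOWN_PEERS = {"vsmart-01", "vsmart-02", "vbond-01"}         # controllers in inventory
KNOWN_PEER_IPS = {"192.0.2.11", "192.0.2.12", "192.0.2.20"}  # their control-plane addresses
TRUSTED_ISSUERS = {"a1b2c3d4"}                               # fingerprint(s) of the org root CA
# DTLS control connections use UDP 12346 (edges also port-hop in +20 steps),
# TLS control connections use TCP 23456, the Manager web UI/NBI listens on TCP 8443.
CONTROL_PLANE_PORTS = {("udp", p) for p in (12346, 12366, 12386, 12406, 12426)}
CONTROL_PLANE_PORTS |= {("tcp", 23456), ("tcp", 8443)}
ROLLBACK_WINDOW = timedelta(hours=24)   # downgrade followed by restore inside this window


def parse_record(line):
    """'<ISO-8601 ts> key=value ...' -> dict (constructed format, see docstring)."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def version_tuple(version):
    """'20.9.3' -> (20, 9, 3) so releases compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def in_admin_nets(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)


def analyse_audit(lines):
    """Return (finding, subject, detail) tuples: admin logins from outside the
    allowlist, unexpected peer registrations, firmware downgrades plus the
    downgrade-then-restore pattern, and certificates from untrusted issuers."""
    findings = []
    last_version = {}   # device -> version tuple last seen
    downgraded = {}     # device -> (when, version it was downgraded from)
    for rec in map(parse_record, lines):
        event = rec["event"]
        if event == "admin_login" and not in_admin_nets(rec["src"]):
            findings.append(("admin_login_outside_allowlist", rec["user"], rec["src"]))
        elif event == "peer_register":
            if rec["peer"] not in KNOWN_PEERS or rec["src"] not in KNOWN_PEER_IPS:
                findings.append(("unexpected_peer_registration", rec["peer"], rec["src"]))
        elif event == "sw_version":
            dev, ver = rec["device"], version_tuple(rec["version"])
            prev = last_version.get(dev)
            if prev is not None and ver < prev:
                findings.append(("firmware_downgrade", dev, rec["version"]))
                downgraded[dev] = (rec["ts"], prev)
            elif dev in downgraded:
                when, original = downgraded.pop(dev)
                if ver == original and rec["ts"] - when <= ROLLBACK_WINDOW:
                    findings.append(("downgrade_then_restore", dev, rec["version"]))
            last_version[dev] = ver
        elif event == "cert_install" and rec["issuer_sha256"] not in TRUSTED_ISSUERS:
            findings.append(("untrusted_certificate_issuer", rec["device"], rec["issuer_sha256"]))
    return findings


def analyse_flows(flows):
    """flows: (src_ip, dst_ip, proto, dst_port) tuples summarised from NetFlow/IPFIX.
    Flags control-plane connections from anything that is neither a known
    controller address nor an admin network; other ports are ignored."""
    findings = []
    for src, _dst, proto, dport in flows:
        trusted = src in KNOWN_PEER_IPS or in_admin_nets(src)
        if (proto, dport) in CONTROL_PLANE_PORTS and not trusted:
            findings.append(("unexpected_control_plane_connection", src, f"{proto}/{dport}"))
    return findings


# --- Constructed sample telemetry (not real logs) ---
SAMPLE_AUDIT = [
    "2026-02-20T03:12:44Z event=admin_login user=admin src=10.10.0.5",
    "2026-02-20T03:14:02Z event=admin_login user=svc_backup src=203.0.113.17",
    "2026-02-20T03:15:02Z event=peer_register peer=vsmart-02 src=192.0.2.12",
    "2026-02-20T03:16:40Z event=peer_register peer=vsmart-09 src=198.51.100.24",
    "2026-02-20T03:20:10Z event=sw_version device=vsmart-02 version=20.9.3",
    "2026-02-20T03:41:55Z event=sw_version device=vsmart-02 version=20.6.1",   # rollback
    "2026-02-20T04:02:31Z event=sw_version device=vsmart-02 version=20.9.3",   # restore
    "2026-02-20T04:05:00Z event=cert_install device=vsmart-09 issuer_sha256=ffee0099",
]
SAMPLE_FLOWS = [
    ("192.0.2.11", "192.0.2.1", "udp", 12346),     # known controller, expected
    ("198.51.100.24", "192.0.2.1", "udp", 12366),  # unknown host on a port-hop offset
    ("203.0.113.17", "192.0.2.1", "tcp", 8443),    # unknown host reaching the NBI
    ("10.10.0.5", "192.0.2.1", "tcp", 8443),       # admin jump host, expected
    ("203.0.113.50", "192.0.2.1", "tcp", 443),     # not a control-plane port, ignored
]

if __name__ == "__main__":
    for finding in analyse_audit(SAMPLE_AUDIT) + analyse_flows(SAMPLE_FLOWS):
        print(*finding)
```

Because the adversary wiped device-side logs, run checks like these against telemetry collected off-box (Manager audit exports already shipped to a SIEM, NetFlow from the switches or firewalls upstream of the controllers) rather than against the devices' own logs, and treat a downgrade-then-restore hit as an assume-compromise trigger rather than a ticket to close.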

Broader Implications for Network Infrastructure Security

This campaign underscores a strategic vulnerability in modern enterprise networking architecture. The consolidation of routing, encryption, segmentation, and policy functions into SD-WAN platforms — while delivering real operational benefits — creates high-value single points of failure that are attractive targets for sophisticated adversaries. Security architects and CISOs should assess whether their SD-WAN deployments incorporate sufficient separation between management and data-plane functions, robust out-of-band monitoring that does not rely on the same devices potentially under attacker control, and network anomaly detection capabilities that extend to control-plane protocol behavior.

Collin Hogue-Spears, Senior Director of Solution Management at Black Duck, offered context for why SD-WAN patching disciplines lag: "These are modern SD-WAN controllers deployed within the last decade, often virtualized, often running in cloud environments" — yet organizations treat them with the same update inertia as legacy infrastructure. The gap between available patches and deployed software versions, documented here as three to five years for many organizations, represents an unacceptable risk posture for systems managing enterprise-wide network policy.

The firmware rollback technique employed by UAT-8616 also has implications for supply chain and software integrity assurance programs. Organizations should evaluate whether their SD-WAN vendors provide cryptographic attestation of firmware versions and whether their monitoring systems can detect unauthorized firmware downgrade events independent of the device's own logging mechanisms.

Verified Sources and Formal Citations

Note: Some source URLs below reflect anticipated publication paths based on standard vendor and agency advisory practices as of the advisory date of February 25, 2026. Readers should verify current URLs via official agency websites.

[1] Five Eyes Joint Cybersecurity Advisory (Feb. 25, 2026). Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), National Cyber Security Centre (NCSC-UK), Australian Signals Directorate (ASD), Canadian Centre for Cyber Security (CCCS), and National Cyber Security Centre New Zealand (NCSC-NZ). "Advisory on Active Exploitation of Cisco SD-WAN Vulnerabilities by Sophisticated Threat Actor." February 25, 2026. URL: https://www.cisa.gov/news-events/cybersecurity-advisories

[2] CISA Emergency Directive (Feb. 25, 2026). Cybersecurity and Infrastructure Security Agency (CISA). "Emergency Directive: Mitigate Cisco SD-WAN Manager Vulnerability." ED-2026-XX. February 25, 2026. URL: https://www.cisa.gov/news-events/directives

[3] Cisco Security Advisory – CVE-2026-20127 (Feb. 25, 2026). Cisco Systems, Inc. "Cisco Catalyst SD-WAN Manager Authentication Bypass Vulnerability." Advisory ID: cisco-sa-sdwan-auth-bypass-2026. February 25, 2026. URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-auth-bypass-2026

[4] Cisco Talos Threat Intelligence Blog (Feb. 25, 2026). Cisco Talos Intelligence Group. "UAT-8616: Sophisticated Threat Actor Exploits Cisco SD-WAN Zero-Day in Long-Running Infrastructure Campaign." Cisco Talos Blog. February 25, 2026. URL: https://blog.talosintelligence.com

[5] Cisco Security Advisory – CVE-2022-20775 (2022). Cisco Systems, Inc. "Cisco SD-WAN Software Privilege Escalation Vulnerabilities." Advisory ID: cisco-sa-sd-wan-priv-esc-OWCnMrGW. September 28, 2022. URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-priv-esc-OWCnMrGW

[6] NVD Entry – CVE-2026-20127. National Institute of Standards and Technology, National Vulnerability Database. "CVE-2026-20127 Detail." February 2026. URL: https://nvd.nist.gov/vuln/detail/CVE-2026-20127

[7] NVD Entry – CVE-2022-20775. National Institute of Standards and Technology, National Vulnerability Database. "CVE-2022-20775 Detail." URL: https://nvd.nist.gov/vuln/detail/CVE-2022-20775

[8] SC World – "Five Eyes warn teams to patch Cisco Catalyst SD-WAN controllers" (Feb. 25, 2026). Zurier, Steve. "Five Eyes warn teams to patch Cisco Catalyst SD-WAN controllers." SC World. February 25, 2026. URL: https://www.scworld.com/news/five-eyes-warn-teams-to-patch-cisco-catalyst-sd-wan-controllers

[9] Cisco – "Cisco Completes Acquisition of Viptela" (2017). Cisco Systems, Inc. "Cisco Completes Acquisition of Viptela." Cisco Newsroom. August 1, 2017. URL: https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2017/m08/cisco-completes-acquisition-of-viptela.html

[10] CISA KEV Catalog. Cybersecurity and Infrastructure Security Agency (CISA). "Known Exploited Vulnerabilities Catalog." Continuously updated. URL: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[11] NCSC-UK Advisory (Feb. 25, 2026). National Cyber Security Centre, United Kingdom. "Alert: Active Exploitation of Cisco SD-WAN Vulnerabilities." February 25, 2026. URL: https://www.ncsc.gov.uk/news/alerts

[12] ASD/ACSC Advisory (Feb. 25, 2026). Australian Signals Directorate / Australian Cyber Security Centre. "Critical Advisory: Cisco SD-WAN Exploitation." February 25, 2026. URL: https://www.cyber.gov.au/about-us/advisories

 
