Active exploitation of Cisco Catalyst SD-WAN by UAT-8616

  • Cisco Talos is tracking the active exploitation of CVE-2026-20127, a vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart) that allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on the affected system by sending a crafted request to it.
  • Successful exploitation may allow the attacker to gain administrative privileges on the Controller as an internal, high-privileged, non-root user account.
  • Talos clusters this exploitation and the subsequent post-compromise activity as “UAT-8616”, which we assess with high confidence to be a highly sophisticated cyber threat actor.
  • After discovering active exploitation of the 0-day in the wild, we found evidence that the malicious activity went back at least three years (to 2023).
  • An investigation conducted by intelligence partners identified that the actor likely escalated to the root user via a software version downgrade.
  • The actor then reportedly exploited CVE-2022-20775 before restoring the original software version, effectively allowing them to gain root access.
