Cisco Talos has disclosed the active exploitation of CVE-2026-20127, a critical zero-day vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart), by a highly sophisticated threat actor tracked as UAT-8616. The campaign, which dates back at least three years, targets critical infrastructure sectors through persistent network edge device compromise.
The Vulnerability: CVE-2026-20127
The vulnerability allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on affected Cisco Catalyst SD-WAN systems by sending crafted requests. Successful exploitation grants attackers access as an internal, high-privileged (non-root) user account.
UAT-8616: A Sophisticated Adversary
Talos assesses with high confidence that UAT-8616 is a highly sophisticated cyber threat actor. Investigation with intelligence partners including the Australian Cyber Security Centre revealed that the malicious activity has been ongoing since at least 2023.
The actor’s methodology demonstrates advanced tradecraft:
- Software version downgrade attacks — compromising controllers to roll back firmware
- Chained exploitation — leveraging the 2023 CVE-2022-20775 privilege escalation flaw after downgrade
- Version restoration — returning systems to original software versions to hide tracks
- Root-level access — ultimately achieving persistent root access on compromised devices
Indicators of Compromise
Key signs of UAT-8616 compromise include:
- Suspicious control connection peering events, especially vManage peer types from unexpected IPs
- Creation and deletion of malicious user accounts with absent bash_history and cli-history
- Interactive root sessions with unauthorized SSH keys
- PermitRootLogin set to yes in sshd_config
- Abnormally small or missing logs (0/1/2 byte files)
- Evidence of log clearing: syslog, wtmp, lastlog, cli-history, bash_history
- Unexpected version downgrades/upgrades accompanied by system reboots
- Path traversal strings in usernames
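Several of these indicators can be checked mechanically once the relevant artifacts (sshd_config contents, log file sizes, the local user list) have been exported from a controller. The following is an added illustration, not code from Talos or Cisco; the sample artifacts are constructed, and the size threshold and traversal patterns are assumptions chosen to match the indicators listed above.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample artifacts for offline use; not taken from a real device.
SAMPLE_SSHD_CONFIG = """\
# sshd_config excerpt (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication no
"""

SAMPLE_LOG_SIZES = {  # path -> size in bytes (constructed)
    "/var/log/syslog": 0,
    "/var/log/wtmp": 2,
    "/var/log/lastlog": 29312,
    "/home/admin/.bash_history": 1,
}

SAMPLE_USERNAMES = ["admin", "netops", "../../tmp/x", "..%2F..%2Fvar", "svc_backup"]

def permit_root_login_enabled(sshd_config: str) -> bool:
    """True if the first uncommented PermitRootLogin directive is 'yes' (sshd honours the first match)."""
    for line in sshd_config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].strip().lower() == "yes"
    return False

def abnormally_small_logs(sizes: Dict[str, int], threshold: int = 2) -> List[str]:
    """Log files of 0-2 bytes (assumed threshold): consistent with clearing, not rotation."""
    return sorted(path for path, size in sizes.items() if size <= threshold)

# Plain and URL-encoded traversal sequences (assumed pattern set).
TRAVERSAL = re.compile(r"\.\.(/|\\|%2f|%5c)|%2e%2e", re.IGNORECASE)

def traversal_usernames(usernames: Iterable[str]) -> List[str]:
    """Usernames that contain a path traversal sequence."""
    return [u for u in usernames if TRAVERSAL.search(u)]

def hunt(sshd_config: str, sizes: Dict[str, int], usernames: Iterable[str]) -> Dict[str, object]:
    """Run all checks and return one report; False or an empty list means no hit."""
    return {
        "permit_root_login": permit_root_login_enabled(sshd_config),
        "small_logs": abnormally_small_logs(sizes),
        "traversal_usernames": traversal_usernames(usernames),
    }

if __name__ == "__main__":
    for name, result in hunt(SAMPLE_SSHD_CONFIG, SAMPLE_LOG_SIZES, SAMPLE_USERNAMES).items():
        print(f"{name}: {result}")
```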
Multi-Agency Response
The discovery prompted a coordinated response from multiple cyber agencies, including CISA, NCSC UK, and the Australian Cyber Security Centre, which published a comprehensive threat hunting guide.
Recommendations
Organizations running Cisco Catalyst SD-WAN should immediately:
- Follow Cisco’s security advisory and apply available patches
- Implement the Cisco Catalyst SD-WAN Hardening Guide
- Review all control connection peering events in logs
- Audit SSH keys and root access configurations
- Check for evidence of software version manipulation
- Deploy Snort rules 65938 and 65958 for detection
Why This Matters
This campaign represents the continuing trend of sophisticated threat actors targeting network edge devices to establish persistent footholds in high-value organizations. SD-WAN controllers are particularly attractive targets due to their central role in managing enterprise network connectivity — compromise provides attackers with visibility and control over an organization’s entire WAN infrastructure.
The three-year dwell time before discovery underscores the advanced evasion techniques employed by UAT-8616 and the critical importance of proactive threat hunting on network infrastructure devices.
