By Sead Fadilpašić
Publication Date: 2026-02-26 13:05:00
- Cisco Catalyst SD-WAN zero-day (CVE-2026-20127) being exploited since 2023
- Flaw allowed attackers to add rogue peers and manipulate network configs
- CISA added bug to KEV catalog, ordering urgent patching; linked to threat group UAT-8616
“Highly sophisticated” threat actors have reportedly been exploiting a zero-day vulnerability in Cisco Catalyst SD-WAN for over two years, the company has revealed.
Cisco’s cybersecurity arm, Talos, released a new report saying it observed a critical authentication vulnerability being actively exploited by crooks who used it to compromise controllers and add malicious rogue peers to target networks.
The vulnerability is now tracked as CVE-2026-20127 and carries the maximum severity score of 10/10 (critical).
CISA adds it to KEV
The National Vulnerability Database (NVD) says the bug exists “because the peering authentication mechanism in an affected system is not working properly”, allowing…