Critical Cisco SD-WAN vulnerability exploited since 2023

By Erik van Klinken
Publication Date: 2026-02-26 14:20:00

Cisco reports that a critical vulnerability in Catalyst SD-WAN has been exploited since 2023. The vulnerability, tracked as CVE-2026-20127, allows attackers to compromise controllers and add fake peers to networks. CISA is giving US government agencies two days to patch, and other organizations would be wise to adopt that sense of urgency.

The zero-day in Cisco Catalyst SD-WAN is being actively exploited, according to Cisco’s security arm Talos. The research team discovered that attackers are using this vulnerability to compromise controllers and connect malicious peers to target networks. The group, tracked as UAT-8616, is not yet known; it has been exploiting the flaw since at least 2023.

The problem lies in the peering authentication mechanism. According to the National Vulnerability Database (NVD), peering authentication is not working properly. This allows malicious actors to gain access to affected Cisco Catalyst SD-WAN Controllers via specially crafted…