PoC Exploit Released for Cisco SD-WAN 0-Day Vulnerability Exploited in the Wild

By Abinaya
Publication Date: 2026-03-06 02:26:00

A public proof-of-concept (PoC) exploit has been released for CVE-2026-20127, a maximum-severity zero-day vulnerability in Cisco Catalyst SD-WAN Controller and SD-WAN Manager that has been actively exploited in the wild since at least 2023.

Cisco Talos is tracking the threat activity under the cluster UAT-8616, describing it as a “highly sophisticated cyber threat actor” targeting critical infrastructure globally.

A PoC published on GitHub by zerozenxlabs includes a working Python exploit script and a JSP webshell (cmd.jsp).

It also contains a deployable WAR file, lowering the barrier for more threat actors to weaponize this critical flaw.

How the Attack Works

The vulnerability exists because the peering authentication mechanism in affected Cisco SD-WAN systems is broken.

An unauthenticated remote attacker sends a specially crafted HTTP request to the SD-WAN Controller’s REST…