Cisco SD-WAN Zero-Day: 'Ghost Peers' Infiltrated Controllers Since 2023

Cisco revealed on February 26, 2026, that a zero-day vulnerability in Catalyst SD-WAN controllers has been actively exploited since at least 2023. An advanced threat actor used the flaw to impersonate trusted peers within the management plane. Identified as CVE-2026-20127 with a maximum CVSS score of 10.0, the authentication bypass allowed an unknown actor to embed themselves within the core of corporate and government distributed networks. The severity of the breach prompted CISA to issue emergency directive ED 26-03. The campaign was brought to light after the ASD-ACSC discovered the activity and published a threat hunting guide co-authored by CISA, the NSA, and other international partners.

Key Takeaways
  • CVE-2026-20127 allows an unauthenticated remote attacker to bypass peering authentication in Cisco Catalyst SD-WAN controllers—including vSmart and vManage—to obtain a high-privileged internal account.
  • The actor, tracked as UAT-8616, exploited the flaw to create a "ghost" or rogue peer in the management or control planes, appearing as a legitimate, temporary component of the network topology.
  • After gaining initial access, the actor performed a software downgrade to exploit the known CVE-2022-20775 vulnerability, escalating privileges to root before restoring the original version to hide their tracks.
  • CISA has added both vulnerabilities to the KEV catalog and issued emergency directive ED 26-03 for federal agencies; currently, investigations have not detected lateral movement or C2 malware outside of the compromised SD-WAN components.

The 'Ghost Peer' Mechanism in the Management Plane

The flaw resides in the peering authentication mechanism of Cisco Catalyst SD-WAN controllers, affecting vSmart and vManage components. According to the vendor's advisory, specially crafted requests allow an unauthenticated remote attacker to circumvent identity verification and secure a high-privileged internal account. While this initial access does not grant root status, it allows the actor to instantiate a new peer within the management or control planes, making it appear as a legitimate and temporary element of the SD-WAN topology.

"The vulnerability allowed a malicious cyber actor to create a rogue peer joined to the network management plane, or control plane, of an organization's SD-WAN" — ASD-ACSC

The presence of this falsified peer within the network management system allows the actor to interact with network configurations as if they were a legitimate node, leveraging the inherent trust between SD-WAN control plane components.

Escalating to Root: Software Downgrades and CVE-2022-20775

Initial access alone was insufficient for total node control. To escalate privileges, the actor performed a software downgrade on the vSmart component to a version susceptible to CVE-2022-20775, a previously known local privilege escalation vulnerability. Utilizing what the Five Eyes threat hunting guide describes as likely public proof-of-concept code, the actor achieved root-level command execution. Once the operation was complete, the original software version was restored to minimize the forensic footprint.

This downgrade-then-restore technique suggests a sophisticated understanding of Cisco architecture and of software package management on the controllers, and it means a point-in-time version check alone cannot reveal that the downgrade ever happened.

Following escalation, persistence was maintained by inserting authorized SSH keys for the root account, modifying startup scripts, utilizing NETCONF and SSH sessions, and creating local accounts with deceptive names. Post-compromise activities also included the selective deletion of logs, complicating incident reconstruction for victims.

Three Years in the Shadows: Timeline and Anti-Forensics

Cisco Talos confirmed that active exploitation dates back at least to 2023, indicating a stealthy presence of over three years within target infrastructures. During this period, the actor maintained an extremely low profile; investigators found no evidence of lateral movement beyond the compromised SD-WAN components or the deployment of separate C2 malware. This suggests an operation strictly focused on management plane control rather than indiscriminate expansion into peripheral networks.

Cisco Talos classifies UAT-8616 as a highly sophisticated actor. However, neither Talos nor international partners have confirmed national attribution or links to known APT groups; the actor's identity remains unknown. A Talos statement noted that this modus operandi follows a broader trend: "UAT-8616's attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors looking to establish persistent footholds into high-value organizations, including Critical Infrastructure (CI) sectors."

No specific details regarding compromised federal agencies have been made public, and sources do not confirm a government-wide breach; the primary risk remains potential traffic manipulation and infrastructure persistence.

CISA Emergency Directive and Controller Patches

The severity of the threat led CISA to include both CVE-2026-20127 and CVE-2022-20775 in the KEV catalog and issue emergency directive ED 26-03. The directive requires federal agencies to inventory exposed devices, enable external logging, apply patches, and collect forensic artifacts under tight deadlines—though reports vary on the exact timeframe for compliance.

Bobby Kuzma, quoted in Infosecurity Magazine, observed that CISA likely believes these vulnerabilities have been, and potentially continue to be, exploited to compromise government systems, even if the total number of public victims remains undisclosed.

Cisco has released security updates for several release trains; fixed versions include 20.12.6.1, 20.12.5.3, 20.15.4.2, 20.18.2.1, and 20.9.8.2. Administrators are advised to analyze auth.log files for peering anomalies and to ensure no unauthorized SSH keys exist on controllers, since the actor demonstrated the ability to restore the environment after making system alterations.

Recommended Actions

  • Patching and Build Verification: Immediately update controllers to the corrected versions (20.12.6.1, 20.12.5.3, 20.15.4.2, 20.18.2.1, 20.9.8.2 or later) and verify installation hashes against official builds to rule out prior tampering.
  • Historical Threat Hunting: Utilize the ASD-ACSC and CISA joint guide to search for UAT-8616 IoCs, including deceptive local accounts and unauthorized changes to root SSH authorization files.
  • Centralized Logging: Implement out-of-band log collection immediately to preserve evidence from auth.log and session data, preventing local deletion by high-privileged actors.
  • Configuration Inspection: Audit startup scripts, NETCONF parameters, and SSH configurations for suspicious alterations that could indicate persistence surviving a reboot or update.
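As an added example (not code from Cisco, Talos or the joint guide), the following Python audits two of the persistence indicators named in the escalation section and in the Recommended Actions: root authorized_keys entries whose fingerprint is absent from a recorded allowlist, and local accounts absent from a baseline, paired with the legitimate name they most resemble. The key blobs, account names and allowlist are constructed samples; a real run would use the controller's own out-of-band copies and baseline inventory.

```python
"""Audit controller artifacts for the persistence indicators described above.
Added example, not vendor or ASD-ACSC tooling. Assumes root's authorized_keys and
/etc/passwd were copied off the controller out-of-band; all samples are constructed."""
import base64
import difflib
import hashlib

def key_fingerprint(entry):
    """OpenSSH-style SHA256 fingerprint of one authorized_keys entry (None if unparsable)."""
    fields = entry.split()
    for i, field in enumerate(fields):          # entries may carry leading options
        if field.startswith(("ssh-", "ecdsa-")) and i + 1 < len(fields):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:                  # binascii.Error is a ValueError
                return None
            digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
            return "SHA256:" + digest.rstrip("=")
    return None

def unauthorized_root_keys(authorized_keys, allowed_fingerprints):
    """Entries whose fingerprint is not in the recorded allowlist (or cannot be parsed)."""
    findings = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and key_fingerprint(line) not in allowed_fingerprints:
            findings.append(line)
    return findings

def suspicious_accounts(passwd, baseline):
    """Accounts missing from the baseline, each with the baseline name it most resembles."""
    found = []
    for line in passwd.splitlines():
        if ":" not in line:
            continue
        name = line.split(":", 1)[0]
        if name not in baseline:
            near = difflib.get_close_matches(name, sorted(baseline), n=1, cutoff=0.75)
            found.append((name, near[0] if near else None))
    return found

# Constructed samples: one recorded NOC key, one unknown key carrying a "from=" option.
KNOWN_GOOD = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHh4" + "eHh4" * 10 + " noc-admin@example"
ROGUE_KEY = 'from="203.0.113.7" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHl5' + "eXl5" * 10 + " update"
SAMPLE_AUTHORIZED_KEYS = "# managed by NOC\n" + KNOWN_GOOD + "\n" + ROGUE_KEY + "\n"
ALLOWED_FPS = {key_fingerprint(KNOWN_GOOD)}    # what the baseline inventory recorded
BASELINE_ACCOUNTS = {"root", "admin", "vmanage-admin", "netconf"}
SAMPLE_PASSWD = ("root:x:0:0::/root:/bin/bash\n"
                 "vmanage-admin:x:1000:1000::/home/vmanage-admin:/bin/bash\n"
                 "vmanage_admin:x:1001:1001::/home/vmanage_admin:/bin/bash\n"
                 "sysupdate:x:0:0::/root:/bin/bash\n")
```

Run against the samples, the key audit returns only the "from=" entry and the account audit flags vmanage_admin as a near-duplicate of vmanage-admin and sysupdate as unrelated to any baseline name.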

This incident underscores that the SD-WAN management plane has become a strategic target, offering silent control over entire distributed infrastructures. The ability of UAT-8616 to restore original software versions after achieving maximum privileges makes this vector particularly dangerous for defenses relying solely on software supply chain checks. For organizations, this case serves as a critical test of retrospective threat hunting capabilities rather than just patching speed.

Frequently Asked Questions

Is UAT-8616 attributed to a specific state or known APT group?

No. Cisco Talos has not confirmed any national attribution or links to previously cataloged APT groups; the identity and affiliation of UAT-8616 remain unknown.

What is the concrete risk for enterprises using Cisco SD-WAN?

An actor with root control over the controller can theoretically manipulate network traffic and insert malicious peers. However, available sources do not document data exfiltration, service disruptions, or physical impacts resulting from this campaign.

Has CISA established a uniform deadline for all agencies?

This cannot be stated with certainty. While emergency directive ED 26-03 mandates urgent action, specialized publications report varying timelines; the exact deadline is not uniquely confirmed across all sources.
