Cisco has issued urgent updates to fix a critical zero-day vulnerability (CVE-2026-20127) in its Catalyst SD-WAN products. A sophisticated threat actor tracked as UAT-8616 is exploiting this flaw to gain deep access to enterprise networks.
An unauthenticated remote attacker can exploit this weakness by sending specific requests to a vulnerable system. Cisco Talos has linked these ongoing attacks to UAT-8616, an advanced cyber threat actor that has been active since at least 2023.
These attackers focus on edge network devices to gain lasting access to critical infrastructure organizations. After UAT-8616 gains initial access through the zero-day flaw, they employ a multi-step method to gain complete control.
Attackers first downgrade the device’s software to an older, vulnerable version. They then exploit a secondary vulnerability, CVE-2022-20775, which enables local attackers to gain root-level privileges. Finally, they revert the system to the original software version to cover their tracks and keep their root access hidden.
Affected Products:
This vulnerability affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, regardless of device configuration.
This vulnerability affects the following deployment types:
On-Prem Deployment
Cisco Hosted SD-WAN Cloud
Cisco Hosted SD-WAN Cloud – Cisco Managed
Cisco Hosted SD-WAN Cloud – FedRAMP Environment
Indicators of Compromise:
Cisco Catalyst SD-WAN Controller systems that are exposed to the internet, or that have ports reachable from the internet, are at risk of compromise.
Customers are encouraged to audit the auth.log file, located at /var/log/auth.log, for entries containing "Accepted publickey for vmanage-admin" from unknown or unauthorized IP addresses, as shown in the following example:
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from port [REDACTED PORT] ssh2: RSA SHA256:[REDACTED KEY]
Customers must check the IP address found in auth.log against the configured System IPs listed in the Cisco Catalyst SD-WAN Manager web UI, under WebUI > Devices > System IP.
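As an added example that is not part of the original article and not Cisco's own tooling, the following Python script applies the check above to an auth.log: it extracts accepted public-key logins for vmanage-admin and flags any whose source address is not in the configured System IP list. The log lines and System IPs are constructed samples, and the script assumes the standard sshd line format in which the source address appears between "from" and "port".

```python
import re
from ipaddress import ip_address

# Matches sshd "Accepted publickey" lines; the source IP sits between "from" and "port".
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\S+)"
)


def parse_accepted_logins(log_text, user="vmanage-admin"):
    """Return (timestamp, source_ip) tuples for accepted public-key logins of `user`."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group("user") == user:
            timestamp = line.split(" ", 1)[0]  # ISO timestamp is the first field
            hits.append((timestamp, m.group("ip")))
    return hits


def unexpected_sources(log_text, system_ips, user="vmanage-admin"):
    """Return accepted logins whose source IP is not one of the configured System IPs."""
    allowed = {ip_address(ip) for ip in system_ips}
    flagged = []
    for timestamp, ip in parse_accepted_logins(log_text, user):
        try:
            src = ip_address(ip)
        except ValueError:
            flagged.append((timestamp, ip))  # unparsable source field: surface it for review
            continue
        if src not in allowed:
            flagged.append((timestamp, ip))
    return flagged


# Constructed sample log: two logins from configured System IPs, one from an unlisted host,
# plus an unrelated failed-password line that must be ignored.
SAMPLE_AUTH_LOG = """\
2026-02-10T22:40:02+00:00 vm sshd[771]: Accepted publickey for vmanage-admin from 10.10.1.2 port 44122 ssh2: RSA SHA256:AAAA
2026-02-10T22:45:13+00:00 vm sshd[790]: Failed password for invalid user test from 203.0.113.9 port 51000 ssh2
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from 198.51.100.77 port 40212 ssh2: RSA SHA256:BBBB
2026-02-10T23:01:09+00:00 vm sshd[812]: Accepted publickey for vmanage-admin from 10.10.1.3 port 44180 ssh2: RSA SHA256:CCCC
"""
# Constructed sample of the System IPs as they would be read from Manager > Devices > System IP.
CONFIGURED_SYSTEM_IPS = ["10.10.1.2", "10.10.1.3"]

if __name__ == "__main__":
    for timestamp, ip in unexpected_sources(SAMPLE_AUTH_LOG, CONFIGURED_SYSTEM_IPS):
        print(f"{timestamp} accepted publickey login for vmanage-admin from unlisted source {ip}")
```

On a real controller, read /var/log/auth.log into `log_text` and fill `CONFIGURED_SYSTEM_IPS` from the Manager UI; any line the script flags is a candidate for the TAC case described below.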
Cisco said customers should open a case with the Cisco Technical Assistance Center (TAC). Before opening a new TAC case, customers are encouraged to issue the request admin-tech command from each of the control components in the SD-WAN deployment so that the admin-tech file can be provided to the Cisco TAC for review.