A public proof-of-concept (PoC) exploit for CVE-2026-20127, a critical zero-day vulnerability in Cisco Catalyst SD-WAN Controller and Manager, has been released. The vulnerability has been actively exploited since 2023.
Cisco Talos is tracking the threat activity under the cluster UAT-8616, describing it as a “highly sophisticated cyber threat actor” targeting critical infrastructure globally.
A PoC by zerozenxlabs on GitHub features a Python exploit script and a JSP webshell (cmd.jsp). An unauthenticated remote attacker can send a specific HTTP request to the SD-WAN Controller’s REST API, bypassing authentication and obtaining an admin session without valid credentials.
Once inside, UAT-8616 followed a multi-stage attack chain:
Initial access: Used a known vulnerability to gain high-level admin access and added a fake device to the SD-WAN management system.
Privilege escalation: Rolled back the software to an older version with a known flaw.
Version restoration: Returned the system to the original software version to remove traces of the downgrade.
Persistence: Added unauthorized SSH keys to /home/root/.ssh/authorized_keys, set PermitRootLogin yes in sshd_config, and modified SD-WAN startup scripts.
Lateral movement: Used network protocols to move between SD-WAN appliances and manipulate the entire fabric configuration.
Cover-up: Cleared syslog, bash_history, wtmp, lastlog, and logs under /var/log/.
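As an added defender-side example (not code from the original post, from Cisco Talos or from the PoC), the following Python checks an exported appliance filesystem for the host-level traces listed above: unapproved keys in root's authorized_keys, an effective PermitRootLogin yes, and emptied log files. The exact log paths, the /home/root/.bash_history location and the approved-key inventory are assumptions; the sample inputs are constructed.

```python
"""Hunt for the persistence and anti-forensic traces described in the attack chain."""
import re

# Public-key portion of an authorized_keys line (key type followed by the base64 blob).
KEY_RE = re.compile(r"(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-[\w-]+@openssh\.com)"
                    r"\s+[A-Za-z0-9+/=]+")

def rogue_root_keys(authorized_keys_text, approved_blobs):
    """Return key blobs in /home/root/.ssh/authorized_keys absent from the approved inventory."""
    findings = []
    for line in authorized_keys_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.search(line)  # search, so leading options such as from="..." are skipped
        blob = m.group(0).split()[1] if m else line.strip()
        if blob not in approved_blobs:
            findings.append(blob)
    return findings

def permit_root_login_yes(sshd_config_text):
    """sshd honours the first effective PermitRootLogin directive; report whether it is 'yes'."""
    for line in sshd_config_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = re.match(r"PermitRootLogin\s+(\S+)", s, re.IGNORECASE)
        if m:
            return m.group(1).lower() == "yes"
    return False  # absent: not explicitly enabled (the appliance default is not known here)

def emptied_logs(log_sizes):
    """Flag watched logs whose size is zero on a host that should carry history (paths assumed)."""
    watched = ("/var/log/syslog", "/var/log/wtmp", "/var/log/lastlog", "/home/root/.bash_history")
    return [p for p in watched if log_sizes.get(p) == 0]

def hunt(authorized_keys_text, sshd_config_text, log_sizes, approved_blobs):
    """Combine the three checks into a list of human-readable findings."""
    findings = [f"unapproved root SSH key: {b[:16]}..." for b in rogue_root_keys(authorized_keys_text, approved_blobs)]
    if permit_root_login_yes(sshd_config_text):
        findings.append("sshd_config: PermitRootLogin yes")
    findings += [f"log emptied: {p}" for p in emptied_logs(log_sizes)]
    return findings

# Constructed sample inputs (not artefacts from the incident).
SAMPLE_KEYS = ('# approved ops key\nssh-ed25519 AAAAC3Nzexample1approved admin@ops\n'
               'from="10.0.0.5" ssh-rsa AAAAB3Nzexample2rogue x\n')
SAMPLE_SSHD = "# PermitRootLogin no\nPermitRootLogin yes\nPasswordAuthentication no\n"
SAMPLE_SIZES = {"/var/log/syslog": 0, "/var/log/wtmp": 0, "/var/log/lastlog": 4096,
                "/home/root/.bash_history": 0}
APPROVED = {"AAAAC3Nzexample1approved"}

if __name__ == "__main__":
    for finding in hunt(SAMPLE_KEYS, SAMPLE_SSHD, SAMPLE_SIZES, APPROVED):
        print(finding)
```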
Cisco Talos urges administrators to immediately audit control connection peering events in SD-WAN logs for unauthorized vManage peer connections, unexpected source IPs, and anomalous timestamps.
CISA has included CVE-2026-20127 in its KEV catalog and requires federal agencies to patch it urgently.
Organizations using Cisco Catalyst SD-WAN must patch immediately, review the security advisory, and follow the Australian Cyber Security Centre’s SD-WAN Threat Hunting Guide to check for any compromises.
InfoSecBulletin Cybersecurity for mankind
