Cisco SD-WAN Zero-Day Exploited by Highly Sophisticated Threat Actor
Summary
A critical zero-day vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN Controller and Manager is being actively exploited by a highly sophisticated threat actor tracked as UAT-8616. The flaw allows unauthenticated remote attackers to bypass authentication and gain administrative privileges, and it has a CVSS score of 10.0, indicating maximum severity. Exploitation dates back to 2023. Cisco has credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability and is actively tracking the exploitation and post-compromise activities associated with this flaw.
Timeline
- 02.03.2026 15:26 · 1 article
Cisco SD-WAN Zero-Day Exploited by Highly Sophisticated Threat Actor
A critical zero-day vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN Controller and Manager is being actively exploited by a sophisticated threat actor, tracked as UAT-8616. The flaw allows unauthenticated remote attackers to bypass authentication and gain administrative privileges. The exploitation dates back to 2023, and Cisco has credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability. The threat actor is described as highly sophisticated, and the exploitation has been ongoing for some time.
Sources:
- ⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More — thehackernews.com — 02.03.2026 15:26
Information Snippets
- The vulnerability, tracked as CVE-2026-20127, has a CVSS score of 10.0, indicating maximum severity.
First reported: 02.03.2026 15:26 · 1 source, 1 article
Sources:
- ⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More — thehackernews.com — 02.03.2026 15:26
- The flaw allows unauthenticated remote attackers to bypass authentication and gain administrative privileges.
First reported: 02.03.2026 15:26 · 1 source, 1 article
Sources:
- ⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More — thehackernews.com — 02.03.2026 15:26
- The exploitation dates back to 2023, and the threat actor is tracked as UAT-8616.
First reported: 02.03.2026 15:26 · 1 source, 1 article
Sources:
- ⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More — thehackernews.com — 02.03.2026 15:26
- Cisco has credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability.
First reported: 02.03.2026 15:26 · 1 source, 1 article
Sources:
- ⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More — thehackernews.com — 02.03.2026 15:26
- The threat actor is described as highly sophisticated, and the exploitation has been ongoing for some time.
First reported: 02.03.2026 15:26 · 1 source, 1 article
Sources:
- ⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More — thehackernews.com — 02.03.2026 15:26