{"id":11151,"date":"2026-03-06T10:04:03","date_gmt":"2026-03-06T10:04:03","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/06\/poc-exploit-released-cisco-sd-wan-0-day-vulnerability-exploited-in-the-wild\/"},"modified":"2026-03-06T10:04:03","modified_gmt":"2026-03-06T10:04:03","slug":"poc-exploit-released-cisco-sd-wan-0-day-vulnerability-exploited-in-the-wild","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/06\/poc-exploit-released-cisco-sd-wan-0-day-vulnerability-exploited-in-the-wild\/","title":{"rendered":"PoC Exploit Released Cisco SD-WAN 0-Day Vulnerability Exploited in the Wild"},"content":{"rendered":"

PoC Exploit Released Cisco SD-WAN 0-Day Vulnerability Exploited in the Wild
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A public proof-of-concept (PoC) exploit has been released for\u00a0CVE-2026-20127<\/a>, a maximum-severity zero-day vulnerability in Cisco Catalyst SD-WAN Controller and SD-WAN Manager that has been actively exploited in the wild since at least 2023.<\/p>\n

Cisco Talos is tracking the threat activity under the cluster\u00a0UAT-8616, describing it as a \u201chighly sophisticated cyber threat actor\u201d targeting critical infrastructure globally.<\/p>\n

A PoC published on GitHub by zerozenxlabs <\/a>includes a working Python exploit script and a JSP webshell (cmd.jsp<\/code>).<\/p>\n

It also contains a deployable WAR file, lowering the barrier for more threat actors to weaponize this critical flaw.<\/p>\n

How the Attack Works<\/strong><\/h2>\n

The vulnerability exists because the\u00a0peering authentication mechanism<\/a>\u00a0in affected Cisco SD-WAN systems is broken.<\/p>\n

An unauthenticated remote attacker sends a specially crafted HTTP request to the SD-WAN Controller\u2019s REST API<\/a>, completely bypassing the login process and gaining an administrative session without any valid credentials.<\/p>\n

Once inside, UAT-8616 followed a multi-stage attack chain:<\/p>\n

    \n
  1. \nInitial access<\/strong>: Exploited CVE-2026-20127 to gain high-privileged, non-root admin access and added a rogue peer device to the SD-WAN management\/control plane\u200b.<\/li>\n
  2. \nPrivilege escalation<\/strong>: Staged a deliberate\u00a0software version downgrade\u00a0to reintroduce the older CVE-2022-20775 flaw, escalating to full root access\u200b.<\/a>\n<\/li>\n
  3. \nVersion restoration<\/strong>: Restored the system to its original software version to erase forensic evidence <\/a>of the downgrade\u200b.<\/li>\n
  4. \nPersistence<\/strong>: Added unauthorized SSH keys to\u00a0\/home\/root\/.ssh\/authorized_keys, set\u00a0PermitRootLogin yes\u00a0in sshd_config, and modified SD-WAN startup scripts\u200b.<\/li>\n
  5. \nLateral movement<\/strong>: Used NETCONF (port 830) and SSH to pivot between SD-WAN appliances<\/a> and manipulate the entire fabric configuration\u200b.<\/li>\n
  6. \nCover-up<\/strong>: Cleared syslog, bash_history, wtmp, lastlog, and logs under\u00a0\/var\/log\/\u200b.<\/li>\n<\/ol>\n

    Cisco Talos urges administrators<\/a> to immediately audit\u00a0control connection peering events\u00a0in SD-WAN logs for unauthorized vManage peer connections, unexpected source IPs, and anomalous timestamps.<\/p>\n

    Any log entries showing rogue peer additions, SSH key modifications<\/a>, or version downgrade\/upgrade cycles should be treated as high-fidelity indicators of compromise.<\/p>\n

    CISA has added CVE-2026-20127 to its\u00a0Known Exploited Vulnerabilities (KEV)\u00a0catalog and mandated urgent patching for federal agencies<\/a>.<\/p>\n

    Organizations using Cisco Catalyst SD-WAN should apply patches immediately, review the security advisory, and follow the Australian Cyber Security Centre SD-WAN Threat Hunting Guide to check for compromise.<\/p>\n

    Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

    The post PoC Exploit Released Cisco SD-WAN 0-Day Vulnerability Exploited in the Wild<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

    \t

    \n
    <\/BR>
    \n Abinaya
    \n \t

    \n
    <\/BR>
    \n    Go to cyber-security-news<\/a>
    \n \t

    \n
    <\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

    PoC Exploit Released Cisco SD-WAN 0-Day Vulnerability Exploited in the Wild A public proof-of-concept (PoC) exploit has been released for\u00a0CVE-2026-20127, a maximum-severity zero-day vulnerability in Cisco Catalyst SD-WAN Controller and SD-WAN Manager that has been actively exploited in the wild since at least 2023. Cisco Talos is tracking the threat activity under the cluster\u00a0UAT-8616, describing […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-11151","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11151"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11151"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11151\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}