Cisco SD-WAN Zero-Day Exploited by Threat Actor Since 2023

Cisco SD-WAN Zero-Day Exploited by Threat Actor Since 2023

First seen 25 Feb 2026, 18:12 UTC ComputerweeklyTenableNcsc.UkBlog.TalosintelligenceFeeds2.Feedburner+60 83% similarity 82.1

Article Content

Browse articles
ThreatCluster

A cyber threat actor has been exploiting a zero-day vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN Controller since 2023. This vulnerability allows unauthenticated remote attackers to bypass authentication and gain administrative privileges, potentially leading to long-term persistence in affected systems. Cisco and the Australian Cyber Security Centre have reported the ongoing exploitation of this vulnerability.

ThreatCluster AI

Timeline

2022-09-30
CVE-2022-20775 published
2023-01-01
Exploitation of CVE-2026-20127 began
2026-02-25
CVE-2026-20127 published
2026-02-25
CVE-2026-20127 added to CISA KEV for active exploitation

Community

Browse all →