Cisco SD-WAN Zero-Day Exploited by Threat Actor Since 2023

Severity: Critical (Score: 82.1)

Sources: Sec.Cloudapps.Cisco, Bleepingcomputer, Cyber.Au, Scworld, Rescana

Summary

A cyber threat actor has been exploiting a zero-day vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN Controller since 2023. This vulnerability allows unauthenticated remote attackers to bypass authentication and gain administrative privileges, potentially leading to long-term persistence in affected systems. Cisco and the Australian Cyber Security Centre have reported the ongoing exploitation of this vulnerability.

Key Entities

  • Salt Typhoon (apt_group)
  • UAT-8616 (apt_group)
  • Volt Typhoon (apt_group)
  • Data Breach (attack_type)
  • DDoS (attack_type)
  • Zero-day Exploit (attack_type)
  • The Three-Year Shadow (campaign)
  • Cisco (company)
  • Cybersecurity and Infrastructure Security Agency (company)
  • Australia (country)
  • Canada (country)
  • England (country)
  • New Zealand (country)
  • United Kingdom (country)
  • CVE-2022-20775 (cve)
  • CVE-2025-20127 (cve)
  • CVE-2026-20122 (cve)
  • CVE-2026-20127 (cve)
  • cyber.gc.ca (domain)
  • Energy (industry)
  • Government (industry)
  • Telecommunications (industry)
  • Transportation (industry)
  • 20.12.5.3 (ipv4)
  • 20.12.6.1 (ipv4)
  • 20.15.4.2 (ipv4)
  • 20.18.2.1 (ipv4)
  • T1021 - Remote Services (mitre_attack)
  • T1068 - Exploitation for Privilege Escalation (mitre_attack)
  • T1078 - Valid Accounts (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • Async Software (platform)
  • Catalyst SD-WAN (platform)
  • Catalyst SD-WAN Controller (platform)
  • Catalyst SD-WAN Controllers (platform)
  • Catalyst SD-WAN Manager (platform)
  • Authentication Bypass Vulnerability (vulnerability)