"Cisco confirmed that attackers exploited the bug, tracked as CVE-2026-20127, to bypass authentication, gain privileged access, and quietly steal data. The discovery prompted a rare joint warning from authorities in the US, UK, Australia, Canada, and New Zealand."
"The vulnerability tagged CVE-2026-20127 has a critical base score of 10.0 and an impact score of 6.0, demanding prompt action. Successfully exploiting the vulnerability allows attackers to steal data and, with ease, launch other cyberattacks."
"After gaining root access, the attacker created local accounts that mimicked legitimate accounts and re-exploited CVE-2026-20127, thereby gaining persistent access. After gaining persistent access, the attacker restored the controller to its previous version."
Cisco discovered that attackers exploited CVE-2026-20127, a critical vulnerability in Catalyst SD-WAN products, to bypass authentication and gain privileged access for data theft. The flaw went unnoticed for three years before exploitation. Attackers chained this vulnerability with CVE-2022-20775 to escalate to root access, create persistent backdoor accounts mimicking legitimate users, and cover their tracks. The attack involved downgrading the controller to exploit the older vulnerability, then restoring it to avoid detection. A single unidentified actor labeled UAT-8616 is suspected. The discovery prompted joint warnings from US, UK, Australian, Canadian, and New Zealand authorities due to the severity and sophistication of the attack chain.
#cisco-catalyst-sd-wan-vulnerability #cve-2026-20127 #authentication-bypass #privilege-escalation #persistent-access
Read at TechRepublic
Unable to calculate read time
Collection
[
|
...
]