Five Eyes Urges Immediate Patching of Cisco SD-WAN Vulnerabilities

The Five Eyes intelligence alliance has issued a joint alert regarding two critical vulnerabilities in Cisco Catalyst SD-WAN devices, urging organizations to take immediate action.

The Five Eyes intelligence alliance has issued an urgent warning for organizations using Cisco Catalyst SD-WAN devices to patch two vulnerabilities that have been exploited in attacks. This alert, co-signed by all five agencies, highlights the seriousness of the situation.

Details of the Vulnerabilities

The vulnerabilities were first identified by the Australian Signals Directorate (ASD). The UK’s National Cyber Security Centre (NCSC) stated that malicious actors are targeting Cisco Catalyst SD-WAN devices globally. These attackers aim to compromise the SD-WANs by adding a rogue peer, which allows them to achieve root access and maintain persistent control over the devices.

The first vulnerability, identified as CVE-2022-20775, is a path traversal flaw with a CVSS score of 7.8. This vulnerability, disclosed in September 2022, affects the command line interface of the SD-WAN, enabling privilege escalation.

The second vulnerability, CVE-2026-20127, has a maximum severity rating of 10.0 and was disclosed recently. It is classified as an improper authentication flaw that impacts both the Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. Exploiting this vulnerability allows attackers to gain administrative rights and potentially reconfigure the SD-WAN fabric.

Exploitation and Impact

Cisco’s Talos security team has attributed the exploitation of CVE-2026-20127 to a group it tracks as UAT-8616 and indicated that these attacks may have been occurring since at least 2023. While specific details about the attackers remain undisclosed, Talos described them as a highly sophisticated cyber threat actor.

Although the exact number of attacks is not specified, Talos noted that the targets are likely to be in sensitive sectors, suggesting a focus on high-value organizations, including those in critical infrastructure.

Recommended Actions for Organizations

The Five Eyes agencies strongly recommend that organizations using Cisco Catalyst SD-WAN products investigate their exposure to these vulnerabilities. They advise following the Five Eyes Hunt Guide to detect signs of compromise. If any signs are found, organizations should report the data to relevant security authorities and upgrade to the latest version of the Cisco Catalyst SD-WAN Controller/Manager.

NCSC CTO Ollie Whitehouse emphasized the urgency of this alert, urging organizations to apply vendor updates and hardening guidance as soon as possible to mitigate the risk of exploitation.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ