Cisco: Attackers have been entering networks via security gap for three years

Attackers are exploiting a critical vulnerability in Cisco Catalyst SD-WAN Controller. Cisco is also patching other products like Nexus 9000.


(Image: solarseven/Shutterstock.com)


Network admins managing enterprise IT infrastructures with Cisco Catalyst SD-WAN Controller should update the application immediately due to ongoing attacks. By exploiting a security vulnerability, attackers gain access to networks and establish a foothold. Not all security patches are available at this time.

Cisco Talos security researchers state in a post that the attacks have been ongoing for at least three years. Who is behind the attacks remains unknown so far. The researchers summarize the threat under the designation “UAT-8616.” They assume that highly sophisticated cyberthreat actors are behind it. The US security authority CISA has issued an emergency directive. It classifies the attacks as a state-sponsored threat and orders authorities to install the security patches by February 27th.

As a Cisco advisory indicates, Catalyst SD-WAN Controller and Catalyst SD-WAN Manager are specifically affected by the attacks. Because a peering authentication mechanism does not function correctly (CVE-2026-20127, rated “critical” with a CVSS score of 10 out of 10), attackers can target vulnerable systems with specially crafted requests. If the attacks succeed, they gain high-privilege access to the instances and establish a foothold in the network.

In the advisory, Cisco lists Indicators of Compromise that admins can use to identify already attacked systems. Due to the severity, even some versions no longer in support, such as 20.11, are receiving security updates. However, for releases prior to 20.9, an upgrade is necessary to receive security patches. The following versions are protected against the described attack:

  • 20.12.6.1
  • 20.12.5.3
  • 20.15.4.2
  • 20.18.2.1

Version 20.9.8.2 is scheduled for release on February 27th.


If attackers exploit five additional “critical” vulnerabilities (e.g., CVE-2026-20122) in Catalyst SD-WAN, they can gain root privileges and compromise systems. Furthermore, other products, including Nexus 3600 and 9000, NX-OS, and UCS, are also vulnerable; the consequences include DoS conditions. The network equipment provider lists further information on the vulnerabilities and security updates in the security section of its website.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.