A coordinated global campaign targeting Cisco SD-WAN environments has been identified by CISA, NSA, and international partners. Threat actors are actively exploiting a chain of vulnerabilities, most notably CVE-2026-20127 (authentication bypass) and CVE-2022-20775 (privilege escalation), to gain initial access, escalate privileges, and establish persistent footholds in enterprise networks.
Both vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in real-world attacks.
Technical Overview
CVE-2026-20127 enables attackers to bypass authentication mechanisms on Cisco SD-WAN controllers, effectively granting access to management interfaces without valid credentials. This type of vulnerability is particularly dangerous because it removes the need for phishing, credential theft, or brute-force techniques, allowing direct entry into critical infrastructure.
Once access is established, CVE-2022-20775 is used to escalate privileges within the environment. This flaw is associated with insufficient authorization controls between different privilege contexts within the system, allowing attackers to move from initial foothold to full administrative control. With that level of access, they can modify configurations, create accounts, and embed persistence mechanisms within the SD-WAN control plane.
The combination of these two vulnerabilities creates a highly effective attack chain that is both low-friction and high-impact.
Attack Chain Analysis
Observed threat activity follows a structured and effective sequence:
- Initial Access
  - Exploitation of CVE-2026-20127 to bypass authentication
- Privilege Escalation
  - Use of CVE-2022-20775 to gain administrative control
- Persistence Establishment
  - Modification of configurations or credentials
  - Potential deployment of backdoors or rogue accounts
- Post-Exploitation Activity
  - Network reconnaissance
  - Lateral movement across connected environments
  - Long-term persistence within SD-WAN control plane
Affected Environments
Organizations using Cisco Catalyst SD-WAN solutions are most at risk, particularly where management interfaces are exposed or not adequately restricted. Environments that have not applied recent security updates or lack centralized logging and monitoring are especially vulnerable to undetected compromise.
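The exposure condition described above can be checked mechanically against an asset inventory. The following is an added example, not code from the advisory, CISA, or Cisco: it takes a constructed inventory of SD-WAN controllers and edges, each with a management address and the source ranges its protecting ACL permits, and flags every management interface that either sits outside the organisation's internal ranges or accepts management connections from non-internal sources. The field names (`mgmt_ip`, `allowed_sources`, the `role` labels) and the trusted ranges are assumptions to be replaced with your own CMDB and firewall exports.

```python
"""Flag SD-WAN management interfaces that are exposed or inadequately restricted.

Added example (not from the advisory or from Cisco). The inventory and the
ACL source lists below are constructed; field names are hypothetical.
"""
import ipaddress
from dataclasses import dataclass

# Ranges considered "internal" for management access. Assumed RFC 1918 here;
# substitute the management VLANs / jump-host ranges your policy actually allows.
TRUSTED_SOURCES = [
    ipaddress.ip_network(s) for s in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class Asset:
    name: str
    role: str              # constructed labels: "controller" or "edge"
    mgmt_ip: str           # address the management interface listens on
    allowed_sources: list  # CIDR strings the ACL in front of mgmt_ip permits


def _is_trusted(net):
    """A source range is trusted only if it lies wholly inside one trusted range."""
    return any(
        net.subnet_of(t) for t in TRUSTED_SOURCES if t.version == net.version
    )


def exposure_findings(assets):
    """Return one finding per asset whose management plane is exposed.

    Severity: critical = non-internal address reachable from any source,
    high = non-internal address with specific external sources,
    medium = internal address but ACL admits non-internal sources.
    """
    findings = []
    for a in assets:
        ip = ipaddress.ip_address(a.mgmt_ip)
        internal = any(ip in t for t in TRUSTED_SOURCES if t.version == ip.version)
        untrusted = []
        any_source = False
        for src in a.allowed_sources:
            net = ipaddress.ip_network(src, strict=False)
            if not _is_trusted(net):
                untrusted.append(src)
                if net.prefixlen == 0:      # 0.0.0.0/0 or ::/0
                    any_source = True
        if not internal and any_source:
            severity = "critical"
        elif not internal:
            severity = "high"
        elif untrusted:
            severity = "medium"
        else:
            continue                       # internal address, internal-only ACL
        findings.append({
            "name": a.name,
            "role": a.role,
            "severity": severity,
            "mgmt_ip": a.mgmt_ip,
            "untrusted_sources": untrusted,
        })
    return findings


# Constructed inventory; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for real public addresses.
INVENTORY = [
    Asset("vmanage-01", "controller", "203.0.113.10", ["0.0.0.0/0"]),
    Asset("vbond-01", "controller", "203.0.113.11", ["198.51.100.0/24"]),
    Asset("vsmart-01", "controller", "10.10.5.20", ["10.0.0.0/8"]),
    Asset("edge-hq-01", "edge", "192.168.40.2", ["10.20.0.0/16", "172.16.9.0/24"]),
    Asset("edge-branch-07", "edge", "10.44.1.1", ["0.0.0.0/0"]),
]

if __name__ == "__main__":
    for f in exposure_findings(INVENTORY):
        print(f"{f['severity']:8} {f['name']:15} {f['mgmt_ip']:15} "
              f"sources={','.join(f['untrusted_sources']) or '-'}")
```

The check deliberately treats a documentation-range address as non-internal rather than relying on `ipaddress`'s `is_global`, which returns False for those reserved ranges; in production the only thing that matters is whether the address sits inside the ranges you have defined as management-plane trusted.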
Recommended Mitigations
Organizations should take immediate action to reduce exposure and assess potential compromise:
- Apply all available patches and updates for Cisco SD-WAN systems
- Inventory all SD-WAN assets and identify exposed management interfaces
- Collect logs, configurations, and system snapshots to support threat hunting
- Conduct a thorough review for indicators of compromise across network and identity telemetry
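The telemetry review in the last step is most useful when it is keyed to the attack chain described earlier: privileged activity that is not preceded by an observed successful authentication (the footprint an authentication bypass leaves in identity telemetry), followed by account creation or privilege changes (the persistence stage). The following is an added example, not code from the advisory, CISA, or Cisco: it runs that logic over constructed controller audit events in a simple key=value format. The event names, field names, the eight-hour authentication window and the sample lines are all assumptions; map them onto the audit export your controllers actually produce.

```python
"""Hunt controller audit events for activity that fits the described chain.

Added example (not from the advisory or from Cisco). The key=value log format,
the event names and the sample lines are constructed for illustration.
"""
from datetime import datetime, timedelta

# Assumed maximum lifetime of an authenticated management session; tune to your AAA policy.
AUTH_WINDOW = timedelta(hours=8)
# Constructed event names for actions that should only follow a successful login.
PRIVILEGED_EVENTS = {"session_start", "config_change", "account_create", "privilege_change"}
# Subset that also warrants review as a persistence indicator regardless of authentication.
PERSISTENCE_EVENTS = {"account_create", "privilege_change"}

# Constructed sample: a normal operator on day one, an unexplained admin session
# from an external address, then a normal operator again on day two.
SAMPLE_LOG = """
2026-03-01T08:00:00Z host=vmanage-01 event=auth_success user=netops src=10.10.0.5
2026-03-01T08:05:00Z host=vmanage-01 event=config_change user=netops src=10.10.0.5 object=policy/hq-qos
2026-03-01T09:12:41Z host=vmanage-01 event=session_start user=admin src=198.51.100.23
2026-03-01T09:13:10Z host=vmanage-01 event=privilege_change user=admin src=198.51.100.23 target=admin level=netadmin
2026-03-01T09:14:02Z host=vmanage-01 event=account_create user=admin src=198.51.100.23 target=svc_backup level=netadmin
2026-03-01T09:15:30Z host=vmanage-01 event=config_change user=admin src=198.51.100.23 object=system/aaa
2026-03-02T07:00:00Z host=vmanage-01 event=auth_success user=netops src=10.10.0.5
2026-03-02T07:01:00Z host=vmanage-01 event=config_change user=netops src=10.10.0.5 object=policy/branch-qos
""".strip().splitlines()


def parse_event(line):
    """Parse '<ISO timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def hunt(lines):
    """Return findings keyed to the chain: 'no_auth' and 'persistence'."""
    last_auth = {}      # (host, user) -> time of most recent auth_success
    findings = []
    for line in lines:
        ev = parse_event(line)
        key = (ev["host"], ev["user"])
        if ev["event"] == "auth_success":
            last_auth[key] = ev["ts"]
            continue
        if ev["event"] not in PRIVILEGED_EVENTS:
            continue
        seen = last_auth.get(key)
        base = {"ts": ev["ts"].isoformat(), "host": ev["host"],
                "user": ev["user"], "src": ev.get("src"), "event": ev["event"]}
        # Privileged activity with no successful authentication inside the window.
        if seen is None or ev["ts"] - seen > AUTH_WINDOW:
            findings.append({**base, "kind": "no_auth"})
        # Account or privilege changes are reviewed as persistence candidates.
        if ev["event"] in PERSISTENCE_EVENTS:
            findings.append({**base, "kind": "persistence",
                             "target": ev.get("target"), "level": ev.get("level")})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['kind']:11} {f['ts']} {f['host']} user={f['user']} "
              f"src={f['src']} event={f['event']}")
```

Correlating on (host, user) rather than on session identifiers keeps the example portable, but if your audit export carries a session id, key on that instead so that a long-lived legitimate session is not reported once the window elapses.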
Stay Safe. Stay Secure.
OP Innovate Research Team