Active exploitation of Cisco Catalyst SD-WAN by UAT-8616
Summary: Cisco Talos has found the zero-day vulnerability CVE-2026-20127 in Cisco Catalyst SD-WAN Controller under active exploitation; it allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges. The activity is tracked as UAT-8616, attributed to a sophisticated threat actor, and traces back three years. The attacker obtained root via a software downgrade and exploited CVE-2022-20775 to extend their access. Users are advised to follow the security advisories and hardening guide to protect their environments. 2026-2-25 16:18:45 Author: blog.talosintelligence.com

Cisco Talos is tracking the active exploitation of CVE-2026-20127, a vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart) that allows an unauthenticated remote attacker to bypass authentication by sending a crafted request to an affected system. Successful exploitation may allow the attacker to gain administrative privileges on the Controller as an internal, high-privileged, non-root user account.

Talos clusters this exploitation and subsequent post-compromise activity as “UAT-8616”, which we assess with high confidence to be a highly sophisticated cyber threat actor. After discovering active exploitation of the 0-day in the wild, we found evidence that the malicious activity went back at least three years (to 2023). Investigation conducted by intelligence partners identified that the actor likely escalated to the root user via a software version downgrade: the actor reportedly exploited CVE-2022-20775 on the downgraded version before restoring the original software version, effectively gaining root access.

UAT-8616's exploitation attempts indicate a continuing trend of cyber threat actors targeting network edge devices to establish persistent footholds in high-value organizations, including Critical Infrastructure (CI) sectors.

Customers are strongly advised to follow the guidance published in the security advisories discussed below. Additional recommendations specific to Cisco are available here. Customer support is also available by initiating a TAC request. Talos strongly recommends that customers and partners using Cisco Catalyst SD-WAN technology follow the steps outlined in this advisory to help protect their environments.


Initial Peering Event Analysis

The initial and most critical activity to look for is any control connection peering event identified in Cisco Catalyst SD-WAN logs, as this may indicate an attempt at initial access via CVE-2026-20127. All such peering events require manual validation to confirm their legitimacy, with particular focus on vManage peering types. Threat actors who compromise Cisco Catalyst SD-WAN infrastructure often establish unauthorized peer connections that may appear superficially normal but occur at unexpected times, originate from unrecognized IP addresses, or involve device types inconsistent with the environment's architecture. A comprehensive review process is essential to distinguish between legitimate network operations and potential indicators of compromise.

Validation Checklist Items Include

  • Verify the timestamp of each peering event against known maintenance windows, scheduled configuration changes, and normal operational hours for your environment.
  • Confirm the public IP address corresponds to infrastructure owned or operated by your organization or authorized partners by cross-referencing against asset inventories and authorized IP ranges.
  • Validate the peer system IP matches documented device assignments within your Cisco Catalyst SD-WAN topology.
  • Review the peer type (vmanage, vsmart, vedge, vbond) to ensure it aligns with expected device roles in your deployment.
  • Correlate multiple events from the same source IP or system IP to identify patterns of reconnaissance or persistent access attempts.
  • Cross-reference event timing with authentication logs, change management records, and user activity to establish whether the connection was initiated by authorized personnel.

Sample Log Entry

Feb 20 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005 

Log Analysis

In the example above, validate that the peer-system-ip matches the IP address schema in use, that the timestamp coincides with an event expected to cause a peering (such as a scheduled change), and that the public-ip is an expected source for a peering event.
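As an added example (not code from the Talos post), the following Python parser and validator applies the checklist above to the sample entry. The baseline inventory, authorized IP ranges and maintenance window are hypothetical values standing in for your own asset records.

```python
import re
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the entry shown above (not a real capture).
SAMPLE_LOG = (
    "Feb 20 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change "
    "new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005"
)

# Hypothetical environment baseline; replace with your own inventory and change records.
BASELINE = {
    "public_ranges": [ip_network("10.0.0.0/8")],   # addresses owned by the org or authorized partners
    "system_ips": {"1.1.1.1", "1.1.1.2"},          # documented system-ip assignments
    "peer_types": {"vmanage", "vsmart", "vedge"},  # roles expected to peer with a controller
    "maintenance": (time(1, 0), time(5, 0)),       # window in which peering changes are planned
}

EVENT_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) .*?control-connection-state-change (?P<kv>.*)$")
FIELD_RE = re.compile(r"(\S+?):(\S+)")

def parse_peering_event(line):
    """Return the key:value fields of a control-connection-state-change line, or None if it is not one."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = dict(FIELD_RE.findall(m.group("kv")))
    ev["host"], ev["timestamp"] = m.group("host"), m.group("ts")
    return ev

def validate_peering_event(ev, baseline=BASELINE):
    """Apply the checklist to one parsed event; returns the checks that failed (empty list = clean)."""
    findings = []
    if ev.get("new-state") != "up":
        return findings                     # only new peerings need validation here
    ts = datetime.strptime(ev["timestamp"], "%b %d %H:%M:%S").time()
    lo, hi = baseline["maintenance"]
    if not lo <= ts <= hi:
        findings.append(f"peering at {ts} outside the maintenance window")
    if not any(ip_address(ev["public-ip"]) in net for net in baseline["public_ranges"]):
        findings.append(f"public-ip {ev['public-ip']} not in an authorized range")
    if ev["peer-system-ip"] not in baseline["system_ips"]:
        findings.append(f"peer-system-ip {ev['peer-system-ip']} not a documented device")
    if ev["peer-type"] not in baseline["peer_types"]:
        findings.append(f"peer-type {ev['peer-type']} unexpected for this deployment")
    if ev["peer-type"] == "vmanage":
        findings.append("peer-type vmanage: confirm against change records even if other checks pass")
    return findings
```

Feed each control-connection-state-change line from the controller logs through both functions and group the findings by public-ip and peer-system-ip to spot repeated attempts from one source.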

Additional Investigative Guidance

The following may be high-fidelity indicators of a successful compromise by UAT-8616 in an SD-WAN infrastructure setup:

  • Creation, usage and deletion of malicious user accounts, including an otherwise absent bash_history and cli-history.
  • Interactive root sessions on production systems, including unaccounted-for SSH keys, known hosts and bash history. For example:
    • Notification: system-login-change severity-level:minor host-name:"<node_name>" system-ip:<IP> user-name:"root"
    • SSH Keys in: /home/root/.ssh/authorized_keys with “PermitRootLogin” set to “yes” in /etc/ssh/sshd_config
    • Known hosts in: /home/root/.ssh/known_hosts
  • Unauthorized or unaccounted-for SSH keys (“authorized_keys”) for the “vmanage-admin” account: /home/vmanage-admin/.ssh/authorized_keys/
  • Abnormally small logs, including absent logs or logs of 0, 1 or 2 bytes.
  • Evidence of log and history clearing or truncation including:
    • syslog
    • wtmp
    • lastlog
    • cli-history
    • bash_history
    • Logs residing in /var/log/
  • Presence of cli-history file for a user without the bash history.
  • Indications of unexplained peers being dropped or added to the environment.
  • Unexpected and unauthorized version downgrades and upgrades accompanied by a system reboot. For example (log entries):
    • Waiting for upgrade confirmation from user. Device will revert to previous software version <version> in '100' seconds unless confirmed.
    • Software upgrade not confirmed. Reverting to previous software version
  • Evidence of exploitation of CVE-2022-20775, such as a specially crafted path traversal string in the username (e.g. “/../../” or “/\n&../\n&../”).
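As an added example (not part of the Talos post), the Python triage script below walks an offline copy of a node filesystem, such as a mounted image, and reports the file-based indicators from the list above: absent or truncated logs, software-revert messages, SSH keys and known_hosts under /home/root and /home/vmanage-admin, a cli-history without a bash_history, and PermitRootLogin set to yes. The history file names and the syslog path are assumptions; adjust them to your platform.

```python
import re
from pathlib import Path

# Logs the indicator list names as commonly cleared or truncated (relative to the node root).
LOG_FILES = ["var/log/syslog", "var/log/wtmp", "var/log/lastlog"]
# Accounts named for SSH-key and shell-history review.
ACCOUNTS = ["root", "vmanage-admin"]
# Assumed history file names (the post only says "cli-history" and "bash_history"); adjust to your platform.
CLI_HISTORY, BASH_HISTORY = ".cli-history", ".bash_history"
# Messages logged when an unconfirmed upgrade reverts, quoted in the indicator list above.
REVERT_RE = re.compile(r"Software upgrade not confirmed|Device will revert to previous software version")

def permit_root_login(sshd_config_text):
    """sshd uses the first uncommented PermitRootLogin directive; True if that directive is 'yes'."""
    for line in sshd_config_text.splitlines():
        m = re.match(r"\s*PermitRootLogin\s+(\S+)", line)
        if m:
            return m.group(1).lower() == "yes"
    return False

def triage(root):
    """Return indicator strings found under a node filesystem rooted at `root`."""
    root, findings = Path(root), []
    for rel in LOG_FILES:
        p = root / rel
        if not p.is_file():
            findings.append(f"missing log: /{rel}")
        elif p.stat().st_size <= 2:
            findings.append(f"truncated log ({p.stat().st_size} bytes): /{rel}")
    syslog = root / "var/log/syslog"
    if syslog.is_file():
        hits = [l for l in syslog.read_text(errors="replace").splitlines() if REVERT_RE.search(l)]
        if hits:
            findings.append(f"{len(hits)} software-revert message(s) in /var/log/syslog")
    for acct in ACCOUNTS:
        home = root / "home" / acct
        for name in ("authorized_keys", "known_hosts"):
            keyfile = home / ".ssh" / name
            if keyfile.is_file() and keyfile.stat().st_size > 0:
                findings.append(f"{name} present for {acct}: verify every entry")
        if (home / CLI_HISTORY).is_file() and not (home / BASH_HISTORY).is_file():
            findings.append(f"cli-history without bash_history for {acct}")
    cfg = root / "etc/ssh/sshd_config"
    if cfg.is_file() and permit_root_login(cfg.read_text(errors="replace")):
        findings.append("PermitRootLogin yes in /etc/ssh/sshd_config")
    return findings
```

Call `triage("/mnt/node-image")` against a mounted copy rather than the live controller so the review does not alter timestamps on the evidence.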

Recommendations

We strongly recommend that you perform the steps outlined in this document. Cisco has also published a hardening guide for Cisco Catalyst SD-WAN deployments located at https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide. It is strongly recommended that any customers who are utilizing the Cisco Catalyst SD-WAN technology follow the guidance provided in this hardening guide. We also recommend referring to advisories here and here and the Cisco Catalyst SD-WAN threat hunting guide released by our intelligence partners for additional detection guidance.

Talos Coverage

Talos is releasing the following Snort coverage for this threat and associated vulnerability:

  • 65938, 65958

Source: https://blog.talosintelligence.com/uat-8616-sd-wan/