Attackers Have Been Exploiting Cisco SD-WAN Zero-Day Flaw Since 2023
Cisco has disclosed a zero-day vulnerability in its Catalyst SD-WAN Controller (CVE-2026-20127, chained with CVE-2022-20775) that the advanced threat actor UAT-8616 has exploited to gain root access and manipulate network configuration. The actor achieved persistent control through a software downgrade and local privilege escalation, and took steps to evade detection. The Five Eyes agencies released a guide to help organizations detect and mitigate the threat. Experts say the attack is sophisticated and aimed at critical infrastructure, and that immediate patching and stronger log monitoring are needed. 2026-2-26 22:22:13 Author: securityboulevard.com

Researchers with Cisco Systems’ Talos threat intelligence unit as well as cybersecurity agencies in the United States and elsewhere are warning organizations about an advanced threat actor exploiting a now-patched zero-day vulnerability in the networking giant’s Catalyst SD-WAN (software-defined WAN) Controller.

Talos researchers identified the attacker as UAT-8616, describing them as a “highly sophisticated cyber threat actor” that has been exploiting the security flaw since at least 2023. They also noted in an alert that “UAT-8616’s attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors looking to establish persistent footholds into high value organizations including Critical Infrastructure (CI) sectors.”

The Talos alert came out the same day as similar notices from members of the Five Eyes cybersecurity alliance, including CISA in the United States, the UK’s National Cyber Security Centre (NCSC), and Australia’s Cyber Security Centre.

There are two vulnerabilities involved with the threat activity, according to Talos researchers, CVE-2026-20127 and CVE-2022-20775. An investigation by Talos and others “identified that the actor likely escalated to root user via a software version downgrade. The actor then reportedly exploited CVE-2022-20775 before restoring back to the original software version, effectively allowing them to gain root access.”

According to CISA, the first flaw lets an unauthenticated remote actor bypass authentication and gain administrative privileges on a compromised system. The second is a path traversal vulnerability that allows an authenticated local attacker to gain elevated privileges and execute arbitrary commands as root, which means they can bypass all security restrictions and gain full, unrestricted control over the operating system.

U.S. Agencies Told to Inventory Devices

CISA is ordering federal agencies running networks, and third parties that run them for the government, to identify all the vulnerable Cisco systems, namely the Catalyst SD-WAN Manager (formerly SD-WAN vManage) and the Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart), and to apply Cisco’s updates to them.

In its own alert, Cisco wrote that the “vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account.

Through this account, an attacker could manipulate the network configuration for the SD-WAN fabric.”

The Hunt Guide

The Five Eyes agencies also released a 40-page Hunt Guide to help organizations detect and remediate the threat.

In the Hunt Guide, they describe a flaw that “allowed a malicious cyber actor to create a rogue peer joined to the network management plane, or control plane, of an organization’s SD-WAN. The rogue device appears as a new but temporary, actor-controlled SD-WAN component that can conduct trusted actions within the management and control plane.”

According to the guide, after gaining initial access, the threat actor downgraded a vSmart controller to a version that had known local privilege escalation capabilities and that – after gaining privilege escalation and persistence as the user root – restored vSmart to the version it was running before being downgraded.

The attackers also took steps to evade detection, mostly by removing forensic artifacts on the host system, they wrote in the guide.

A Sophisticated Attack

Yagub Rahimov, co-founder and CEO of Polygraf AI, a startup that is building on-premises, zero-trust solutions for AI governance, said the vulnerability itself is worrisome, but it’s how UAT-8616 is exploiting it – from initial access to downgrading a compromised device to a version carrying an earlier flaw – that should get the attention.

“Chaining it with an authentication bypass makes it into something different: a path to persistent root access across the entire SD-WAN fabric,” Rahimov said. “That transformation is the sophisticated part. The attacker didn’t just find a vulnerability, they mapped the target’s patch history, identified a flaw whose risk profile changes entirely when authentication is removed from the equation, and built a multi-stage campaign around that insight. This isn’t random exploitation. It’s deliberate infrastructure targeting.”

The ‘Blast Radius’

He added that “the blast radius compounds this.”

SD-WAN controllers manage the entire network fabric and having NETCONF (Network Configuration Protocol) access “means an attacker isn’t just on a device, they’re manipulating routing, segmentation, and configuration across the whole environment,” Rahimov said. “Root-level access through the privilege escalation chain then gives the attacker OS-level control over the device itself.”

This makes external logging as urgent as applying the patch. A threat actor operating at that level can tamper with whatever evidence remains on the device.

“Patch immediately to available versions,” he said. “Audit software versions across your entire fabric, not just recent deployments. The downgrade technique makes version consistency a security requirement. And if external logging isn’t already in place, treat it as equal priority to the patch itself.”
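The Hunt Guide describes a downgrade-then-restore sequence, and Rahimov recommends auditing software versions across the whole fabric. As an added example (not code from the article, Cisco, or the Five Eyes guide), the following Python flags both a transient downgrade in a device’s version history and version drift across controllers; the record format and version strings are constructed placeholders, not a real Cisco SD-WAN log format.

```python
# Added example: detect the transient downgrade pattern (version goes down,
# then climbs back to the original) and version drift across a fabric.
# The input format and version values below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Constructed sample history: (ISO timestamp, device, version).
SAMPLE_HISTORY = [
    ("2026-01-10T08:00:00Z", "vsmart-01", "20.12.4"),
    ("2026-01-10T08:00:00Z", "vsmart-02", "20.12.4"),
    ("2026-01-12T02:13:00Z", "vsmart-01", "20.6.1"),   # downgrade
    ("2026-01-12T02:41:00Z", "vsmart-01", "20.12.4"),  # restored to original
    ("2026-01-15T09:00:00Z", "vsmart-03", "20.9.3"),   # stale controller
]

def parse_version(v: str) -> tuple:
    """Dotted version string -> tuple of ints so '20.12.4' > '20.9.3'."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Finding:
    device: str
    down_at: str
    downgraded_to: str
    restored_at: Optional[str]
    restored_to: Optional[str]

def find_downgrade_restores(history):
    """One Finding per downgrade; restore fields set if the version later recovers."""
    by_device = {}
    for ts, dev, ver in sorted(history):          # ISO timestamps sort chronologically
        by_device.setdefault(dev, []).append((ts, ver))
    findings = []
    for dev, events in by_device.items():
        prev_ver = events[0][1]
        for i in range(1, len(events)):
            ts, ver = events[i]
            if parse_version(ver) < parse_version(prev_ver):
                f = Finding(dev, ts, ver, None, None)
                for later_ts, later_ver in events[i + 1:]:   # look for the restore step
                    if parse_version(later_ver) >= parse_version(prev_ver):
                        f.restored_at, f.restored_to = later_ts, later_ver
                        break
                findings.append(f)
            prev_ver = ver
    return findings

def version_drift(history):
    """Current version per device and the distinct versions present in the fabric."""
    current = {}
    for ts, dev, ver in sorted(history):
        current[dev] = ver
    return current, sorted(set(current.values()), key=parse_version)
```

A point-in-time inventory alone would show vsmart-01 back on its original version; only the history reveals the transient downgrade, which is why the example keeps per-device version changes rather than just current state.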

Source: https://securityboulevard.com/2026/02/attackers-have-been-exploiting-cisco-sd-wan-zero-day-flaw-since-2023/