Three Years in the Shadows: The Cisco SD-WAN Zero-Day Nobody Caught

A maximum-severity authentication bypass in Cisco's core networking platform was silently exploited since 2023. CISA just issued an emergency directive. The damage assessment hasn't started yet.

BLACKWIRE / PRISM
March 2, 2026
CRITICAL INFRASTRUCTURE | NATION-STATE

The worst kind of breach isn't the loud one. It's the quiet one that compounds. Cisco disclosed last week that a zero-day vulnerability in its Catalyst SD-WAN platform - the software backbone connecting branch offices, data centers, and cloud environments for thousands of enterprises and government agencies - had been actively exploited since at least 2023. For roughly three years, a highly sophisticated threat actor moved through these networks without triggering any public alarm.

The vulnerability is CVE-2026-20127, rated CVSS 10.0: maximum severity. An unauthenticated remote attacker could bypass authentication entirely and gain administrative control over Cisco Catalyst SD-WAN Controllers and Managers - the nerve centers that define how traffic flows across entire enterprise networks.

The Mechanics of the Attack

The flaw lives in the peering authentication mechanism that SD-WAN controllers use to recognize trusted peers. By sending a specially crafted request, an attacker skips the authentication handshake entirely and lands inside as a high-privileged internal account. From there, they gain NETCONF access - a network management protocol that lets them rewrite routing policy across the entire SD-WAN fabric.

The practical consequence: insert a rogue peer device. It looks legitimate to the network. It establishes encrypted tunnels. It advertises routes. Traffic that was supposed to go to a bank's data center can now be silently mirrored - or redirected entirely.

Cisco Talos tracks the operator behind this campaign as UAT-8616. Their assessment, stated with high confidence: this is a highly sophisticated threat actor. Three years of persistent access to critical infrastructure networks. The kind of patience that points to state sponsorship.

The attack didn't stop at initial access. UAT-8616 was observed escalating to root by triggering a software version downgrade on compromised devices, then exploiting an older vulnerability - CVE-2022-20775 - before restoring the original firmware. The net effect: root access with no forensic trace left by the downgrade, because the device was returned to the expected state afterward.

This is not script-kiddie tradecraft. This is surgical evasion designed by people who understand incident response better than most defenders.

How It Came to Light

The Australian Signals Directorate's Australian Cyber Security Centre (the ASD's ACSC) reported the vulnerability to Cisco. The coordinated disclosure involved U.S. and UK authorities, culminating in a CISA Emergency Directive on February 25, 2026: ED 26-03, requiring all Federal Civilian Executive Branch agencies to immediately inventory their Cisco SD-WAN deployments, collect forensic artifacts, verify external log storage, and apply patches.

The involvement of Five Eyes signals intelligence agencies in the discovery process suggests the attacker was identified through signals intelligence, not endpoint detection. Which also means: the organizations that were compromised likely had no idea until this disclosure landed in their inboxes.

Why SD-WAN Is Such a High-Value Target

SD-WAN is the quiet infrastructure that most security teams treat as outside their threat model. It's a networking product, not a server. Enterprises deploy it, configure it once, and largely ignore it. But it sits at the intersection of every network segment - the hub that links remote offices to core systems, that routes cloud traffic, that connects OT networks to enterprise IT.

Control the SD-WAN controller, and you have a map of the entire network topology plus the ability to reshape traffic flows in real time. For an intelligence operation, that's more valuable than any endpoint. You're not looking at one machine's files. You're watching traffic from every machine.

The second-order risk here is significant: organizations that have already patched are still running networks that may contain rogue peers placed years ago. The patch closes the door. It doesn't evict whoever is already inside.

What Comes Next

Cisco has published patches and detailed remediation guidance. The ACSC released a specific hunt guide to help organizations identify whether rogue peering events occurred. The checklist includes reviewing timestamp anomalies, validating peer device identities, checking for unexpected software version changes, and scrutinizing any NETCONF activity for unauthorized configuration modifications.
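As an added, defender-side example (not code from the article, Cisco or the ACSC): a small hunt script that applies the four checklist items above, plus the downgrade-then-restore pattern described earlier, to controller-style logs. The log format, field names, device names, peer inventory, approved-operator list and baseline version are all constructed assumptions for illustration; the real Catalyst SD-WAN log layout and the exact indicators in the ACSC hunt guide must be taken from the vendor and agency guidance.

```python
"""Hunt over constructed SD-WAN controller logs for the four checklist items:
timestamp anomalies, unknown peers, version changes, and suspicious NETCONF edits."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed inventory of peers the network team expects (assumption).
KNOWN_PEERS = {"vedge-branch-01", "vedge-branch-02", "vsmart-core-01"}
# Constructed list of accounts allowed to push configuration (assumption).
APPROVED_OPERATORS = {"netops-alice"}
# Constructed baseline software version for the fabric (assumption).
BASELINE_VERSION = "20.12.4"

# Constructed log lines in a hypothetical "ts|event|device|key=value ..." format.
SAMPLE_LOG = """\
2026-02-10T08:00:01Z|PEER_UP|vedge-branch-01|auth=ok
2026-02-10T08:00:05Z|PEER_UP|vedge-branch-02|auth=ok
2026-02-10T23:14:52Z|PEER_UP|vedge-branch-77|auth=ok
2026-02-11T02:03:10Z|SW_VERSION|vsmart-core-01|version=20.6.1
2026-02-11T02:09:45Z|SW_VERSION|vsmart-core-01|version=20.12.4
2026-02-11T02:05:00Z|NETCONF_EDIT|vsmart-core-01|user=vmanage-admin path=/policy/centralized
2026-02-12T10:30:00Z|NETCONF_EDIT|vsmart-core-01|user=netops-alice path=/system/banner
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    device: str
    detail: Dict[str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed pipe-delimited format; each line becomes an Event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, device, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), kind, device, fields))
    return events


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def hunt(events: List[Event], known_peers, approved_operators, baseline: str) -> List[Tuple[str, str]]:
    """Return (category, message) findings; events are taken in file order."""
    findings: List[Tuple[str, str]] = []

    # 1. Timestamp anomalies: interpreted here as entries that run backwards in time.
    prev = None
    for e in events:
        if prev is not None and e.ts < prev.ts:
            findings.append(("TIMESTAMP", f"{e.kind} on {e.device} at {e.ts.isoformat()} precedes the prior entry"))
        prev = e

    # 2. Peer identity: any peer that comes up but is absent from the inventory.
    for e in events:
        if e.kind == "PEER_UP" and e.device not in known_peers:
            findings.append(("ROGUE_PEER", f"{e.device} peered at {e.ts.isoformat()} but is not in inventory"))

    # 3. Version changes: a drop below baseline, and the later return to baseline,
    #    which together form the downgrade/restore pattern.
    windows: List[Tuple[str, datetime, datetime]] = []
    by_device: Dict[str, List[Event]] = {}
    for e in events:
        if e.kind == "SW_VERSION":
            by_device.setdefault(e.device, []).append(e)
    for device, evs in by_device.items():
        downgraded_at = None
        for e in sorted(evs, key=lambda x: x.ts):
            ver = e.detail["version"]
            if version_tuple(ver) < version_tuple(baseline):
                findings.append(("DOWNGRADE", f"{device} reported {ver} (below {baseline}) at {e.ts.isoformat()}"))
                downgraded_at = e.ts
            elif downgraded_at is not None:
                findings.append(("RESTORE", f"{device} back on {ver} {e.ts - downgraded_at} after downgrade"))
                windows.append((device, downgraded_at, e.ts))
                downgraded_at = None

    # 4. NETCONF activity: edits by unapproved accounts or inside a downgrade window.
    for e in events:
        if e.kind != "NETCONF_EDIT":
            continue
        user = e.detail.get("user", "?")
        reasons = []
        if user not in approved_operators:
            reasons.append(f"user {user} is not an approved operator")
        if any(d == e.device and s <= e.ts <= t for d, s, t in windows):
            reasons.append("edit falls inside a downgrade/restore window")
        if reasons:
            findings.append(("NETCONF", f"{e.detail.get('path', '?')} on {e.device} at {e.ts.isoformat()}: " + "; ".join(reasons)))
    return findings


def run_sample() -> List[Tuple[str, str]]:
    return hunt(parse_log(SAMPLE_LOG), KNOWN_PEERS, APPROVED_OPERATORS, BASELINE_VERSION)


if __name__ == "__main__":
    for category, message in run_sample():
        print(f"[{category}] {message}")
```

On the constructed sample the script flags the unknown peer vedge-branch-77, one out-of-order entry, the 20.6.1 downgrade and its restore six minutes later, and the NETCONF policy edit made by an unapproved account inside that window; the routine banner edit by an approved operator is not flagged. Run against real exports, the inventory and approved-operator sets are the parts that matter most, because a rogue peer placed years ago only stands out when compared to a list the network team actually maintains.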

Federal agencies have a hard deadline to comply with ED 26-03. For the private sector, there's no mandate - just the increasingly difficult question of whether networks that were silently compromised for three years can be fully trusted again without a forensic audit.

The longer this story develops, the clearer it will become that the known victim list is not the full victim list. UAT-8616 targeted critical infrastructure sectors. The disclosure is the start of the investigation, not the end.

Affected organizations should treat their SD-WAN environment as potentially compromised until proven otherwise - patch first, audit second, and assume the peer list isn't clean.
