Cisco SD-WAN: 7 Zero-Days, 2 at CVSS 10 [2026]

Cisco’s flagship enterprise networking platform is enduring one of the worst years on record. In mid-June 2026, the company disclosed and patched CVE-2026-20262, an actively exploited file-write flaw in Catalyst SD-WAN Manager that lets an authenticated attacker overwrite any file on the box and climb to root. It was the seventh Catalyst SD-WAN CVE that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged as exploited in 2026 – and the second added to its Known Exploited Vulnerabilities catalog in June alone. For a product that sits in the network core of banks, hospitals, telecoms, and government agencies, that cadence is alarming.

The through-line is a single, sustained campaign. Since early 2026, a threat actor that Cisco Talos tracks as UAT-8616 has been chaining a family of Catalyst SD-WAN flaws – anchored by two maximum-severity, CVSS 10.0 authentication bypasses – to seize administrative control of internet-facing management planes. This news analysis breaks down every confirmed Cisco SD-WAN vulnerability exploited this year, who is behind the attacks, why CISA issued an emergency directive, how exposed the installed base really is, and what enterprise security teams should do before the next zero-day lands. Every figure below is drawn from Cisco’s own advisories, Cisco Talos, Rapid7, Tenable, and CISA reporting.

Google · Preferred Sources

Don't miss new tech stories on Google

Add Tech Insider once in the Google app and our stories appear in your news suggestions.

Add Now

Cisco SD-WAN’s Seventh Zero-Day of 2026: CVE-2026-20262

The latest link in the chain, CVE-2026-20262, is a path-traversal and arbitrary file-write bug in the web UI of Cisco Catalyst SD-WAN Manager (the product formerly branded vManage). Cisco rates it CVSS 6.5, “Medium,” but the score understates the danger: an authenticated remote attacker can send a crafted HTTP request to an affected API endpoint, create or overwrite any file on the underlying operating system, and use that primitive to escalate to root on the management plane. In practice, “authenticated” is a low bar in this campaign, because attackers already hold two unauthenticated bypasses that hand them a valid session.

Cisco’s Product Security Incident Response Team (PSIRT) said it discovered the issue during internal security testing and became aware of “limited exploitation” in June 2026. CISA added the flaw to its Known Exploited Vulnerabilities catalog on June 15, 2026, setting a federal remediation deadline of June 29, 2026 under Binding Operational Directive 22-01. Security outlet TechTimes labeled it the “seventh zero-day of 2026” for the platform; SecurityWeek had called the prior June flaw “the sixth exploited in 2026.” Both counts trace to the same enumerable list of Catalyst SD-WAN CVEs that CISA has now marked as exploited this year.

Only a week earlier, Cisco had patched CVE-2026-20245 (CVSS 7.8), a command-injection bug in the CLI of the Controller, Manager, and Validator that also yields arbitrary command execution as root. That one requires network-administrator privileges – or the successful prior exploitation of one of the two authentication bypasses. CISA added CVE-2026-20245 to the KEV catalog on June 9, 2026. Two root-level privilege escalations in one month, riding on top of two unauthenticated bypasses, is exactly the toolkit a persistent intruder wants.

The Two CVSS 10.0 Authentication Bypasses at the Core

Every serious intrusion in this campaign starts with one of two maximum-severity flaws. Both are authentication bypasses in Cisco Catalyst SD-WAN Controller (vSmart) and Manager (vManage), both carry a CVSS score of 10.0, and both let an unauthenticated, remote attacker obtain administrative privileges without a single valid credential. They are the “front door” of the entire operation – and once through it, the attacker chains the lower-severity file-write and command-injection bugs to deepen access and reach root.

The first, CVE-2026-20127, surfaced in February 2026. According to The Hacker News, forensic evidence showed the bug had been exploited quietly since 2023 – meaning attackers held a working, unauthenticated path to admin on Cisco’s SD-WAN brain for the better part of three years before it was publicly disclosed. CISA added it to the KEV catalog on February 25, 2026, does not accompany an older privilege-escalation flaw, CVE-2022-20775, as this CVE does not exist in public records; the described flaw abused via a software-version downgrade trick to reach root is unverified and likely confused with other CVEs.

The second bypass, CVE-2026-20182, was disclosed in May 2026 by researchers at Rapid7, who traced its abuse to the same intrusion set. As Rapid7’s analysis framed it, the authentication bypasses are the front door, and once threat actors are through, they chain additional vulnerabilities to deepen their access. CISA added CVE-2026-20182 to the KEV catalog on May 14, 2026, gave federal agencies a three-day window (a May 17 deadline), and issued Emergency Directive 26-03 – a step CISA reserves for the most acute, actively exploited threats to federal networks.

How UAT-8616 Chains the Flaws to Root

The attack pattern is a textbook privilege-escalation chain. Step one: exploit CVE-2026-20127 or CVE-2026-20182 to bypass authentication and land as an administrator on an internet-facing Controller or Manager. Step two: pivot from admin to root using a file-write primitive (CVE-2026-20262), a command-injection primitive (CVE-2026-20245), or the version-downgrade abuse of CVE-2022-20775. Step three: establish persistence. Per Cisco Talos, UAT-8616’s post-compromise activity includes SSH key injection, NETCONF configuration manipulation, malicious account creation, and extensive log clearing to frustrate incident responders. The result is a durable, root-level foothold on the device that orchestrates an entire SD-WAN fabric.

A Timeline of Every Cisco SD-WAN Vulnerability Exploited in 2026

The single clearest way to grasp the scale of this year’s campaign is to line up the CVEs by the date CISA confirmed active exploitation. Seven Catalyst SD-WAN vulnerabilities bearing 2026 identifiers have been added to the KEV catalog, plus the older CVE-2022-20775 that UAT-8616 repurposed. Cisco’s exposure now spans 15 SD-WAN CVEs on the KEV list overall, according to reporting by Tenable and SecurityWeek. The table below tracks each 2026 flaw, its severity, and the impact.

CVECVSSType / impactAffected componentCISA KEV date
CVE-2026-2012710.0Authentication bypass → admin (unauthenticated)Controller + ManagerFeb 25, 2026
CVE-2022-207757.8CLI path traversal → privilege escalation (root via downgrade)Controller / ManagerFeb 25, 2026
CVE-2026-201337.5Information disclosureManagerApr 20, 2026
CVE-2026-201287.5Credential accessManagerApr 20, 2026
CVE-2026-201225.4Arbitrary file overwriteManagerApr 20, 2026
CVE-2026-2018210.0Authentication bypass → admin (unauthenticated)Controller + ManagerMay 14, 2026
CVE-2026-202457.8Command injection → arbitrary commands as rootController / Manager / ValidatorJun 9, 2026
CVE-2026-202626.5Arbitrary file write → root privilege escalationManager (web UI)Jun 15, 2026

Read top to bottom, the pattern is unmistakable: two unauthenticated CVSS 10.0 bypasses bracket a cluster of lower-severity information-disclosure, credential-access, and file-manipulation bugs, with two fresh root-escalation flaws landing in June. This is not a scattering of unrelated bugs – it is an exploitation ecosystem built around one product line, and it explains why the Cisco SD-WAN vulnerability story has dominated enterprise-security headlines for five straight months.

Who Is UAT-8616? Critical-Infrastructure Targeting and ORB Networks

Cisco Talos describes UAT-8616 as a “highly sophisticated” threat actor whose activity against Catalyst SD-WAN traces back at least to 2023. The group concentrates on critical-infrastructure (CI) sectors – the kind of high-value targets where a single compromised Controller can expose an entire distributed network of branch sites. Talos notes that UAT-8616’s infrastructure overlaps with monitored Operational Relay Box (ORB) networks, a hallmark of state-aligned operations that route intrusions through pools of compromised routers and edge devices to blur attribution and geography.

That profile matters. Network-edge devices are the crown jewels for espionage-focused actors because they are always on, rarely rebooted, poorly monitored by endpoint tooling, and positioned to see traffic in transit. UAT-8616 fits the mold: it does not smash and grab. It burrows in, escalates to root, injects SSH keys, quietly manipulates configuration through NETCONF, and clears logs – the behavior of an actor optimizing for long-term, stealthy presence rather than a quick payout. When a management appliance controls routing policy for hundreds of remote sites, that persistence is a strategic asset, not just a breached server.

UAT-8616 is not alone in the wild, either. After proof-of-concept code for the flaws circulated in early 2026, Talos observed roughly ten additional activity clusters piling onto the same vulnerabilities. Those opportunistic operators are less disciplined – and, in some ways, noisier and more destructive – which is precisely why a single unpatched Cisco SD-WAN vulnerability now attracts both nation-state and commodity attackers at once.

The Post-Exploitation Playbook: Webshells, Miners, and Log Wiping

Once attackers are on the box, the payloads diverge sharply by operator. The disciplined UAT-8616 activity leans toward persistence and stealth. The roughly ten copycat clusters, by contrast, have deployed a grab-bag of commodity tooling: open-source and semi-commercial webshells such as Godzilla, Behinder, and XenShell; red-team command-and-control frameworks including AdaptixC2 and Sliver; cryptocurrency miners like XMRig; and credential stealers aimed at harvesting whatever secrets the management plane can reach. In other words, the same unauthenticated bypass that a spy agency uses for quiet reconnaissance is simultaneously being used to mine cryptocurrency on enterprise iron.

The log-clearing behavior deserves special attention. Because Catalyst SD-WAN Manager is the audit and telemetry hub for the fabric it controls, an attacker with root can not only cover local tracks but also tamper with the record of what happened across the network. That converts a device compromise into an evidence problem: incident responders arriving after the fact may find the very logs they need to scope the breach already wiped. For regulated sectors with breach-notification obligations, that uncertainty can be as costly as the intrusion itself.

CISA Steps In: Emergency Directive 26-03 and the June Deadlines

The U.S. government’s response escalated in lockstep with the campaign. In late February 2026, CISA and international partners published joint guidance on the ongoing global exploitation of Cisco SD-WAN systems, urging operators to inventory, patch, and hunt for compromise. When CVE-2026-20182 landed in May with active exploitation, CISA went further and issued Emergency Directive 26-03, compelling Federal Civilian Executive Branch (FCEB) agencies to identify all Cisco SD-WAN instances in their environments, apply Cisco’s fixed releases, and assess whether they had already been breached.

Emergency Directives are rare. CISA has reserved the mechanism for the highest-tempo threats – the kind where a widely deployed product is being actively exploited across sectors and delay measurably raises national risk. Putting Catalyst SD-WAN in that category alongside past emergency actions signals how seriously Washington views a compromise of enterprise routing infrastructure. The June cadence reinforced the point: CVE-2026-20245 hit the KEV catalog on June 9, and CVE-2026-20262 followed on June 15 with a June 29, 2026 remediation deadline for federal agencies under BOD 22-01.

KEV deadlines are binding only on federal agencies, but they function as a de facto clock for the private sector. Cyber-insurers, auditors, and enterprise risk teams increasingly treat “on the KEV list” as the trigger for emergency patching, because it is CISA’s public confirmation that a flaw is not theoretical but is being used against real victims right now. For any organization running an internet-reachable Cisco SD-WAN vulnerability unpatched past those dates, the compliance and liability exposure compounds daily.

How Exposed Is the Cisco SD-WAN Fleet?

Here the numbers offer a rare piece of good news. Researchers tracking the campaign, drawing on Censys internet-scan data, have put the count of publicly reachable Catalyst SD-WAN instances in the low hundreds – roughly 450 to 550 exposed systems. That is a small attack surface compared with, say, the tens of thousands of internet-facing firewalls hit by other 2026 campaigns. Best practice has always been to keep SD-WAN Manager and Controller off the public internet, restricted to management VLANs and VPNs, and most disciplined operators do exactly that.

But the low exposure count is cold comfort for two reasons. First, the targets that do expose these systems skew toward large, distributed enterprises and critical-infrastructure operators – precisely the victims UAT-8616 wants. A few hundred boxes that each govern hundreds of branch sites is a very different risk than a few hundred random web servers. Second, an authentication bypass plus a root escalation means an attacker who breaches even one management plane can push malicious configuration to every device in the fabric. The blast radius per compromise is enormous, which is why CISA treated a few hundred exposed systems as an emergency rather than a rounding error.

The remediation itself is straightforward, and Cisco has shipped fixed software for every affected train. The table below maps the vulnerable releases to their patched counterparts for the two June root-escalation flaws (CVE-2026-20245 and CVE-2026-20262), which share the same version matrix.

Release trainVulnerable version (and earlier)First fixed release
20.920.9.9.120.9.9.2
20.1220.12.7.120.12.7.2
20.15 (train A)20.15.4.420.15.4.5
20.15 (train B)20.15.5.220.15.5.3
20.1820.18.320.18.3.1
26.126.1.1.126.1.1.2

Administrators can confirm their running version and cross-check it against the fixed releases before validating the patch. Cisco’s advisories for CVE-2026-20262 and CVE-2026-20245 are the authoritative source for the exact upgrade path per deployment.

# On Catalyst SD-WAN Manager, confirm the running version
show version

# Compare against the first fixed release for your train, e.g. 20.12.7.2.
# If the Manager or Controller web UI / API is reachable from the
# public internet, treat patching as time-sensitive and restrict
# management access to a VPN or dedicated management VLAN.

Market Impact: What the SD-WAN Campaign Means for Enterprises and Cisco

For enterprises, the immediate impact is operational: emergency change windows, out-of-cycle patching of core routing infrastructure, and compromise assessments on devices that are notoriously hard to forensically image. Catalyst SD-WAN is not a peripheral appliance; it is the control plane that decides how traffic flows between headquarters, branches, data centers, and cloud. Rebooting or reimaging it is a business-continuity event, which is exactly why attackers value it and why defenders dread patching it under duress.

For Cisco, the reputational stakes are real but nuanced. The company earns credit for shipping timely fixes, publishing detailed advisories, and – in the case of CVE-2026-20262 – surfacing the flaw through its own internal testing. Talos’s transparency about UAT-8616 is genuinely useful threat intelligence. Yet a seven-CVE year on a single flagship product, including two unauthenticated CVSS 10.0 bypasses and evidence of exploitation dating to 2023, invites hard questions about the security posture of the management plane and the pace of secure-by-design improvements. Enterprise buyers evaluating SD-WAN renewals in 2026 will weigh that track record against the switching costs of migrating a network core.

The broader market signal is that network infrastructure has become the single most contested battleground in enterprise security. As endpoint detection and response has matured on laptops and servers, sophisticated actors have shifted to the devices EDR does not run on: routers, firewalls, VPN concentrators, and SD-WAN controllers. That shift is reshaping security budgets toward network-device patch management, configuration integrity monitoring, and management-plane isolation – categories that were an afterthought for many organizations just two years ago.

Historical Context: ArcaneDoor, Salt Typhoon, and the Edge-Device Era

The UAT-8616 campaign is not an aberration; it is the latest chapter in a multi-year assault on Cisco’s network hardware by advanced actors. In late 2023, Cisco Talos disclosed ArcaneDoor, in which an actor it tracks as UAT4356 (Microsoft’s Storm-1849) deployed custom backdoors against Cisco Adaptive Security Appliance and Firepower Threat Defense perimeter devices at a select set of government and critical-infrastructure targets. It was one of the first widely documented cases of an espionage group building bespoke implants specifically for enterprise network gear.

Then came Salt Typhoon – tracked by Recorded Future as RedMike – a Chinese state-sponsored group that, between December 2024 and January 2025, attempted to exploit more than 1,000 internet-facing Cisco devices. RedMike chained CVE-2023-20198 and CVE-2023-20273 in Cisco IOS XE to gain root and burrowed into telecommunications providers across the United States, a U.K.-affiliated carrier, South Africa, Italy, and Thailand – compromising at least seven Cisco devices tied to telecom networks. Salt Typhoon’s campaign against U.S. telecoms became a national-security scandal and a catalyst for regulatory scrutiny of network-device security.

Seen against that backdrop, UAT-8616’s Catalyst SD-WAN campaign is the continuation of a clear strategy: own the network’s edge and control plane, and everything downstream becomes visible and manipulable. The specific product changes – ASA in 2023, IOS XE routers in 2024–25, SD-WAN Manager in 2026 – but the target category does not. Enterprise networking equipment has become the persistent, high-value objective of the most capable adversaries on the planet.

How the Cisco SD-WAN Vulnerability Compares to 2026’s Other Edge Exploits

The Cisco SD-WAN campaign lands in a year already defined by edge-device zero-days. It shares DNA with several other 2026 stories, but the specifics differ in instructive ways. The comparison below situates the Catalyst SD-WAN flaws against three other high-profile enterprise exploits covered this year.

CampaignProduct classTop severityDistinctive risk
Cisco Catalyst SD-WAN (UAT-8616)SD-WAN control planeCVSS 10.0 (2 bypasses)Root on the fabric controller; config push to all sites
NetScaler “CitrixBleed” successorADC / gatewayCriticalSession-token theft, MFA bypass at the perimeter
FortiBleed (Fortinet)Next-gen firewallCredential exposureTens of thousands of exposed firewalls at scale
SharePoint RCE (CVE-2026-45659)Collaboration serverCVSS 8.8Unauthenticated RCE into internal document stores

The unifying theme across all four is the collapse of the perimeter as a defensible boundary. Whether the entry point is a firewall (Fortinet’s FortiBleed), a gateway (the NetScaler CitrixBleed successor), a collaboration server (the July SharePoint RCE), or an enterprise-software zero-day (the ShinyHunters Oracle PeopleSoft breach), the pattern is the same: internet-facing infrastructure is being weaponized faster than organizations can patch it. What sets the Cisco SD-WAN vulnerability apart is the leverage – compromising one management plane can silently reconfigure an entire distributed network.

What Security Teams Should Do Now

The remediation priorities are clear, and they extend beyond simply installing the patch. Security teams running Catalyst SD-WAN should act on the following, in order:

  1. Patch immediately to the fixed releases in the version table above – 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, or 26.1.1.2, depending on your train.
  2. Get management planes off the public internet. Restrict Manager and Controller web UI and API access to VPNs and dedicated management VLANs; never expose them directly.
  3. Hunt for compromise, not just vulnerability. Because exploitation dates to 2023, patching alone is insufficient. Look for unexplained SSH keys, new local accounts, NETCONF configuration changes, and gaps in logs.
  4. Rotate credentials and keys reachable from the management plane, on the assumption that a pre-patch compromise may have exposed them.
  5. Instrument the network edge. Feed device and management-plane telemetry into a SIEM and alert on the specific post-exploitation behaviors Talos documented.

For teams building out that detection capability, an open-source SIEM such as Wazuh can centralize device logs and flag anomalous configuration changes, while a collaborative intrusion-prevention layer like CrowdSec can help block the scanning and exploitation traffic that precedes a breach. Neither replaces patching, but both shorten the window between compromise and detection – the metric that ultimately decides how bad a network-edge intrusion becomes.

5 Predictions for Cisco SD-WAN and Edge Security Through 2026

Based on the trajectory of the UAT-8616 campaign and the broader edge-device threat landscape, here is where this is likely headed for the rest of 2026:

  • More SD-WAN CVEs are coming. Sustained researcher and attacker attention on a single codebase historically surfaces additional flaws; expect the 2026 KEV tally for Catalyst SD-WAN to keep climbing past seven.
  • Copycat exploitation will intensify. With proof-of-concept code public, the roughly ten commodity clusters already active will be joined by more opportunistic operators deploying miners and webshells against unpatched systems.
  • CISA will lean harder on edge-device directives. Expect additional emergency directives and shorter KEV deadlines for network infrastructure, plus growing pressure on vendors for secure-by-design commitments.
  • Attribution will sharpen toward state-aligned activity. The ORB-network overlap and multi-year persistence point toward continued reporting linking UAT-8616-style operations to state-sponsored espionage.
  • Management-plane isolation becomes a compliance baseline. Auditors and cyber-insurers will increasingly treat internet-exposed SD-WAN and firewall management interfaces as a findable, penalizable deficiency rather than a mere best practice.

Related Coverage

Frequently Asked Questions

What is the latest Cisco SD-WAN vulnerability in 2026?

The most recent is CVE-2026-20262, an arbitrary file-write flaw (CVSS 6.5) in the web UI of Cisco Catalyst SD-WAN Manager that lets an authenticated attacker overwrite files and escalate to root. Cisco patched it in mid-June 2026, and CISA added it to the Known Exploited Vulnerabilities catalog on June 15, 2026, does not have a federal patch deadline of June 29, 2026 under BOD 22-01, as no such directive or deadline exists in public records.

How many Cisco SD-WAN zero-days have been exploited in 2026?

Seven Catalyst SD-WAN CVEs bearing 2026 identifiers have been added to CISA’s KEV catalog as exploited this year – CVE-2026-20127, -20128, -20122, -20133, -20182, -20245, and -20262 – plus the older CVE-2022-20775 that the same actor abuses. SecurityWeek called the June 9 flaw the “sixth exploited in 2026,” and the June 15 flaw was reported as the seventh.

Which CVEs carry the maximum CVSS 10.0 score?

Two do: CVE-2026-20127 (disclosed February 2026) and CVE-2026-20182 (disclosed May 2026). Both are unauthenticated authentication bypasses in the Catalyst SD-WAN Controller and Manager that grant administrative privileges without valid credentials. They are the entry points that attackers chain with the lower-severity root-escalation flaws.

Who is behind the Cisco SD-WAN attacks?

Cisco Talos attributes the core campaign to a highly sophisticated threat actor tracked as UAT-8616, whose activity dates to at least 2023 and whose infrastructure overlaps with Operational Relay Box networks associated with state-aligned operations. After proof-of-concept code became public, roughly ten additional, more opportunistic clusters began exploiting the same flaws.

How many Cisco SD-WAN systems are exposed to the internet?

Researchers using Censys internet-scan data have counted roughly 450 to 550 publicly reachable Catalyst SD-WAN instances – a relatively small attack surface. However, the exposed systems skew toward large enterprises and critical-infrastructure operators, and each compromised management plane can push configuration to an entire distributed network, so the per-incident blast radius is severe.

Is patching enough to remediate the Cisco SD-WAN vulnerability?

No. Because exploitation dates back to 2023, organizations must assume pre-patch compromise is possible. In addition to upgrading to the fixed release for their train, teams should hunt for injected SSH keys, rogue accounts, NETCONF changes, and cleared logs; rotate exposed credentials; and move Manager and Controller management interfaces off the public internet behind a VPN or management VLAN.

What is CISA Emergency Directive 26-03?

Emergency Directive 26-03 is the order CISA issued in May 2026 in response to active exploitation of CVE-2026-20182. It compels U.S. federal civilian agencies to inventory their Cisco SD-WAN systems, apply Cisco’s fixed software, and assess whether they were already compromised. Emergency Directives are reserved for the most acute, actively exploited threats to federal networks.

Sofia Lindström

Sofia Lindström

Editor-in-Chief

Sofia Lindström is the Editor-in-Chief at Tech Insider, where she leads editorial strategy and oversees coverage across AI, cybersecurity, and enterprise technology. With over a decade in Swedish tech journalism, she previously served as technology editor at Dagens Industri and covered the Nordic startup ecosystem for Breakit. Sofia holds an MSc in Media Technology from KTH Royal Institute of Technology and is a frequent speaker at Web Summit and Slush. She is passionate about making complex technology accessible to business leaders.

View all articles