The company’s announcement comes roughly a week after it warned customers that a critical zero-day vulnerability affecting Catalyst SD-WAN has been exploited in the wild.

Tracked as CVE-2026-20127, that security hole can be exploited remotely to bypass authentication and obtain admin privileges on a vulnerable device.

CISA and other cybersecurity agencies reported that CVE-2026-20127 has been chained with an older Catalyst vulnerability, CVE-2022-20775, to bypass authentication, escalate privileges, and establish persistence on the targeted system.

Cisco Talos linked those attacks to UAT-8616, a highly sophisticated threat actor that has been active since at least 2023.

It’s unclear if all of these Catalyst SD-WAN vulnerabilities have been exploited in the same or different campaigns.

Cisco also warned recently about zero-day attacks conducted by a China-linked APT tracked as UAT-9686.


Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Source: SecurityWeek