Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited
securityweek
Exposure management company WatchTowr reports that a recent Cisco Catalyst SD-WAN vulnerability, initially exploited as a zero-day, is now being used more frequently by threat actors.
The in-the-wild exploitation of four Cisco Catalyst SD-WAN vulnerabilities came to light in recent weeks. One of them is CVE-2026-20127, which had been exploited as a zero-day in combination with an older vulnerability, CVE-2022-20775, to bypass authentication, escalate privileges, and establish persistence on systems.
Cisco Talos linked the attacks to UAT-8616, a highly sophisticated threat actor of unspecified origin and motivation that has been active since at least 2023.
WatchTowr’s head of proactive threat intelligence, Ryan Dewhurst, told SecurityWeek that the pace of exploitation for CVE-2026-20127 has — unsurprisingly — escalated quickly.
“This is no longer targeted activity that was described previously, but now internet-wide and growing,” Dewhurst said.
“In total, the watchTowr proactive threat intelligence team has seen exploitation attempts from numerous unique IP ...

