The maximum-severity vulnerability CVE-2026-20127 was exploited by an unknown but sophisticated threat actor who left very little evidence behind.

DR (DZone Research) offers insights into software development trends, industry surveys, and technology adoption patterns, providing reports, whitepapers, and analyst insights to help businesses make informed decisions and stay competitive in the ever-evolving tech landscape. By exploring DR's curated content, developers can gain insights into emerging technologies, developer preferences, and industry best practices for building innovative and market-leading software solutions. Whether you're a startup founder, product manager, or tech executive, DR offers resources to guide your strategic planning and drive business success.

Dark Reading

Cisco has disclosed a maximum-severity authentication bypass zero-day (CVE-2026-20127, CVSS 10) in its Catalyst SD-WAN Controller that has been actively exploited for at least three years since 2023. The threat actor, tracked as UAT-8616, used the flaw to add rogue peers to SD-WAN management systems, then chained it with a software version downgrade to exploit a second older vulnerability (CVE-2022-20775) for local privilege escalation and root access. CISA issued an emergency directive requiring federal agencies to patch by Friday. The attacker left minimal forensic evidence and no C2 malware or lateral movement was observed. Nation-state actors including Salt Typhoon and Volt Typhoon are suspected given their history of targeting Cisco devices. Mitigations include patching, restricting internet exposure, disabling HTTP access to the admin portal, and enabling centralized logging.

Cisco SD-WAN Zero-Day Under Exploitation for 3 Years