Cisco Catalyst SD-WAN Under Active Exploitation: UAT-8616, vdaemon Auth Bypass, and the Firmware-Downgrade Persistence Trick

CVE-2026-20127 and CVE-2026-20182 give unauthenticated peers the keys to the SD-WAN fabric — and UAT-8616 has been weaponizing them since 2023, chaining downgrade-and-restore against the legacy CVE-2022-20775 to land persistent root on Catalyst SD-WAN Controllers worldwide.

Executive Summary

Cisco has confirmed two maximum-severity (CVSS 10.0) authentication bypass vulnerabilities in the Catalyst SD-WAN Controller and Manager — CVE-2026-20127 and the structurally related CVE-2026-20182, both in the vdaemon peering authentication path that listens on UDP/12346 over DTLS. An unauthenticated remote attacker can send a crafted peering request and become an authenticated SD-WAN peer with an internal high-privileged (non-root) account, then pivot through NETCONF to manipulate the SD-WAN fabric — redirecting, blocking, or intercepting traffic across the customer’s entire WAN.

The threat actor tracked as UAT-8616 has been operating this primitive since at least 2023, well before public disclosure. Operators don’t stop at admin-level peer status: they chain to the legacy CVE-2022-20775 by downgrading the controller to a vulnerable firmware revision, exploiting the older bug to obtain root, then restoring the original firmware to erase the forensic trail. CISA issued Emergency Directive ED 26-03 in February 2026, forcing federal agencies to inventory, collect forensic artifacts, patch, and hunt — with a hard external-log-storage deadline of 23:59 ET on 2026-02-26. Cisco PSIRT followed in March 2026 by confirming active exploitation of two additional Manager-side flaws (CVE-2026-20128, arbitrary file overwrite, and CVE-2026-20122, information disclosure). Rapid7 disclosed CVE-2026-20182 in May 2026 as a structurally distinct but functionally equivalent flaw in the same vdaemon stack — explicitly not a patch bypass of CVE-2026-20127, but a sibling defect that survives the first patch if not separately remediated.

  • Two CVSS 10.0 in one service (vdaemon × 2): CVE-2026-20127 and CVE-2026-20182 are distinct flaws in the same DTLS peering path.
  • In-the-wild window (2023 → now): UAT-8616 exploitation predates disclosure by ~3 years.
  • Federal action (ED 26-03): CISA mandate to inventory, forensically capture, patch, and hunt.

Technical Analysis

The Cisco Catalyst SD-WAN control plane uses a peer-authenticated overlay: the Controller (formerly vSmart) brokers routing and policy among edge devices, the Manager (formerly vManage) is the centralized administration surface for up to 6,000 devices per instance, and vBond handles initial zero-touch provisioning. All three speak to each other over DTLS on UDP/12346, with mutual authentication enforced by the vdaemon service. CVE-2026-20127 and CVE-2026-20182 both live in that mutual-auth path: a malformed peering request slips past the check and the attacker is welcomed in as a high-privileged internal account.

Root cause: vdaemon peering authentication malfunction

Per Cisco’s advisory, both vulnerabilities stem from “a malfunction of the peering authentication mechanism” — the validation that should reject an unauthenticated peer. Crafted requests over UDP/12346 (DTLS) cause the controller to register the attacker as a legitimate peer. Rapid7’s Jonah Burgess and Stephen Fewer, who discovered CVE-2026-20182, were explicit that it is “a different issue located in a similar part of the ‘vdaemon’ networking stack” and not a patch bypass. That means organizations that applied the February 25 patch for CVE-2026-20127 are still exposed to CVE-2026-20182 until they install Cisco’s May 2026 software update.

Exploitation chain: peer in, NETCONF out, downgrade for root, restore to hide

The published behavior of UAT-8616 follows a deliberate sequence. The initial peer-in is an authentication bypass, not RCE; root and persistence come from chaining the new auth bypass to the older CVE-2022-20775 via a firmware downgrade. The restore step is the forensic-erasure stage:

UAT-8616 Exploitation Chain
From crafted UDP/12346 packet to persistent root with the original firmware restored

  1. Peer-in over DTLS. Attacker sends a crafted peering request to UDP/12346 on the Controller or Manager. The malformed packet trips the vdaemon auth bug (CVE-2026-20127 or -20182) and the attacker is registered as a legitimate SD-WAN peer with a high-privileged, non-root internal account.
  2. NETCONF abuse. The new peer session is used to drive NETCONF against the SD-WAN fabric — rearranging route policy, adding a rogue peer that “appears as a new, temporary, and legitimate SD-WAN component” (per CISA), and advertising attacker-controlled networks.
  3. Traffic manipulation. With route-policy control, the attacker redirects, blocks, or intercepts traffic across the customer’s WAN — including positioning the rogue peer to receive sensitive flows.
  4. Firmware downgrade. The attacker uses the admin session to downgrade the Controller image to a build that still contains CVE-2022-20775 — an older privilege escalation flaw — opening the path to a full root shell.
  5. Root via legacy CVE. CVE-2022-20775 is exploited on the downgraded image; the attacker obtains a root shell and writes persistence artifacts (SSH keys for vmanage-admin, modified configurations, attacker accounts).
  6. Restore + log scrub. The attacker upgrades back to the original (patched-looking) firmware, then clears auth.log, command history, network connection history, and any local artifacts. The compromise persists in non-volatile config; the obvious forensic trail does not.

What the “rogue peer” primitive actually buys the attacker

CISA’s ED 26-03 articulates the critical secondary effect: “The threat actor-controlled rogue device appears as a new, temporary, and legitimate SD-WAN component. The rogue device can then conduct trusted actions within the management and control planes, allowing for privilege escalation and persistence.” Because the rogue peer is trusted by the fabric, every downstream edge device honors its policy advertisements — meaning a single Controller compromise hands the attacker an inline, vendor-blessed position in every branch and data-center site fed by that fabric. The exploitation primitive is unauthenticated; the post-exploitation primitive is a TLS-trusted, fully-authenticated rogue device that route engineers will not flag without specifically looking for it.

The companion Manager flaws (CVE-2026-20128 and CVE-2026-20122)

In March 2026, Cisco PSIRT updated the original advisory to confirm in-the-wild exploitation of two additional Manager-side vulnerabilities:

  • CVE-2026-20128 — high-severity arbitrary file overwrite in Catalyst SD-WAN Manager. Exploitable by a remote attacker who already holds valid read-only API credentials. Useful for tampering with stored configurations, planting persistence files, or corrupting backups before further action.
  • CVE-2026-20122 — medium-severity information disclosure, exploitable locally with valid vmanage credentials. Useful for reconnaissance and credential staging once a foothold exists.

Neither is a remote-unauthenticated win on its own, but both substantially expand the post-foothold toolkit. In an organization where CVE-2026-20127 or CVE-2026-20182 gave the attacker valid API access, CVE-2026-20128 effectively becomes a chained primitive for tamper and persistence.


Impact Assessment

The affected components — Catalyst SD-WAN Controller and Manager — sit at the apex of distributed enterprise WANs. A single Manager instance routinely administers up to 6,000 SD-WAN edge devices. Compromise of the Controller hands the attacker control over the policy distributed to every one of those devices, regardless of branch firewall configuration, regardless of edge device health, regardless of whether the branch has any local SOC visibility at all.

CISA and the UK NCSC issued a joint advisory characterizing the campaign as “global” in scope, with active rogue-peer additions observed in customer environments. Cisco identified UAT-8616 as “highly sophisticated”, and the firmware-downgrade-then-restore trick — rare in commodity intrusions — matches the operational tradecraft of a well-resourced state-aligned actor.

Defender Position

  • Known attack surface: a single service (vdaemon) on a single port (UDP/12346) — readily monitored or firewalled.
  • High-fidelity forensic indicators published by Cisco and CISA: auth.log public-key acceptance from unauthorized IPs, rogue peering events, downgrade-then-upgrade sequences.
  • ED 26-03 mandates the exact forensic capture and external log retention defenders need to detect this campaign — if they hadn’t already.
  • Cisco patches available; CISA requires fresh deployment from patched OVA/QCOW2 images for confirmed compromises, not just in-place upgrade.

Attacker Position

  • Unauthenticated remote primitive against a control plane that often has its management interface exposed to the internet.
  • Three-year head start: exploitation predates disclosure by ~3 years, with substantial dwell time in unmonitored environments.
  • Persistent root via downgrade-restore evades the obvious post-incident sweep of forensic artifacts.
  • Trusted rogue-peer status lets policy abuse cross every branch on the fabric without per-site exploitation.

Practical signal: If your Catalyst SD-WAN Manager interface (vmanage-admin login) has ever been reachable from the public internet, treat the deployment as scoped for compromise. Patch first, then hunt — do not assume absence of obvious post-exploitation artifacts means absence of compromise. UAT-8616’s downgrade-restore tradecraft is specifically designed to clean those artifacts.

Detection & Response

Detection sits across four telemetry sources: the controller’s own /var/log/auth.log, the SD-WAN peering audit, the firmware version event log, and network telemetry at the perimeter for UDP/12346. The rules below are illustrative Sigma and KQL forms tuned against the IOCs published by Cisco, CISA, NCSC, and Rapid7. Baseline against your authorized vmanage-admin source IPs and scheduled maintenance windows before deploying.

Indicators of Compromise (IOCs)

SD-WAN Compromise IOC Reference
Sourced from Cisco PSIRT, CISA ED 26-03, NCSC, and Rapid7 publications

  • Threat actor: UAT-8616 — assessed sophisticated; active since at least 2023.
  • Exposed service: vdaemon over DTLS on UDP/12346.
  • CVE chain: CVE-2026-20127 (CVSS 10.0) or CVE-2026-20182 (CVSS 10.0) → CVE-2022-20775 (root) via firmware downgrade. Manager-side: CVE-2026-20128, CVE-2026-20122.
  • auth.log signature: sshd[...]: Accepted publickey for vmanage-admin from <unknown-IP> port <port> ssh2: RSA SHA256:<key> from any IP that is not on your maintenance allowlist.
  • Peer-fabric signature: New SD-WAN peer device appearing in fabric inventory with no corresponding change ticket; peer connection at unexpected times; peer originates from an unrecognized public IP or has a device type inconsistent with the rest of the fabric.
  • Firmware-tamper signature: Controller firmware version transitions: downgrade → upgrade-back-to-original sequence within a short window with no change ticket.
  • Post-exploit cleanup: Cleared auth.log, missing command history, zeroed network connection history, log-forwarding interruptions, modified configurations, unexpected SSH key removals.
  • Forensic artifacts to seize: Admin core dumps; user home directories; full /var/log/ tree; running configuration; running peer table; full image hash of currently running firmware.

Illustrative Detection Rules

Logging prerequisites: Forward Controller/Manager /var/log/auth.log and the SD-WAN application logs to an external log store — per ED 26-03’s explicit requirement — before exploitation. Logs that live only on a compromised Controller will be cleared in the post-exploitation cleanup phase and forensics will be limited to whatever the attacker chose to leave behind.

Rule 1 — vmanage-admin public-key login from an IP not on the maintenance allowlist. The highest-fidelity post-exploitation signal published by Cisco: an SSH login as the privileged service account from an IP that doesn’t belong on the allowlist. Tuning this rule is environment-specific — populate allowed_admin_ips with your jumphost / NOC NAT egress addresses.

title: vmanage-admin SSH Login From Unauthorized Source
id: a1c84e10-sdwan-vmanage-admin-ssh
status: experimental
description: >
  Detects an SSH public-key authentication as vmanage-admin on a Catalyst SD-WAN
  Controller or Manager from a source IP that is not on the organization's
  administrative allowlist. Published as a high-fidelity IOC for the
  UAT-8616 / CVE-2026-20127 campaign by Cisco and CISA.
logsource:
  product: linux
  service: auth
  category: ssh
detection:
  selection:
    program: sshd
    Message|contains: 'Accepted publickey for vmanage-admin'
  filter_allowlist:
    # Replace with your authorized jumphost / NOC egress IPs.
    # The |cidr modifier is what makes a network prefix match a single source address.
    SourceIp|cidr:
      - '10.10.0.0/16'
      - '192.0.2.0/24'
  condition: selection and not filter_allowlist
fields:
  - SourceIp
  - SourcePort
  - KeyFingerprint
  - HostName
falsepositives:
  - Legitimate emergency admin from an unallowlisted location — investigate, do not auto-suppress.
level: high
tags:
  - attack.t1078.003   # Valid Accounts: Local Accounts (vmanage-admin is a local service account)
  - attack.t1098       # Account Manipulation
  - attack.lateral_movement
references:
  - https://www.cisa.gov/news-events/directives/ed-26-03
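The same check as Rule 1, expressed as a host-side script that can be run against a copied /var/log/auth.log (it is also the audit that step 5 of Mitigation & Remediation calls for). This is an added example and not code from the original post, from Cisco, or from CISA: it parses sshd “Accepted publickey” lines, keeps only logins as vmanage-admin, and flags any whose source is not inside an allowlisted network. The log excerpt, the hostname sdwan-ctrl01, the key fingerprints and the allowlist networks are all constructed placeholders; a source that is not even a parseable IP address is flagged rather than silently skipped.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample auth.log excerpt for a hypothetical controller "sdwan-ctrl01".
# These lines are made up for this example; they are not from a real device.
SAMPLE_AUTH_LOG = """\
Feb 20 02:14:07 sdwan-ctrl01 sshd[4121]: Accepted publickey for vmanage-admin from 10.10.4.22 port 51234 ssh2: RSA SHA256:ExampleFingerprintA
Feb 20 02:15:11 sdwan-ctrl01 sshd[4130]: Accepted publickey for vmanage-admin from 203.0.113.45 port 40022 ssh2: RSA SHA256:ExampleFingerprintB
Feb 20 02:16:40 sdwan-ctrl01 sshd[4139]: Accepted password for admin from 10.10.4.22 port 51300 ssh2
Feb 20 02:17:02 sdwan-ctrl01 sshd[4144]: Failed publickey for vmanage-admin from 198.51.100.9 port 33001 ssh2: RSA SHA256:ExampleFingerprintC
Feb 20 02:18:30 sdwan-ctrl01 sshd[4150]: Accepted publickey for vmanage-admin from bad-host port 22 ssh2: RSA SHA256:ExampleFingerprintD
"""

# Assumed administrative source networks (jumphost / NOC egress); replace with your own.
ALLOWED_ADMIN_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.0.2.0/24")]

# Matches the "Accepted publickey" line format that sshd writes to auth.log.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fingerprint>\S+))?"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    source: str
    fingerprint: str
    reason: str


def source_is_allowlisted(src: str, allowed_nets) -> bool:
    """True only if src parses as an IP address inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # not a literal IP: never silently allowlist it
    return any(addr in net for net in allowed_nets)


def find_unauthorized_admin_logins(log_text: str, allowed_nets=ALLOWED_ADMIN_NETS,
                                   account: str = "vmanage-admin") -> list:
    """Return one Finding per accepted public-key login for `account` whose source is
    not on the allowlist. Failed logins and other accounts are ignored, because the
    published IOC is specifically a successful publickey login as vmanage-admin."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m or m["user"] != account:
            continue
        src = m["src"]
        if source_is_allowlisted(src, allowed_nets):
            continue
        try:
            ipaddress.ip_address(src)
            reason = "source IP not on admin allowlist"
        except ValueError:
            reason = "source is not a parseable IP address"
        findings.append(Finding(m["ts"], m["host"], src, m["fingerprint"] or "", reason))
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_admin_logins(SAMPLE_AUTH_LOG):
        print(f"{f.timestamp} {f.host}: vmanage-admin login from {f.source} "
              f"({f.reason}) key={f.fingerprint}")
```

Run it on the constructed sample and two of the five lines are reported: the login from 203.0.113.45 (outside both allowlisted prefixes) and the one whose source field is not an IP literal at all. The allowlisted login from 10.10.4.22, the password login as a different account and the failed attempt are all ignored, mirroring the Sigma rule's selection and filter.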

Rule 2 — New SD-WAN peer added outside a change window. Every legitimate peer onboarding goes through change control; UAT-8616’s rogue-peer step does not. Correlate fabric inventory deltas with the change-ticket system.

title: SD-WAN Fabric Peer Added Without Change Approval
id: 2b9f4a25-sdwan-rogue-peer
status: experimental
description: >
  Detects the registration of a new peer device in the Catalyst SD-WAN fabric
  without a matching, approved change-control record. UAT-8616 weaponizes the
  post-auth-bypass primitive by adding a rogue peer that is trusted by the
  fabric and used to manipulate route policy.
logsource:
  product: cisco
  service: sdwan_peering
detection:
  peer_added:
    EventType: peer_registration
    Action: add
  filter_change_approved:
    # Pseudo-field: wire your CMDB / change-ticket system into this filter.
    ChangeTicketStatus: approved
  filter_business_hours:
    # Optional secondary filter — SD-WAN peers added at 03:00 local with no ticket
    # are higher-confidence anomalies than the same change during business hours.
    # Not referenced by the condition below; to use it, append
    # "and not filter_business_hours" to the condition.
    HourLocal:
      - 9
      - 10
      - 11
      - 12
      - 13
      - 14
      - 15
      - 16
      - 17
  condition: peer_added and not filter_change_approved
fields:
  - PeerDeviceId
  - PeerDeviceType
  - PeerSourceIp
  - InitiatorUser
  - SiteId
level: high
tags:
  - attack.t1556   # Modify Authentication Process
  - attack.persistence

Rule 3 — Firmware downgrade-then-restore within a short window. The canonical UAT-8616 root-acquisition signature is a Controller image downgrade immediately followed by an upgrade back to (or past) the original version. Either step on its own can be legitimate; the rapid sequence is the smoking gun.

title: Catalyst SD-WAN Controller Firmware Downgrade-and-Restore
id: 8e02c731-sdwan-fw-downgrade-restore
status: experimental
description: >
  Detects a Catalyst SD-WAN Controller firmware downgrade followed by an upgrade
  back to (or past) the original version within 6 hours. This is the canonical
  UAT-8616 chain: downgrade to expose CVE-2022-20775, gain root, then restore to
  erase the forensic trail.
logsource:
  product: cisco
  service: sdwan_image
detection:
  # Pseudo-Sigma: comparing one field against another (NewVersion vs PreviousVersion)
  # and the "near" sequence operator are not portable across Sigma backends. Implement
  # the version comparison and the 6h sequence in the SIEM's own correlation language.
  downgrade:
    EventType: image_change
    NewVersion|lt: PreviousVersion
  restore_event:
    EventType: image_change
    NewVersion|gte: PreviousVersion
  # Sequence: downgrade followed by restore_event on the same DeviceId within 6h.
  timeframe: 6h
  condition: downgrade | near restore_event by DeviceId
fields:
  - DeviceId
  - PreviousVersion
  - NewVersion
  - InitiatorUser
  - ChangeTicketId
falsepositives:
  - Legitimate rollback for production bug; should always have a ticket.
level: critical
tags:
  - attack.t1562.001   # Impair Defenses: Disable or Modify Tools
  - attack.t1601.002   # Modify System Image: Downgrade System Image
  - attack.defense_evasion
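Because the field-to-field comparison and the sequence logic in Rule 3 are pseudo-Sigma, here is the same detection as a stand-alone script that can be run over an exported firmware-version event log (this is also the hunt that step 7 of Mitigation & Remediation asks for). It is an added example, not code from the original post or from Cisco: it compares dotted version strings numerically, groups image-change events per device, and flags every downgrade that is followed, within a 6-hour window, by an upgrade back to or past the version that was running before. The event records, device names and ticket numbers are constructed; the field layout is an assumption about how such an export might look.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ImageChange:
    """One firmware image-change event from a controller's version event log.
    Field names are an assumption for this example, not a Cisco export format."""
    device_id: str
    ts: datetime
    previous_version: str
    new_version: str
    change_ticket: Optional[str] = None   # approved change record, if any


@dataclass(frozen=True)
class DowngradeRestore:
    device_id: str
    original_version: str   # version running before the downgrade
    downgraded_to: str
    downgrade_ts: datetime
    restore_ts: datetime
    ticketed: bool          # both steps carried a change ticket


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric comparison key for dotted versions such as 20.12.4 or 20.9.5.1.
    Parsing stops at the first segment that does not start with digits, so a
    trailing build tag does not disturb the comparison."""
    parts = []
    for segment in version.split("."):
        m = re.match(r"\d+", segment)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def find_downgrade_restore(events: List[ImageChange],
                           window: timedelta = timedelta(hours=6)) -> List[DowngradeRestore]:
    """Flag every downgrade that is followed, on the same device and within `window`,
    by an upgrade back to (or past) the version running before the downgrade."""
    per_device = {}
    for ev in sorted(events, key=lambda e: e.ts):
        per_device.setdefault(ev.device_id, []).append(ev)

    findings = []
    for device_id, evs in per_device.items():
        for i, ev in enumerate(evs):
            original = version_key(ev.previous_version)
            if not version_key(ev.new_version) < original:
                continue   # an upgrade or a no-op, not a downgrade
            for later in evs[i + 1:]:
                if later.ts - ev.ts > window:
                    break  # events are time-sorted, so nothing after this is in the window
                if version_key(later.new_version) >= original:
                    findings.append(DowngradeRestore(
                        device_id, ev.previous_version, ev.new_version, ev.ts, later.ts,
                        ticketed=bool(ev.change_ticket and later.change_ticket)))
                    break
    return findings


T = datetime.fromisoformat

# Constructed event log: three hypothetical controllers, none of them real devices.
SAMPLE_EVENTS = [
    # sdwan-ctrl01: unticketed downgrade and restore 39 minutes apart -> the UAT-8616 pattern
    ImageChange("sdwan-ctrl01", T("2026-02-20T03:02:00"), "20.12.4", "20.6.3"),
    ImageChange("sdwan-ctrl01", T("2026-02-20T03:41:00"), "20.6.3", "20.12.4"),
    # sdwan-ctrl02: ticketed rollback, re-upgraded two days later -> outside the window
    ImageChange("sdwan-ctrl02", T("2026-02-18T10:00:00"), "20.12.4", "20.9.5", "CHG-0042"),
    ImageChange("sdwan-ctrl02", T("2026-02-20T10:00:00"), "20.9.5", "20.12.4", "CHG-0043"),
    # sdwan-ctrl03: a plain upgrade, no downgrade at all
    ImageChange("sdwan-ctrl03", T("2026-02-19T22:00:00"), "20.9.5", "20.12.4", "CHG-0040"),
]


if __name__ == "__main__":
    for f in find_downgrade_restore(SAMPLE_EVENTS):
        print(f"{f.device_id}: {f.original_version} -> {f.downgraded_to} at {f.downgrade_ts}, "
              f"restored at {f.restore_ts}, ticketed={f.ticketed}")
```

On the constructed log only sdwan-ctrl01 is reported, and with ticketed=False. The ctrl02 rollback is a genuine downgrade but its restore lands two days later, outside the 6-hour window, which is the distinction the rule's timeframe is meant to draw; a ticketed hit inside the window should still be reviewed against the ticket rather than auto-closed.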

Rule 4 — Log scrub / forensic-artifact tampering. Cleared auth.log, missing command history, zeroed network connection records, and log-forwarding interruptions are all post-compromise cleanup signals. None should occur on a healthy Controller.

title: SD-WAN Controller Log Tampering / Forensic Scrub
id: c46cd1f3-sdwan-log-scrub
status: experimental
description: >
  Detects evidence of post-compromise log cleanup on a Catalyst SD-WAN Controller:
  cleared auth.log, missing command history, zeroed network connection history,
  or interruptions in log forwarding. CISA-published IOC for the UAT-8616 campaign.
logsource:
  product: linux
  service: syslog
detection:
  log_cleared:
    Message|contains:
      # Double-quoted so the embedded single quotes are valid YAML.
      - "rsyslogd: action 'builtin:omfile' suspended"
      - 'logrotate: ... truncate failed'
      - 'auth.log: truncated'
  history_wiped:
    CommandHistorySize: 0
  forwarding_gap:
    # Gap of >5 minutes in expected log forwarding heartbeat from a Controller.
    HeartbeatGapSec|gt: 300
  condition: log_cleared or history_wiped or forwarding_gap
fields:
  - DeviceId
  - GapStart
  - GapEnd
  - LastSequence
level: high
tags:
  - attack.t1070.002   # Indicator Removal: Clear Linux or Mac System Logs
  - attack.t1070.003   # Clear Command History
  - attack.defense_evasion

Rule 5 — Suricata sketch for anomalous DTLS to UDP/12346 from non-fabric sources. The vdaemon service should only see DTLS peering from known SD-WAN peer IPs. Anything else is investigation-worthy, particularly inbound from the public internet if the management interface is (incorrectly) reachable.

# Suricata sketch — DTLS to vdaemon (UDP/12346) from outside the fabric
# Define $SDWAN_FABRIC_NETS (legitimate SD-WAN peers/edges) and $SDWAN_CONTROLLER_NETS
# under address-groups in suricata.yaml before loading this rule.
alert udp !$SDWAN_FABRIC_NETS any -> $SDWAN_CONTROLLER_NETS 12346 ( \
    msg:"SDWAN vdaemon DTLS peer attempt from non-fabric source (CVE-2026-20127/20182)"; \
    flow:to_server; \
    dsize:>0; \
    threshold:type both, track by_src, count 5, seconds 60; \
    classtype:attempted-admin; \
    sid:5026127; rev:1; \
    metadata:cve CVE-2026-20127, cve CVE-2026-20182; \
)

Rule 6 — KQL hunting query for forwarded controller syslog (Sentinel / Defender for Cloud). Catches the auth.log signal plus the forwarding-gap signal in one place when controllers ship logs into a Sentinel workspace.

// SD-WAN Controller compromise hunt — KQL for forwarded auth.log + syslog heartbeat
let allowed_admin_ips = dynamic(["10.10.0.0/16", "192.0.2.0/24"]);   // <-- tune
let auth_anomalies = Syslog
    | where Facility == "auth" or SyslogMessage has "sshd"
    | where SyslogMessage has "Accepted publickey for vmanage-admin"
    | extend src_ip = extract(@"from (\d+\.\d+\.\d+\.\d+)", 1, SyslogMessage)
    | where isnotempty(src_ip)
    | where not(ipv4_is_in_any_range(src_ip, allowed_admin_ips))
    | project TimeGenerated, HostName, src_ip, SyslogMessage;
let heartbeat_gaps = Heartbeat
    | where ResourceProvider == "Cisco-SDWAN"   // tune to your data connector
    | summarize last_seen = max(TimeGenerated) by Computer
    | where last_seen < ago(5m);
auth_anomalies
| join kind=fullouter (heartbeat_gaps) on $left.HostName == $right.Computer
| order by TimeGenerated desc

Correlation guidance for the SOC analyst:

  • The decisive chain is Rule 2 (rogue peer) followed within minutes by Rule 3 (firmware downgrade). Either alone is investigation-worthy; the sequence is a confirmed-compromise pattern that warrants immediate isolation of the Controller.
  • Rule 1 + Rule 4 together indicate the cleanup phase has begun — an unauthorized admin login followed by log scrubbing on the same device. Treat as confirmed compromise and pivot to CISA’s forensic capture procedure.
  • External log retention is load-bearing. Rules 1, 2, 4, and 6 all depend on log data that lives on the Controller itself. If you have not forwarded logs to an external store before exploitation, Rule 3 (firmware version delta, captured at the fabric level) and Rule 5 (perimeter DTLS observation) become your only post-hoc detection options.
  • Beware the “clean” controller. The whole point of the downgrade-restore step is to leave the firmware looking unchanged. Do not rely on currently-running firmware version as proof of integrity — CISA explicitly requires fresh OVA/QCOW2 redeployment for systems with root-account-compromise indicators.

Mitigation & Remediation

  1. Patch Controller and Manager to fixed releases — both CVEs. Apply the Cisco software updates that remediate CVE-2026-20127 and CVE-2026-20182. CVE-2026-20182 is structurally distinct and not covered by the February 25 patch — verify both are installed. Patch Manager separately for CVE-2026-20128 and CVE-2026-20122.
  2. Get the management interface off the public internet. CISA and Cisco both explicitly state SD-WAN management interfaces should not be internet-reachable. Place behind a VPN / jumphost with IP allowlisting and MFA on the jumphost. This single change eliminates the unauthenticated-from-anywhere attack surface.
  3. Inventory and forensically capture before any in-place upgrade. ED 26-03’s required artifacts: admin core dumps, full /var/log/ tree, user home directories, running config snapshot, running peer table, image hash of currently running firmware. Capture before patching so the post-incident trail survives.
  4. Externalize log storage immediately. Forward Controller and Manager logs to a write-only external store. ED 26-03 set the federal deadline at 23:59 ET on 2026-02-26 — treat that as your minimum bar, then verify the forwarding hasn’t been silently broken by an in-place attacker.
  5. Audit auth.log for the Cisco-published signature. Search every Controller and Manager /var/log/auth.log for Accepted publickey for vmanage-admin from <ip> events where the source IP is not on your allowlist. Treat any match as compromise pending evidence to the contrary.
  6. Reconcile the SD-WAN peer table against change control. Every peer in the fabric should map to an approved change ticket. Investigate any peer that does not.
  7. Hunt for the downgrade-restore signature. Pull the firmware-version event log for every Controller and look for downgrade-then-restore-to-original sequences. Any such sequence without an approved change ticket is a root-compromise indicator and triggers full rebuild.
  8. For confirmed compromises, rebuild from clean OVA/QCOW2. CISA mandates: deploy fresh vManage / vSmart / vBond from patched images, migrate edges to the new infrastructure, issue new administrator credentials with unique passwords, and rotate the trust anchors. In-place patching does not erase a downgrade-restore-implanted root foothold.
  9. Enforce least-privilege on API credentials. CVE-2026-20128 and CVE-2026-20122 require valid Manager API credentials. Audit which accounts hold API access, rotate credentials post-patch, and remove read-only API access for any account that does not require it.

Strategic Context

The SD-WAN Controller flaw is the second CVSS-10.0 vulnerability in a Cisco network control plane this year. The pattern is recognizable: the most consequential bugs of 2026 are not in edge devices or remote-access VPN concentrators — they are in the management overlays that admins implicitly trust to never be the attack surface. Whoever owns the Controller owns every branch downstream of it, without needing to compromise a single edge appliance.

UAT-8616’s tradecraft is the part defenders should internalize. The unauthenticated bypass is the door; the firmware-downgrade-then-restore is what makes the compromise survive every standard post-incident sweep. Hash-the-binary, check-the-version, compare-against-gold-image — none of those catch an attacker who put the original image back before forensics arrived. The compromise persists in non-volatile configuration — the rogue peer, the modified policy, the planted SSH key — not in the binary that’s easy to fingerprint.

Karma-X Perspective

The management plane is the new endpoint

For two decades, “endpoint protection” meant laptops, servers, and edge appliances. The Cisco SD-WAN campaign is a clean argument that the most valuable target on the network is now the management plane — the controller, the orchestrator, the centralized policy engine — because compromise there propagates with vendor-blessed trust to every device downstream. UAT-8616 doesn’t need to land malware on a single branch firewall when the Controller will broadcast hostile policy to all of them at once.

The defensive corollary is that behavioral monitoring of administrative actions on management-plane systems is now load-bearing. Patching closes the door for next time; what catches the attackers already inside is anomaly detection on the operations that only an attacker would perform — firmware downgrade-then-restore, rogue peer registration outside change windows, log scrub on a healthy controller. That detection surface is exactly what Karma-X is built to deliver: continuous, behavior-led visibility on the systems that traditionally have no agent and no SOC oversight.


Timeline

~2023
Earliest known UAT-8616 activity. Per Cisco Talos and CISA, malicious exploitation of CVE-2026-20127 dates back to at least 2023 — roughly three years before public disclosure.
2026-02 (early)
CISA Emergency Directive ED 26-03. Federal agencies ordered to inventory, forensically capture, externalize logs, and patch all Catalyst SD-WAN systems. NCSC publishes a joint advisory.
2026-02-25
Cisco advisory + patch for CVE-2026-20127. Maximum-severity peering authentication bypass disclosed; software updates released.
2026-02-26 23:59 ET
ED 26-03 external-log-storage deadline. Federal agencies must have inventoried Cisco SD-WAN systems and externalized log/artifact collection by this hard deadline.
2026-03
Manager-side flaws confirmed exploited. Cisco PSIRT updates the advisory to confirm in-the-wild exploitation of CVE-2026-20128 (arbitrary file overwrite) and CVE-2026-20122 (information disclosure) in Catalyst SD-WAN Manager.
2026-05
Rapid7 discloses CVE-2026-20182. A structurally distinct CVSS-10.0 sibling of CVE-2026-20127 in the same vdaemon stack — not a patch bypass, but a separate flaw requiring its own fix. Cisco confirms “limited exploitation” in the wild.
