Cisco SD-WAN Vulnerabilities: Patch Now to Avoid Root Takeover! | Cybersecurity News (2026)

The world of cybersecurity is on high alert! The Five Eyes intelligence alliance has issued a critical warning to all defenders: patch your Cisco SD-WAN devices immediately or face the risk of a full-blown root takeover. But who are these attackers, and what's their game plan?

The Threat Unveiled:
The Australian Signals Directorate (ASD) first uncovered a dangerous duo of vulnerabilities in Cisco Catalyst SD-WAN. These weaknesses are now being exploited by hackers, prompting all five intelligence agencies of the Five Eyes to issue a joint alert.

The Attack's Modus Operandi:
Malicious cybercriminals are targeting organizations worldwide that use Cisco Catalyst SD-WAN. Their strategy? Compromise the SD-WANs, add a rogue peer, and then execute a series of actions to gain root access and maintain a persistent presence within the network.

Vulnerability Breakdown:
1. CVE-2022-20775 (CVSS 7.8): This path traversal vulnerability, disclosed in September 2022, affects the SD-WAN's command-line interface and enables privilege escalation. Think of it as a backdoor that lets an attacker elevate their access rights.

2. CVE-2026-20127 (CVSS 10.0): This brand-new, maximum-severity bug is an improper authentication flaw affecting the Cisco Catalyst SD-WAN Controller and Manager (formerly SD-WAN vSmart and vManage). With a perfect 10 CVSS score, it is a hacker's dream come true: it grants admin rights and access to NETCONF for reconfiguring the SD-WAN fabric.

The Masterminds Behind the Attacks:
Cisco Talos, in a separate report, attributed the attacks leveraging CVE-2026-20127 to a highly sophisticated group they track as UAT-8616. This group has been active since at least 2023, and their targets are likely in high-value, sensitive sectors, including critical infrastructure.

The Intelligence Blackout:
While the intelligence agencies and Cisco are tight-lipped about the precise details of the exploited vulnerabilities, Talos's report hints at a clever two-step attack. CVE-2026-20127 was likely used to gain admin rights, followed by CVE-2022-20775 to downgrade the SD-WAN software, allowing attackers to seize root access.

The Call to Action:
Defenders are urged to take immediate action. Follow the Five Eyes Hunt Guide to identify signs of compromise, and if found, share the data with security authorities. The final step is to upgrade to the latest version of Cisco Catalyst SD-WAN Controller/Manager to fortify your defenses.

Controversy Alert: Some might argue that the intelligence agencies should disclose more details about the vulnerabilities to help organizations better prepare. But is this a wise move, considering the potential for misuse? The debate is open!

What do you think? Are the intelligence agencies doing enough to protect organizations, or should they reveal more technical details? Share your thoughts in the comments below, and let's spark a discussion on this critical cybersecurity issue.


Author: Van Hayes