{
	"id": "4f1fae68-8074-49b0-8a66-0da5b657114c",
	"created_at": "2026-04-06T00:13:57.748504Z",
	"updated_at": "2026-04-10T03:27:03.197304Z",
	"deleted_at": null,
	"sha1_hash": "6bcff0f3846b4ea11f2f3093c1ada09fbf7cc56a",
	"title": "Active exploitation of Cisco Catalyst SD-WAN by UAT-8616",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52153,
	"plain_text": "Active exploitation of Cisco Catalyst SD-WAN by UAT-8616\r\nBy Cisco Talos\r\nPublished: 2026-02-25 · Archived: 2026-04-05 14:16:53 UTC\r\nWednesday, February 25, 2026 11:13\r\nCisco Talos is tracking the active exploitation of CVE-2026-20127, a vulnerability in Cisco Catalyst SD-WAN Controller, formerly vSmart, that allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on the affected system by sending a crafted request to it. Successful exploitation may allow the attacker to gain administrative privileges on the Controller as an internal, highly privileged, non-root user account.\r\nTalos clusters this exploitation and subsequent post-compromise activity as “UAT-8616”, which we assess with high confidence is a highly sophisticated cyber threat actor. After the discovery of active exploitation of the 0-day in the wild, we were able to find evidence that the malicious activity went back at least three years (2023).\r\nInvestigation conducted by intelligence partners identified that the actor likely escalated to root user via a software version downgrade. The actor then reportedly exploited CVE-2022-20775 before restoring the original software version, effectively allowing them to gain root access.\r\nUAT-8616's attempted exploitation indicates a continuing trend of cyber threat actors targeting network edge devices to establish persistent footholds in high-value organizations, including Critical Infrastructure (CI) sectors.\r\nCustomers are strongly advised to follow the guidance published in the security advisories discussed below. Additional recommendations specific to Cisco are available here. Customer support is also available by initiating a TAC request. Talos strongly recommends that customers and partners using Cisco Catalyst SD-WAN technology follow the steps outlined in this advisory to help protect their environments.\r\nInitial Peering Event Analysis\r\nThe initial and most critical activity to look for is any control connection peering event identified in Cisco Catalyst SD-WAN logs, as this may indicate an attempt at initial access via CVE-2026-20127. All such peering events require manual validation to confirm their legitimacy, with particular focus on vManage peering types. Threat actors who compromise Cisco Catalyst SD-WAN infrastructure often establish unauthorized peer connections that may appear superficially normal but occur at unexpected times, originate from unrecognized IP addresses, or involve device types inconsistent with the environment's architecture. A comprehensive review process is essential to distinguish between legitimate network operations and potential indicators of compromise.\r\nValidation Checklist Items Include\r\nhttps://blog.talosintelligence.com/uat-8616-sd-wan/\r\nPage 1 of 3\r\nVerify the timestamp of each peering event against known maintenance windows, scheduled configuration changes, and normal operational hours for your environment.\r\nConfirm the public IP address corresponds to infrastructure owned or operated by your organization or authorized partners by cross-referencing against asset inventories and authorized IP ranges.\r\nValidate that the peer system IP matches documented device assignments within your Cisco Catalyst SD-WAN topology.\r\nReview the peer type (vmanage, vsmart, vedge, vbond) to ensure it aligns with expected device roles in your deployment.\r\nCorrelate multiple events from the same source IP or system IP to identify patterns of reconnaissance or persistent access attempts.\r\nCross-reference event timing with authentication logs, change management records, and user activity to establish whether the connection was initiated by authorized personnel.\r\nSample Log Entry\r\nFeb 20 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005\r\nLog Analysis\r\nIn the identified example, the peer-system-ip should be validated as matching the expected IP address schema in use, the timestamp should be validated against any events which might cause a peering event to occur, and the public-ip should be validated as being an expected source for a peering event.\r\nAdditional Investigative Guidance\r\nThe following may be high-fidelity indicators of a successful compromise by UAT-8616 in an SD-WAN infrastructure setup:\r\nCreation, usage and deletion of malicious user accounts, including otherwise absent bash_history and cli-history.\r\nInteractive root sessions on production systems, including unaccounted-for SSH keys, known hosts and bash history. For example:\r\nNotification: system-login-change severity-level:minor host-name:\"\u003cnode_name\u003e\" system-ip:\u003cIP\u003e user-name:\"\"root\"\"\r\nSSH keys in /home/root/.ssh/authorized_keys with “PermitRootLogin” set to “yes” in /etc/ssh/sshd_config\r\nKnown hosts in /home/root/.ssh/known_hosts\r\nUnauthorized or unaccounted-for SSH keys (“authorized_keys”) for the “vmanage-admin” account: /home/vmanage-admin/.ssh/authorized_keys/\r\nAbnormally small logs, including absent or 0/1/2-byte logs.\r\nEvidence of log and history clearing or truncation, including:\r\nsyslog\r\nwtmp\r\nlastlog\r\ncli-history\r\nbash_history\r\nLogs residing in /var/log/\r\nPresence of a cli-history file for a user without the bash history.\r\nIndications of unexplained peers being dropped from or added to the environment.\r\nUnexpected and unauthorized version downgrades and upgrades accompanied by a system reboot. For example (log entries):\r\nWaiting for upgrade confirmation from user. Device will revert to previous software version \u003cversion\u003e in '100' seconds unless confirmed.\r\nSoftware upgrade not confirmed. Reverting to previous software version\r\nEvidence of exploitation of CVE-2022-20775 such as a specially crafted username path traversal string (e.g. “/../../” or “/\\n\u0026../\\n\u0026../”).\r\nRecommendations\r\nWe strongly recommend that you perform the steps outlined in this document. Cisco has also published a hardening guide for Cisco Catalyst SD-WAN deployments located at https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide. It is strongly recommended that any customers who are utilizing the Cisco Catalyst SD-WAN technology follow the guidance provided in this hardening guide. We also recommend referring to advisories here and here and the Cisco Catalyst SD-WAN threat hunting guide released by our intelligence partners for additional detection guidance.\r\nTalos Coverage\r\nTalos is releasing the following Snort coverage for this threat and associated vulnerability:\r\n65938, 65958\r\nSource: https://blog.talosintelligence.com/uat-8616-sd-wan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://blog.talosintelligence.com/uat-8616-sd-wan/"
	],
	"report_names": [
		"uat-8616-sd-wan"
	],
	"threat_actors": [
		{
			"id": "b476e11d-d711-4097-8a21-e8e2e38a5f77",
			"created_at": "2026-03-08T02:00:03.475768Z",
			"updated_at": "2026-04-10T02:00:03.983963Z",
			"deleted_at": null,
			"main_name": "UAT-8616",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-8616",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434437,
	"ts_updated_at": 1775791623,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6bcff0f3846b4ea11f2f3093c1ada09fbf7cc56a.pdf",
		"text": "https://archive.orkl.eu/6bcff0f3846b4ea11f2f3093c1ada09fbf7cc56a.txt",
		"img": "https://archive.orkl.eu/6bcff0f3846b4ea11f2f3093c1ada09fbf7cc56a.jpg"
	}
}