
Mar 02, 2026 · 5 min read

This Cisco Zero Day Scored a Perfect 10—Hackers Exploited It for 3 Years Before Five Governments Sounded the Alarm

CVE-2026-20127 is a maximum severity authentication bypass in Cisco SD-WAN systems. Five Eyes agencies issued a coordinated emergency alert on February 25th—and the vulnerability has been actively exploited since 2023.


A CVSS 10.0—The Worst Score Possible

On February 25, 2026, the cybersecurity agencies of five allied nations—the US (CISA), the UK (NCSC), Australia (ASD's ACSC), Canada (CCCS), and New Zealand (NCSC-NZ)—issued a coordinated emergency alert about a critical vulnerability in Cisco's SD-WAN infrastructure. The vulnerability, CVE-2026-20127, carries a CVSS score of 10.0: the maximum possible severity rating.

CVSS 10.0 vulnerabilities are rare. They represent flaws where an unauthenticated remote attacker can completely compromise a system with no user interaction required. This one allows attackers to bypass authentication entirely and take administrative control of Cisco Catalyst SD-WAN Controllers and Managers—the systems that manage network routing for large enterprise and government deployments.

What makes this disclosure exceptional is not the score. It's the timeline: investigation by intelligence partners revealed that a sophisticated threat actor tracked as UAT-8616 has been exploiting this vulnerability since at least 2023—three full years before public disclosure.

How the Attack Chain Works

The flaw stems from improper authentication in Cisco's SD-WAN peering mechanism. An attacker can send a crafted request to the SD-WAN Controller or Manager, bypassing authentication entirely and gaining administrative privileges. From there, the attack chain becomes increasingly sophisticated:

  • The attacker creates a "rogue peer" device that joins the network's management and control plane, appearing as a legitimate SD-WAN component
  • Using the built-in update mechanism, the attacker downgrades the software version
  • The downgraded software is then exploited via a separate high-severity vulnerability (CVE-2022-20775) to escalate privileges to root
  • The attacker then restores the original software version—hiding the downgrade from administrators
  • Persistent access is maintained through SSH backdoors and mimicked local user accounts
  • Logs and connection history are cleared to remove forensic evidence

The sophistication of this chain—particularly the downgrade, exploit, restore sequence—suggests a threat actor with deep knowledge of Cisco's update mechanisms and considerable operational experience. Cisco Talos described UAT-8616 as "a highly sophisticated cyber threat actor" and noted the attack reflects "a continuing trend of the targeting of network edge devices."

Three Years of Invisible Access

The most alarming aspect of CVE-2026-20127 is not the vulnerability itself but the timeline. Evidence collected during the investigation indicates exploitation dates back to at least 2023. That represents three years during which attackers with root access to enterprise SD-WAN infrastructure could have:

  • Intercepted and redirected network traffic across entire enterprise networks
  • Exfiltrated credentials, documents, and communications traversing the network
  • Monitored which systems communicated with which, building detailed network maps
  • Positioned for further intrusions deeper into the affected organizations
  • Maintained persistent access through multiple security audits and patch cycles

SD-WAN systems are particularly valuable targets precisely because they sit at the center of an organization's network, where every site and segment meets. Control the SD-WAN, and you control what traffic goes where—and you can see all of it. For critical infrastructure operators, telecom companies, and government agencies running Cisco SD-WAN, three years of potential exposure is a significant incident response challenge.

The Emergency Response

CISA issued Emergency Directive 26-03, which required all US federal civilian executive branch agencies to:

  • Inventory all Cisco SD-WAN systems within 24 hours
  • Apply available patches by 17:00 ET on February 27, 2026
  • Collect forensic artifacts and assess for signs of compromise

Cisco released patched versions across multiple release branches (20.9.8.2, 20.12.6.1, 20.15.4.2, and 20.18.2.1). The vulnerability affects Cisco Catalyst SD-WAN Controller and SD-WAN Manager across all deployment types: on-premises, cloud-hosted, managed-service, and FedRAMP environments.

The coordinated Five Eyes disclosure—involving intelligence partners from the US, UK, Australia, Canada, and New Zealand simultaneously—signals that the impact of this vulnerability extends across allied infrastructure and that the threat actor involved has been active across multiple countries.

The Broader Pattern: Network Edge Devices Under Siege

CVE-2026-20127 is not an isolated incident. Over the past several years, sophisticated threat actors have systematically targeted network edge devices—routers, firewalls, VPN concentrators, SD-WAN controllers—as their primary entry points into enterprise and government networks.

The strategic logic is clear. Edge devices are often excluded from endpoint detection and response (EDR) tools. They run specialized operating systems that many security teams lack the expertise to audit. They handle all incoming and outgoing traffic, making them ideal surveillance points. And they are frequently under-patched, because taking them offline disrupts connectivity.

Salt Typhoon's persistent access to US telecom infrastructure, Volt Typhoon's presence inside US power grid networks, and now UAT-8616's three-year occupation of enterprise SD-WAN systems all follow the same playbook: find a vulnerability in the infrastructure layer, establish persistent access before it's discovered, and maintain that access across years of operational use.

For security teams responsible for network infrastructure, the CVE-2026-20127 disclosure is a reminder that the question is not whether edge devices are being targeted—it's whether your specific devices have already been compromised. CISA's guidance recommends treating affected systems as potentially compromised since 2023 and conducting full forensic analysis before assuming a clean state.

What to Do Now

If your organization runs Cisco Catalyst SD-WAN systems, the recommended steps are:

  • Apply the available patches immediately (versions 20.9.8.2, 20.12.6.1, 20.15.4.2, or 20.18.2.1 depending on your branch)
  • Review authentication logs for unexpected administrative sessions going back to January 2023
  • Check for unknown user accounts or modified SSH authorized keys on SD-WAN systems
  • Review software version history for unexpected downgrades and rapid restores
  • Treat the system as potentially compromised and conduct forensic investigation before returning to normal operations
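The "downgrade, exploit, restore" sequence described in the attack chain and the review steps in the list above lend themselves to a first-pass triage script. The following is an added example, not Cisco's or CISA's tooling: it flags version downgrades that were undone within a short window and administrative logins by accounts outside a known-admin set. The log format, field names and all sample data are constructed; a real SD-WAN Manager export would need its own parser.

```python
# Added example: triage helpers for the downgrade/restore pattern and for
# unexpected administrative sessions. All data here is constructed and the
# log format is hypothetical; adapt the regex to the real export format.
from datetime import datetime, timedelta
import re

# Constructed version-history records: (timestamp, installed version).
VERSION_HISTORY = [
    ("2024-03-01T02:00:00", "20.12.4"),
    ("2024-06-14T03:10:00", "20.9.3"),     # sudden downgrade to an older branch
    ("2024-06-14T03:42:00", "20.12.4"),    # restored about 30 minutes later
    ("2025-01-20T01:00:00", "20.12.5"),
]

def parse_version(v):
    """Turn a dotted version such as '20.12.6.1' into a comparable int tuple."""
    return tuple(int(p) for p in v.split("."))

def find_downgrade_restore(history, max_gap_hours=24):
    """Return (downgrade_time, restore_time, old, new) for every downgrade that
    was undone within max_gap_hours; legitimate rollbacks rarely look like this."""
    recs = [(datetime.fromisoformat(t), parse_version(v), v) for t, v in history]
    hits = []
    for i in range(1, len(recs)):
        _, prev_v, _ = recs[i - 1]
        t, v, s = recs[i]
        if v < prev_v:  # version went backwards
            for later_t, later_v, later_s in recs[i + 1:]:
                if later_v >= prev_v and later_t - t <= timedelta(hours=max_gap_hours):
                    hits.append((t.isoformat(), later_t.isoformat(), s, later_s))
                    break
    return hits

# Constructed auth-log lines (hypothetical format).
AUTH_LOG = """\
2024-06-14T03:05:12 auth: user=admin src=10.1.1.5 result=success role=netadmin
2024-06-14T03:06:40 auth: user=svc-backup src=203.0.113.9 result=success role=netadmin
2024-06-14T03:07:01 auth: user=operator src=10.1.1.7 result=success role=operator
"""
LINE_RE = re.compile(r"^(\S+) auth: user=(\S+) src=(\S+) result=success role=(\S+)")

def unexpected_admin_sessions(log_text, known_admins, since="2023-01-01"):
    """Successful admin-role logins since `since` by accounts not in known_admins."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) >= since and m.group(4) == "netadmin" \
                and m.group(2) not in known_admins:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out
```

Any hit from either function is a reason to move the device into the "potentially compromised" track rather than a proof of compromise on its own.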

CISA's full guidance and indicators of compromise are available through Emergency Directive 26-03. Given the three-year exploitation window, patching alone is not sufficient—forensic investigation of existing systems is essential.