Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023

By alex2404

A maximum-severity zero-day vulnerability in two of Cisco’s core networking products has been actively exploited since at least 2023, the company confirmed this week, with a threat actor already tracked and linked to post-compromise activity across affected systems.

The flaw, identified as CVE-2026-20127 and carrying a CVSS score of 10.0, affects the Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). A remote attacker who holds no credentials can bypass authentication entirely and obtain administrative privileges by sending a crafted request to an affected system.

The Cisco SD-WAN Breach

Cisco attributed the discovery to the Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC). The company is tracking the exploitation cluster under the designation UAT-8616, describing it as a “highly sophisticated cyber threat actor.” Exploitation dates back to at least 2023, so affected systems may have been exposed for years before a fix was available.

Three additional Cisco Catalyst SD-WAN vulnerabilities were also disclosed this week: CVE-2026-20122, CVE-2026-20126, and CVE-2026-20128, adding further urgency for organizations running these systems to prioritize patching.

A Wide Field of Critical Vulnerabilities

Beyond Cisco, this week produced a significant volume of high-priority disclosures across a broad range of enterprise and consumer platforms. The list spans network infrastructure, cloud management, browsers, and endpoint security tools.

Key vulnerabilities organizations should review immediately include:

  • SolarWinds Serv-U: CVE-2025-40538, CVE-2025-40539, CVE-2025-40540, CVE-2025-40541
  • Broadcom VMware Aria Operations: CVE-2026-22719, CVE-2026-22720, CVE-2026-22721
  • Google Chrome: CVE-2026-3061, CVE-2026-3062, CVE-2026-3063
  • Juniper Networks Junos OS: CVE-2026-21902
  • ServiceNow AI Platform: CVE-2026-0542
  • Zyxel: CVE-2025-13942, CVE-2025-13943, CVE-2026-1459
  • Trend Micro Apex One: CVE-2025-71210, CVE-2025-71211
  • Samsung Tizen OS: SVE-2025-50109
  • FreeBSD: CVE-2025-15576
  • HPE Telco Service Activator: CVE-2025-12543

The range alone tells a story. No single product category is insulated. Browser engines, telco infrastructure, smart home devices like the Gardyn Home Kit (CVE-2025-29631, CVE-2025-1242), and even PDF generation libraries like jsPDF (CVE-2026-25755) all appear on this week’s list.

The Broader Pattern

What stands out this week is not any single incident but the distribution of attack surfaces. Threat actors are not waiting for a single large target. They are probing access control gaps, exposed credentials, and trusted service features across interconnected systems simultaneously.

Scanning for newly disclosed flaws is getting faster, and abuse of legitimate platform features is becoming a preferred method for maintaining persistence. Organizations that treat security advisories as isolated events miss the cumulative picture these disclosures form.

Infrastructure and AI platforms are now deeply linked in enterprise environments, and a compromise in one layer can propagate quickly into others. The Cisco SD-WAN case is a direct example: administrative access gained through an authentication bypass opens pathways far beyond the initial entry point.

Patch cycles and vulnerability reviews remain the most effective near-term response available to network and security teams. For the Cisco SD-WAN flaw, patching alone is not sufficient: because exploitation predates the fix by years, affected controllers and managers should be treated as potentially compromised and reviewed for signs of unauthorized administrative access before they are considered clean.


This article is a curated summary based on third-party sources.
