
Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited

WatchTowr reports seeing exploitation attempts for CVE-2026-20127 from numerous unique IP addresses.


Exposure management company WatchTowr reports that a recent Cisco Catalyst SD-WAN vulnerability, initially exploited as a zero-day, is now being used more frequently by threat actors.

The in-the-wild exploitation of four Cisco Catalyst SD-WAN vulnerabilities came to light in recent weeks. One of them is CVE-2026-20127, which had been exploited as a zero-day in combination with an older vulnerability, CVE-2022-20775, to bypass authentication, escalate privileges, and establish persistence on systems.

Cisco Talos linked the attacks to UAT-8616, a highly sophisticated threat actor of unspecified origin and motivation that has been active since at least 2023. 

WatchTowr’s head of proactive threat intelligence, Ryan Dewhurst, told SecurityWeek that the pace of exploitation for CVE-2026-20127 has — unsurprisingly — escalated quickly.

“This is no longer targeted activity that was described previously, but now internet-wide and growing,” Dewhurst said.

“In total, the watchTowr proactive threat intelligence team has seen exploitation attempts from numerous unique IP addresses and observed threat actors deploying webshells,” he explained. “The largest spike in activity occurred on March 4, with attacks widely spread across various regions worldwide, and U.S.-based areas saw slightly higher activity than others.” 


The expert warned, “We expect activity to continue as part of the typical long tail of exploitation, as more threat actors become involved,” adding, “With mass and opportunistic exploitation at play, any exposed system should be considered compromised until proven otherwise.”

Cisco this week updated a February 25 advisory to inform customers about the exploitation of two additional Catalyst SD-WAN vulnerabilities, which can be exploited by authenticated attackers for privilege escalation: CVE-2026-20128 and CVE-2026-20122.

The company has not shared any details on the attacks exploiting these vulnerabilities, but its description indicates they have been chained with other flaws.

It’s unclear if the same threat actor is behind all of the campaigns targeting Catalyst SD-WAN vulnerabilities. Cisco recently warned that a zero-day in Secure Email Gateway appliances had been exploited by China-linked hackers, but again, it’s unclear if the attacks are in any way related. 

Related: China-Linked Hackers Exploiting Zero-Day in Cisco Security Gear

Related: Cisco Patches Critical Vulnerabilities in Enterprise Networking Products

Related: Cisco, F5 Patch High-Severity Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
