Cisco SD-WAN Under Active Attack — ACSC Urges Australian Businesses to Patch
A critical authentication-bypass flaw in Cisco Catalyst SD-WAN Controller and Manager is being actively exploited in the wild, and the Australian Signals Directorate’s cyber arm (ACSC) is the agency that discovered it. Tracked as CVE-2026-20127 with a maximum CVSS score of 10.0, the vulnerability lets an unauthenticated attacker on the network obtain full administrative privileges. Two related Cisco SD-WAN CVEs — CVE-2026-20128 and CVE-2026-20122 — are also being exploited, as reported by Greenbone and confirmed in the ACSC advisory. A threat group tracked as UAT-8616 has reportedly been using the flaw since 2023.
If your business or one of your sites relies on Cisco Catalyst SD-WAN — on-prem, cloud-hosted or FedRAMP — you are in scope. The attack chain is nasty: the attacker bypasses authentication, injects a rogue peer into the SD-WAN management plane, then downgrades the software to a vulnerable version to escalate to root. That means full control of the device that routes your branch and head-office traffic. For Australian organisations with distributed sites (multi-venue hospitality groups, regional NFPs, financial planning networks) this is exactly the infrastructure attackers want to own.
What to do today: there are no workarounds. Upgrade immediately to a fixed version using Cisco’s upgrade matrix. Run a compromise assessment against the Five Eyes IoC hunt guide before you assume you are clean — remember, exploitation has been traced back three years. Review management-plane access, rotate admin credentials, and check for unexpected peer entries.
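The checks for unexpected peer entries and for software downgrades can be run as a comparison between two management-plane inventory snapshots. This is an added example, not code from Cisco, the ACSC or this page's author; the record fields (`serial`, `system_ip`, `version`), the export format, and all sample serials, addresses and version strings are constructed assumptions.

```python
"""Flag unapproved peers and software downgrades between two inventory snapshots."""


def parse_version(text):
    # Dotted numeric versions only. Sample values below are constructed,
    # not real release numbers.
    return tuple(int(part) for part in text.split("."))


def review_snapshot(approved, previous, current):
    """approved: set of serials taken from your own asset inventory.
    previous/current: lists of {"serial", "system_ip", "version"} dicts
    (hypothetical export format, adapt to whatever your tooling produces).
    Returns a list of (finding, serial, detail) tuples."""
    findings = []
    before = {peer["serial"]: peer for peer in previous}
    for peer in current:
        serial = peer["serial"]
        if serial not in approved:
            # Peer present in the management plane but absent from the inventory.
            findings.append(("unapproved_peer", serial, peer["system_ip"]))
            continue
        old = before.get(serial)
        if old is None:
            continue  # approved device seen for the first time
        try:
            downgraded = parse_version(peer["version"]) < parse_version(old["version"])
        except ValueError:
            findings.append(("unparsed_version", serial, peer["version"]))
            continue
        if downgraded:
            findings.append(("downgrade", serial, f'{old["version"]} -> {peer["version"]}'))
    return findings


# Constructed sample data (documentation address range, made-up serials).
APPROVED = {"SER-A", "SER-B"}
PREVIOUS = [
    {"serial": "SER-A", "system_ip": "192.0.2.1", "version": "2.1.0"},
    {"serial": "SER-B", "system_ip": "192.0.2.2", "version": "2.1.0"},
]
CURRENT = [
    {"serial": "SER-A", "system_ip": "192.0.2.1", "version": "2.0.3"},
    {"serial": "SER-B", "system_ip": "192.0.2.2", "version": "2.1.0"},
    {"serial": "SER-X", "system_ip": "192.0.2.99", "version": "2.1.0"},
]

if __name__ == "__main__":
    for finding in review_snapshot(APPROVED, PREVIOUS, CURRENT):
        print(finding)
```

Any finding is a prompt for investigation against the IoC hunt guide, not proof of compromise on its own; planned rollbacks and newly onboarded devices will also appear.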
Not sure whether your network edge is running Cisco SD-WAN, or whether your MSP has already patched it? That’s the kind of thing our team handles as part of our cybersecurity services. If you’re unsure, ask.