{"id":3050,"date":"2026-03-08T18:20:00","date_gmt":"2026-03-08T10:20:00","guid":{"rendered":"https:\/\/moonsshieldhk.com\/?p=3050"},"modified":"2026-03-10T15:21:06","modified_gmt":"2026-03-10T07:21:06","slug":"recent-cisco-catalyst-sd-wan-vulnerability-now-widely-exploited","status":"publish","type":"post","link":"https:\/\/moonsshieldhk.com\/index.php\/en\/2026\/03\/08\/recent-cisco-catalyst-sd-wan-vulnerability-now-widely-exploited\/","title":{"rendered":"Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited"},"content":{"rendered":"\n<p>The in-the-wild exploitation of four Cisco Catalyst SD-WAN vulnerabilities came to light in recent weeks. One of them is CVE-2026-20127, which had been&nbsp;<a href=\"https:\/\/www.securityweek.com\/cisco-patches-catalyst-sd-wan-zero-day-exploited-by-highly-sophisticated-hackers\/\">exploited as a zero-day<\/a>&nbsp;in combination with an older vulnerability, CVE-2022-20775, to bypass authentication, escalate privileges, and establish persistence on systems.<\/p>\n\n\n\n<p>Cisco Talos linked the attacks to UAT-8616, a highly sophisticated threat actor of unspecified origin and motivation that has been active since at least 2023.&nbsp;<\/p>\n\n\n\n<p>WatchTowr\u2019s head of proactive threat intelligence, Ryan Dewhurst, told&nbsp;<em>SecurityWeek<\/em>&nbsp;that the pace of exploitation for CVE-2026-20127 has \u2014 unsurprisingly \u2014 escalated quickly.<\/p>\n\n\n\n<p>\u201cThis is no longer targeted activity that was described previously, but now internet-wide and growing,\u201d Dewhurst said.<\/p>\n\n\n\n<p>\u201cIn total, the watchTowr proactive threat intelligence team has seen exploitation attempts from numerous unique IP addresses and observed threat actors deploying webshells,\u201d he explained. \u201cThe largest spike in activity occurred on March 4, with attacks widely spread across various regions worldwide, and U.S.-based areas saw slightly higher activity than others.\u201d&nbsp;<\/p>\n\n\n\n<p>The expert warned, \u201cWe expect activity to continue as part of the typical long tail of exploitation, as more threat actors become involved,\u201d adding, \u201cWith mass and opportunistic exploitation at play, any exposed system should be considered compromised until proven otherwise.\u201d<\/p>\n\n\n\n<p>Cisco this week updated a February 25 advisory to inform customers about the exploitation of&nbsp;<a href=\"https:\/\/www.securityweek.com\/cisco-warns-of-more-catalyst-sd-wan-flaws-exploited-in-the-wild\/\">two additional Catalyst SD-WAN vulnerabilities<\/a>, which can be exploited by authenticated attackers for privilege escalation: CVE-2026-20128 and CVE-2026-20122.<\/p>\n\n\n\n<p>The company has not shared any details on the attacks exploiting these vulnerabilities, but its description indicates they have been chained with other flaws.<\/p>\n\n\n\n<p>It\u2019s unclear if the same threat actor is behind all of the campaigns targeting Catalyst SD-WAN vulnerabilities. Cisco recently warned that a zero-day in Secure Email Gateway appliances had been&nbsp;<a href=\"https:\/\/www.securityweek.com\/china-linked-hackers-exploiting-zero-day-in-cisco-security-gear\/\">exploited by China-linked hackers<\/a>, but again, it\u2019s unclear if the attacks are in any way related.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The in-the-wild exploitation of four Cisco Catalyst SD- [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":3051,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-3050","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category--en"],"_links":{"self":[{"href":"https:\/\/moonsshieldhk.com\/index.php\/wp-json\/wp\/v2\/posts\/3050","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/moonsshieldhk.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/moonsshieldhk.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/moonsshieldhk.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/moonsshieldhk.com\/index.php\/wp-json\/wp\/v2\/comments?post=3050"}],"version-history":[{"count":0,"href":"https:\/\/moonsshieldhk.com\/index.php\/wp-json\/wp\/v2\/posts\/3050\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/moonsshieldhk.com\/index.php\/wp-json\/wp\/v2\/media\/3051"}],"wp:attachment":[{"href":"https:\/\/moonsshieldhk.com\/index.php\/wp-json\/wp\/v2\/media?parent=3050"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/moonsshieldhk.com\/index.php\/wp-json\/wp\/v2\/categories?post=3050"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/moonsshieldhk.com\/index.php\/wp-json\/wp\/v2\/tags?post=3050"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}