Five Eyes warn: Patch your Cisco SD-WAN or risk root takeover
The Register
February 26, 2026
AI-Generated Deep Dive Summary
The Five Eyes intelligence alliance has issued a rare joint warning about two critical vulnerabilities in Cisco Catalyst SD-WAN products, urging organizations to patch immediately to avoid potential root takeovers by cyber attackers. The alert highlights CVE-2022-20775, a path traversal flaw allowing privilege escalation, and CVE-2026-20127, an improper authentication bug that grants admin rights and control over network configurations. These vulnerabilities are being actively exploited by a highly sophisticated cyber threat group, UAT-8616, targeting high-value sectors like critical infrastructure.
The vulnerabilities were first identified by the Australian Signals Directorate and confirmed by all Five Eyes agencies, including the UK's NCSC. The exploitation process involves using CVE-2026-20127 to gain admin rights and then leveraging CVE-2022-20775 to downgrade software versions, enabling root access. Cisco Talos has linked these attacks to UAT-8616, noting that the group has been active since at least 2023 and is likely targeting sensitive industries.
Originally published on The Register on 2/26/2026