Full Report
Zack Whittaker reports: Cisco says hackers have been exploiting a bug in one of its popular networking products used by large enterprises for at least three years, prompting the U.S. government and its allies to urge organizations to take action. The bug, which has a maximum-rated vulnerability severity score of 10.0, allows hackers to remotely break... Source
Analysis Summary
# Vulnerability: Cisco Catalyst SD-WAN Remote Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2023-20155 (As referenced by linked advisory cisco-sa-sdwan-rpa-EHchtZk)
- **CVSS Score:** 10.0 (Critical)
- **CWE:** Improper Access Control / Privilege Escalation
## Affected Systems
- **Products:** Cisco Catalyst SD-WAN (formerly Viptela SD-WAN)
- **Versions:** Specific versions of SD-WAN Manager (vManage), SD-WAN Controllers (vSmart), and SD-WAN Validators (vBond).
- **Configurations:** Systems accessible over the internet or untrusted networks; primarily large-scale enterprise networking architectures.
## Vulnerability Description
The vulnerability allows a remote, unauthenticated attacker to bypass authentication and gain administrative access to the affected system. Exploitation occurs through the management interface. Due to a flaw in how the system handles certain requests, an attacker can gain the highest level of permissions (root/admin), allowing for persistent access, configuration changes, and deep lateral movement within the compromised network.
## Exploitation
- **Status:** Exploited in the wild. Evidence of exploitation dates back to at least 2023.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Highest level of permissions allows for full data exfiltration and spying).
- **Integrity:** Total (Attackers can modify network configurations and maintain hidden persistence).
- **Availability:** Total (Attackers have the power to disable or disrupt network connectivity).
## Remediation
### Patches
Cisco has released software updates to address this vulnerability. Organizations should migrate to the following fixed releases or later:
- Cisco Catalyst SD-WAN 20.6.x (Fixed in 20.6.3.1 and later)
- Cisco Catalyst SD-WAN 20.9.x (Fixed in 20.9.3.2 and later)
- Cisco Catalyst SD-WAN 20.12.x (Fixed in 20.12.1 and later)
### Workarounds
- Restrict access to management interfaces using Access Control Lists (ACLs).
- Ensure management traffic is isolated to a dedicated Management VPN or Out-of-Band (OOB) network.
- Disable internet-facing management access wherever possible.
## Detection
- **Indicators of Compromise:** Unusual administrative logins from unknown IP addresses, unauthorized configuration changes, or the presence of suspicious files in the underlying OS.
- **Detection methods and tools:** Review Cisco Talos Intelligence reports (UAT-8616) for specific forensic signatures. Monitor system logs for authentication bypass attempts and audit all administrative account activities.
## References
- Cisco Security Advisory: [https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk]
- Cisco Talos Blog: [https://blog.talosintelligence.com/uat-8616-sd-wan/]
- TechCrunch Report: [https://techcrunch.com/2026/02/26/cisco-says-hackers-have-been-exploiting-a-critical-bug-to-break-into-big-customer-networks-since-2023/]