Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities SecurityWeek

Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited

The critical Cisco Catalyst SD-WAN Manager vulnerability CVE-2026-20127 (CVSS 10.0) is now being exploited widely in combination with CVE-2022-20775 to bypass authentication, escalate privileges, and deploy webshells. Affected versions are Cisco Catalyst SD-WAN Manager before 20.9.8.2, 20.11 through 20.12.5.3, 20.13 through 20.15.4.2, and 20.16 through 20.18.2.1, as well as version 20.12.6. Cisco has released fixed versions 20.9.8.2, 20.12.5.3, 20.15.4.2, and 20.18.2.1 for the respective affected branches.

WatchTowr reports seeing exploitation attempts for CVE-2026-20127 from numerous unique IP addresses.

By Eduard Kovacs | March 8, 2026 (7:15 AM ET)

Exposure management company WatchTowr reports that a recent Cisco Catalyst SD-WAN vulnerability, initially exploited as a zero-day, is now being used more frequently by threat actors.

The in-the-wild exploitation of four Cisco Catalyst SD-WAN vulnerabilities came to light in recent weeks. One of them is CVE-2026-20127, which had been exploited as a zero-day in combination with an older vulnerability, CVE-2022-20775, to bypass authentication, escalate privileges, and establish persistence on systems.

Cisco Talos linked the attacks to UAT-8616, a highly sophisticated threat actor of unspecified origin and motivation that has been active since at least 2023.

WatchTowr’s head of proactive threat intelligence, Ryan Dewhurst, told SecurityWeek that the pace of exploitation for CVE-2026-20127 has — unsurprisingly — escalated quickly.

“This is no longer targeted activity that was described previously, but now internet-wide and growing,” Dewhurst said.

“In total, the watchTowr proactive threat intelligence team has seen exploitation attempts from numerous unique IP addresses and observed threat actors deploying webshells,” he explained. “The largest spike in activity occurred on March 4, with attacks widely spread across various regions worldwide, and U.S.-based areas saw slightly higher activity than others.”

The expert warned, “We expect activity to continue as part of the typical long tail of exploitation, as more threat actors become involved,” adding, “With mass and opportunistic exploitation at play, any exposed system should be considered compromised until proven otherwise.”

Cisco this week updated a February 25 advisory to inform customers about the exploitation of two additional Catalyst SD-WAN vulnerabilities, which can be exploited by authenticated attackers for privilege escalation: CVE-2026-20128 and CVE-2026-20122.

The company has not shared any details on the attacks exploiting these vulnerabilities, but its description indicates they have been chained with other flaws.

It’s unclear if the same threat actor is behind all of the campaigns targeting Catalyst SD-WAN vulnerabilities.

Cisco recently warned that a zero-day in Secure Email Gateway appliances had been exploited by China-linked hackers, but again, it’s unclear if the attacks are in any way related.