Threat Actor UAT-8616 Targets Enterprise Networks via SD-WAN Flaw

Cisco Talos reports that a highly sophisticated cyber threat actor, tracked as UAT-8616, is actively exploiting a critical vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN Controller (formerly known as vSmart). This vulnerability can allow a remote attacker to bypass authentication and gain administrative access on the affected system simply by sending a crafted request.

Key Points:

• What’s Happening?
UAT-8616 has been observed exploiting the SD-WAN controller vulnerability in the wild. Evidence suggests the malicious activity may go back as far as 2023, and the actor has previously escalated privileges through an older flaw (CVE-2022-20775), abusing software version downgrades in the process.

• Who is UAT-8616?
Talos assesses this actor with high confidence as highly sophisticated. The group’s behavior and targets are consistent with attackers seeking persistent footholds in high-value network environments.

• Trend in Targeting Network Edge Devices
This campaign is part of a larger trend in which adversaries focus on network edge devices (such as SD-WAN infrastructure) to establish initial access and persistence within organizations, including those in critical infrastructure sectors.

• Indicators and Detection Tips:
Talos provides detailed guidance for defenders, such as monitoring for unusual control-connection peering events in SD-WAN logs and validating the source and timing of those connections against expected network behavior. It also lists forensic signs of compromise, including unauthorized SSH keys, cleared logs, and unexpected software downgrades.

• Mitigation & Recommendations:
Customers using Cisco Catalyst SD-WAN are urged to:

  • Apply security patches and follow official Cisco hardening guides.
  • Use threat hunting and detection guidance from Cisco and partner advisories.
  • Investigate and validate anomalous SD-WAN events promptly.

Talos also notes that it is sharing Snort signature coverage to help defenders detect related activity.
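The detection tips above (unexpected peering sources and timing, unauthorized SSH keys, software downgrades) can be turned into simple triage checks. The script below is an added example written for this summary, not code from Cisco or Talos. Its log format is constructed and deliberately simplified; real Cisco Catalyst SD-WAN syslog and vManage event formats differ, so the regex and field names are assumptions that must be adapted to the logs you actually collect. The fabric address range, change window, and SSH key material are likewise constructed for illustration.

```python
"""Triage checks for SD-WAN controller compromise indicators.

Constructed example, not Cisco or Talos code. The log format, fabric ranges,
change window and SSH keys below are all hypothetical and must be adapted.
"""
import re
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample events in a simplified, made-up format (NOT Cisco's real syslog).
SAMPLE_LOG = """\
2026-01-14T02:10:05Z vsmart1 control-connection peer=vbond1 peer-ip=10.0.0.10 state=up
2026-01-14T02:11:40Z vsmart1 control-connection peer=vedge-site3 peer-ip=10.0.3.2 state=up
2026-01-14T14:22:19Z vsmart1 control-connection peer=vedge-x peer-ip=198.51.100.77 state=up
2026-01-14T14:25:02Z vsmart1 software install version=20.6.3 previous=20.12.1
2026-01-14T14:26:11Z vsmart1 control-connection peer=vedge-site3 peer-ip=10.0.3.2 state=down
"""

# Assumed baseline: address ranges legitimate fabric peers come from, and the UTC
# change window in which peering changes are expected to occur.
EXPECTED_PEER_NETS = [ip_network("10.0.0.0/8")]
CHANGE_WINDOW = (time(1, 0), time(5, 0))

# Constructed authorized_keys content: the approved baseline vs. what is on the box.
BASELINE_KEYS = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBaselineKey0001 netops@bastion",
]
CURRENT_KEYS = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBaselineKey0001 netops@bastion",
    "ssh-rsa AAAAB3NzaC1yc2EConstructedUnknownKey0002 root@unknown",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>control-connection|software install) (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one constructed-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "host": m.group("host"),
        "event": m.group("event"),
        **fields,
    }


def in_window(ts, window):
    start, end = window
    return start <= ts.time() <= end


def audit_peering(log_text, expected_nets=EXPECTED_PEER_NETS, window=CHANGE_WINDOW):
    """Flag control-connection events whose peer is outside the known fabric ranges
    or whose timing falls outside the expected change window."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or ev["event"] != "control-connection":
            continue
        peer_ip = ip_address(ev["peer-ip"])
        if not any(peer_ip in net for net in expected_nets):
            findings.append(("unexpected-peer-source", ev["peer"], ev["peer-ip"]))
        if not in_window(ev["ts"], window):
            findings.append(("peering-change-outside-window", ev["peer"], ev["ts"].isoformat()))
    return findings


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def audit_downgrades(log_text):
    """Flag software installs where the new version is lower than the previous one."""
    return [
        (ev["host"], ev["previous"], ev["version"])
        for ev in map(parse_line, log_text.splitlines())
        if ev and ev["event"] == "software install"
        and version_tuple(ev["version"]) < version_tuple(ev["previous"])
    ]


def audit_authorized_keys(current_keys, baseline_keys):
    """Return key lines present on the device but absent from the approved baseline.
    Only key type and blob are compared; the trailing comment is ignored."""
    def norm(k):
        return " ".join(k.split()[:2])
    baseline = {norm(k) for k in baseline_keys}
    return [k for k in current_keys if norm(k) not in baseline]


if __name__ == "__main__":
    for f in audit_peering(SAMPLE_LOG):
        print("PEERING", *f)
    for f in audit_downgrades(SAMPLE_LOG):
        print("DOWNGRADE", *f)
    for k in audit_authorized_keys(CURRENT_KEYS, BASELINE_KEYS):
        print("UNKNOWN-KEY", k)
```

Run against the constructed sample, the peering audit reports the peer from 198.51.100.77 twice (unknown source and outside the window), the site-3 state change at 14:26 once (outside the window), the downgrade audit reports the 20.12.1 to 20.6.3 install, and the key audit reports the unknown `ssh-rsa` entry. Cleared logs, the remaining indicator from the report, show up as an absence rather than an event; the practical check is a gap in the timestamp sequence of whatever log store you forward to, which this script does not attempt.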