Cisco SD-WAN Zero-Day Under Exploitation for 3 Years
Summary
A zero-day vulnerability, CVE-2026-20127, in Cisco SD-WAN has been under exploitation for three years by a sophisticated, unknown threat actor. The vulnerability is rated at maximum severity, and the attacker left very little trace of their activity on the affected systems.
IFF Assessment
Three years of undetected exploitation of a maximum-severity flaw is bad news for defenders: any exposed deployment has to be treated as potentially compromised for that entire period, and applying the patch closes the entry point without undoing an intrusion that may already have taken place.
Severity
Defender Context
Defenders should patch immediately, then investigate their Cisco SD-WAN deployments for signs of compromise rather than treating a patched device as a clean one. Because the attacker left very little evidence on the devices themselves, the investigation has to lean on telemetry that lives off the box: authentication and configuration-change records, network flows to and from the SD-WAN controllers and edges, and whatever integrity data is available for the devices. The same gap drives the longer-term requirement: detection that can surface a low-noise intrusion sustained over years, which means baselining normal management-plane activity and hunting for deviations from it, not only matching known indicators.
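The baseline-and-deviate hunting approach described above, as an added example that is not part of the original advisory and not Cisco's tooling. The event schema and the sample records are constructed for illustration only; they are not a real Cisco SD-WAN log format and carry no indicators tied to CVE-2026-20127. The function names (`build_baseline`, `hunt`, `run_sample`) and the cutoff date are assumptions of this example.

```python
"""
Added example (not from the original advisory): a minimal long-dwell hunting
pass over management-plane events for an SD-WAN controller.

The records in SAMPLE_EVENTS are CONSTRUCTED and use a hypothetical,
simplified schema (ts, kind, user, src). They are not Cisco's log format.
The point is the one a multi-year intrusion forces on defenders: on-box
evidence may be gone, so build a baseline of normal management-plane
behaviour from out-of-band telemetry and flag what departs from it.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: AAA logins and configuration commits on one controller.
SAMPLE_EVENTS = [
    # Baseline period (assumed clean; see caveat in hunt()).
    {"ts": "2025-01-05T09:12:00", "kind": "login",         "user": "netops",     "src": "10.0.5.10"},
    {"ts": "2025-01-05T09:15:00", "kind": "config_commit", "user": "netops",     "src": "10.0.5.10"},
    {"ts": "2025-01-12T14:30:00", "kind": "login",         "user": "netops",     "src": "10.0.5.11"},
    {"ts": "2025-01-20T16:02:00", "kind": "config_commit", "user": "netops",     "src": "10.0.5.11"},
    # Hunt period.
    {"ts": "2025-02-03T09:40:00", "kind": "login",         "user": "netops",     "src": "10.0.5.10"},
    {"ts": "2025-02-03T09:44:00", "kind": "config_commit", "user": "netops",     "src": "10.0.5.10"},
    {"ts": "2025-02-10T14:05:00", "kind": "login",         "user": "netops",     "src": "203.0.113.44"},
    {"ts": "2025-02-10T14:07:00", "kind": "config_commit", "user": "svc-backup", "src": "203.0.113.44"},
    {"ts": "2025-02-17T03:10:00", "kind": "config_commit", "user": "netops",     "src": "10.0.5.11"},
]

# Assumed boundary between the baseline window and the window being hunted.
CUTOFF = datetime(2025, 2, 1)


def parse_ts(value):
    """Parse the ISO-8601 timestamp used by the constructed schema."""
    return datetime.fromisoformat(value)


def build_baseline(events, cutoff):
    """Summarise pre-cutoff activity: sources per user, users who commit
    configuration, and the hours of day at which anyone touches the device."""
    base = {"sources": defaultdict(set), "committers": set(), "hours": set()}
    for e in events:
        ts = parse_ts(e["ts"])
        if ts >= cutoff:
            continue
        base["sources"][e["user"]].add(e["src"])
        if e["kind"] == "config_commit":
            base["committers"].add(e["user"])
        base["hours"].add(ts.hour)
    return base


def hunt(events, cutoff):
    """Return (reason, user, src, ts) tuples for post-cutoff events that
    deviate from the baseline. Three cheap checks that need no on-box
    artefacts: an unseen source for a user, a user who never committed
    configuration before, and activity at an hour never seen before.

    Caveat: with an intrusion that ran for years, the baseline window itself
    may contain attacker activity. Push the cutoff as far back as retention
    allows, and treat an empty result as absence of evidence, not proof of
    a clean environment."""
    base = build_baseline(events, cutoff)
    findings = []
    for e in events:
        ts = parse_ts(e["ts"])
        if ts < cutoff:
            continue
        if e["src"] not in base["sources"].get(e["user"], set()):
            findings.append(("new_source", e["user"], e["src"], e["ts"]))
        if e["kind"] == "config_commit" and e["user"] not in base["committers"]:
            findings.append(("new_committer", e["user"], e["src"], e["ts"]))
        if ts.hour not in base["hours"]:
            findings.append(("off_hours", e["user"], e["src"], e["ts"]))
    return findings


def run_sample():
    """Run the hunt over the constructed sample with the assumed cutoff."""
    return hunt(SAMPLE_EVENTS, CUTOFF)


if __name__ == "__main__":
    for reason, user, src, ts in run_sample():
        print(f"{ts} {reason:14} user={user} src={src}")
```

On the constructed sample the routine stays silent on the routine February commits from the known operator and sources, and flags the login from an unseen address, the configuration commit by an account that had never committed before, and a commit at 03:00 when all baseline activity was in working hours. None of these is proof of compromise; they are the leads an analyst pulls on when the device itself has nothing left to say.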