Active threat profile

Type: Nation-State
Threat level: Critical
Status: Active
Origin: China — attributed
Last updated: 2026-03-13

UAT-8616

also known as: UAT-8616 (Cisco Talos designation)

A highly sophisticated threat actor that silently exploited a maximum-severity Cisco SD-WAN zero-day vulnerability (CVE-2026-20127, CVSS 10.0) for at least three years before discovery, targeting critical infrastructure organizations globally. The exploit allows unauthenticated remote attackers to bypass authentication and gain administrative control over an organization's entire SD-WAN fabric. The campaign was discovered by the Australian Signals Directorate and triggered a coordinated Five Eyes emergency response, a CISA Emergency Directive (ED 26-03), and mandatory 24-hour federal patching requirements — making it one of the highest-priority network infrastructure threats disclosed in 2026.

Attributed origin: China (attributed)
Suspected sponsor: State-sponsored (unspecified)
First observed: ~2023 (confirmed exploitation)
Primary motivation: Espionage / infrastructure access
Primary targets: Network infrastructure, Critical infrastructure, Government
Zero-day exploited: CVE-2026-20127 (CVSS 10.0)
MITRE ATT&CK group: Unassigned
Target regions: Global — Five Eyes + CI sectors
Threat level: CRITICAL

Overview

UAT-8616 is a threat cluster tracked by Cisco Talos, described with high confidence as a "highly sophisticated cyber threat actor." The group came to public attention on February 25, 2026, when Cisco disclosed that attackers had been actively exploiting a previously unknown authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage). The vulnerability — CVE-2026-20127 — carries the maximum possible CVSS score of 10.0.

What makes UAT-8616 exceptionally dangerous is not just the vulnerability itself, but the operational discipline demonstrated by the campaign. Evidence gathered by the Australian Signals Directorate (ASD) and Cisco Talos confirms that exploitation began no later than 2023 — meaning the actor maintained silent, persistent access to victim SD-WAN infrastructure for at least three years before discovery. As Rapid7's director of vulnerability intelligence noted, the multi-year gap between initial exploitation and detection suggests "highly controlled operations" aligned "more closely with state-sponsored espionage tradecraft than financially motivated crime."

The attack chain is surgical. First, CVE-2026-20127 is exploited to bypass authentication and gain administrative privileges. The attacker then creates a rogue peer device joined to the network management plane (control plane) of the victim's SD-WAN. From this position, the attacker can manipulate controller-to-device communications, alter network configurations across the entire SD-WAN fabric, and establish persistent access. To escalate to full root access, the attacker downgrades the software version to one vulnerable to CVE-2022-20775 (a known privilege escalation flaw), exploits it for root, then restores the original software version — effectively covering their tracks. This deliberate version manipulation demonstrates deep knowledge of Cisco product versioning and patch history.

The disclosure triggered an unprecedented coordinated response: all Five Eyes intelligence agencies (Australia, Canada, New Zealand, the UK, and the US) issued a joint advisory, CISA published Emergency Directive 26-03 with mandatory 24-hour patching requirements for federal agencies, and both CVE-2026-20127 and CVE-2022-20775 were added to the Known Exploited Vulnerabilities catalog. Cisco confirmed there are no workarounds — only a full upgrade addresses the flaw.

Critical

Any Cisco Catalyst SD-WAN Controller or SD-WAN Manager system that has been exposed to the internet with open ports is at risk of compromise. Cisco has confirmed there are no workarounds — the only remediation is a full software upgrade. Organizations should assume compromise if systems were internet-exposed and conduct forensic analysis of SD-WAN logs dating back to 2023.

Target Profile

UAT-8616's targeting reflects a strategic interest in network infrastructure that provides broad access to high-value organizations.

  • Network infrastructure: The primary target. Cisco Catalyst SD-WAN controllers and managers are deployed across enterprise and government networks worldwide. Compromising the SD-WAN control plane gives an attacker the ability to manipulate routing, intercept traffic, and access every site connected to the fabric.
  • Critical infrastructure sectors: CISA and Cisco Talos confirmed that the targeting includes critical infrastructure organizations. The specific sectors have not been publicly enumerated, but the Five Eyes emergency response indicates targeting across multiple allied nations.
  • Government and federal networks: CISA's emergency directive specifically addresses federal civilian executive branch agencies, and CISA's executive assistant director confirmed that "threat actors are actively attempting to access and potentially compromise federal networks."
  • Global scope: The Five Eyes joint advisory and the involvement of all five allied intelligence agencies (ASD-ACSC, CCCS, NCSC-NZ, NCSC-UK, CISA/NSA/FBI) confirm the campaign has a multi-country footprint across critical infrastructure globally.

Tactics, Techniques & Procedures

MITRE ID, technique and description:

  • T1190 Exploit Public-Facing Application: Primary initial access via CVE-2026-20127 (CVSS 10.0), an authentication bypass in the Cisco Catalyst SD-WAN Controller peering mechanism. Crafted requests are sent to gain administrative privileges without authentication.
  • T1078.001 Valid Accounts: Default Accounts: Exploitation grants access as an internal, high-privileged, non-root user account (vmanage-admin). This built-in account provides access to NETCONF for SD-WAN fabric manipulation.
  • T1601.001 Modify System Image: Patch System Image: Signature technique. Downgrades the SD-WAN software version to a release vulnerable to CVE-2022-20775, exploits it for root privilege escalation, then restores the original version to cover tracks. Demonstrates deep knowledge of product versioning.
  • T1068 Exploitation for Privilege Escalation: CVE-2022-20775 is exploited after the deliberate version downgrade to escalate from administrative to root access on the underlying operating system.
  • T1556 Modify Authentication Process: Creates rogue peer devices joined to the SD-WAN control plane, establishing unauthorized persistent access to the network management infrastructure.
  • T1565.002 Data Manipulation: Transmitted Data: NETCONF access enables manipulation of network configuration across the entire SD-WAN fabric, including routing changes, device configurations, and controller-to-device communications.
  • T1070 Indicator Removal: Clears or truncates logs, removes bash_history and cli-history, deletes malicious user accounts after use, and leaves abnormally small (0-2 byte) log files. Unauthorized SSH keys are deployed and later removed.
  • T1098.004 Account Manipulation: SSH Authorized Keys: Deploys unauthorized SSH keys to /home/root/.ssh/authorized_keys and /home/vmanage-admin/.ssh/authorized_keys, with PermitRootLogin set to "yes" for persistent root access.

Known Campaigns

Cisco SD-WAN Global Exploitation Campaign (2023 – 2026)

Multi-year exploitation of CVE-2026-20127 (CVSS 10.0) against Cisco Catalyst SD-WAN infrastructure globally. The actor created rogue peers on victim control planes, escalated to root via a deliberate software version downgrade exploiting CVE-2022-20775, and maintained silent persistent access for at least three years. Discovered by the Australian Signals Directorate in late 2025. Triggered the Five Eyes joint advisory, CISA Emergency Directive 26-03, and mandatory 24-hour federal patching on February 25, 2026.


Tools & Malware

UAT-8616's operational approach relies on exploiting the target infrastructure itself rather than deploying external malware — a hallmark of sophisticated network-layer operations.

  • CVE-2026-20127 exploit: Zero-day authentication bypass targeting the peering mechanism in Cisco Catalyst SD-WAN Controller. Sends crafted requests to gain administrative privileges as the high-privileged vmanage-admin account without any authentication.
  • Software version downgrade chain: After initial access, the actor deliberately downgrades the SD-WAN software to a version vulnerable to CVE-2022-20775, exploits that for root escalation, then restores the original version. This is a custom exploitation technique requiring detailed knowledge of Cisco versioning and patch history.
  • NETCONF manipulation: Uses the legitimate NETCONF protocol (accessible via the compromised vmanage-admin account) to manipulate SD-WAN fabric configuration, alter routing, and modify device settings across all connected sites.
  • Rogue SD-WAN peer devices: Creates unauthorized peer devices joined to the victim's control plane, enabling persistent monitoring and manipulation of the entire SD-WAN network without deploying traditional malware.
  • SSH key persistence: Deploys unauthorized SSH authorized_keys to root and vmanage-admin accounts, enables PermitRootLogin, and maintains access through legitimate remote administration channels.
  • Anti-forensics: Systematic clearing of logs, bash_history, cli-history, and user account artifacts. Leaves characteristically small log files (0-2 bytes) as a forensic indicator.

Mitigation & Defense

CISA Emergency Directive 26-03 mandates the following actions for federal agencies. All organizations running Cisco SD-WAN should follow the same guidance.

  • Patch immediately: Upgrade all Cisco Catalyst SD-WAN Controller and Manager systems to a fixed release. There are no workarounds for CVE-2026-20127. CISA's directive requires patching within 24 hours for federal agencies.
  • Inventory all SD-WAN systems: Identify every Cisco SD-WAN controller and manager deployment in your environment, including those managed by third parties or MSPs.
  • Hunt for unauthorized peering events: Check SD-WAN logs for any control connection peering event, as this is the primary indicator of initial access via CVE-2026-20127. Look for unexpected peers that do not match your configured System IPs.
  • Audit SSH keys and accounts: Review /home/root/.ssh/authorized_keys and /home/vmanage-admin/.ssh/authorized_keys for unauthorized entries. Check that PermitRootLogin is not set to "yes" in /etc/ssh/sshd_config.
  • Check for log anomalies: Look for abnormally small logs (0-2 bytes), absent bash_history or cli-history, evidence of log truncation, and creation/deletion patterns for user accounts that do not correspond to legitimate administrative activity.
  • Audit /var/log/auth.log: Search for entries showing "Accepted publickey for vmanage-admin" from unknown or unauthorized IP addresses. Cross-reference against configured System IPs in the SD-WAN Manager web UI.
  • Implement Cisco's hardening guide: Follow the Cisco Catalyst SD-WAN Hardening Guide for defense-in-depth configuration. Restrict management plane access, segment control plane from data plane, and enforce strict peer authentication policies.
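
As an added example (not part of this profile, nor Cisco or CISA tooling), the auth.log, sshd_config and log-size checks from the hunting steps above, written as a small offline Python triage script. The sample auth.log lines, the System IP allowlist and the file sizes are constructed placeholders; on a real system you would feed it the exported /var/log/auth.log, /etc/ssh/sshd_config and the sizes of the log files under /var/log.

```python
import re

# Constructed sample auth.log lines (not from any real system), in the
# format sshd writes to /var/log/auth.log on the appliance.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:07 vmanage sshd[2201]: Accepted publickey for vmanage-admin from 10.1.1.10 port 50122 ssh2: RSA SHA256:aaaa
Mar 10 02:15:31 vmanage sshd[2290]: Accepted publickey for vmanage-admin from 203.0.113.45 port 41900 ssh2: RSA SHA256:bbbb
Mar 10 02:16:02 vmanage sshd[2311]: Accepted password for admin from 10.1.1.20 port 50130 ssh2
Mar 10 02:17:44 vmanage sshd[2350]: Accepted publickey for root from 198.51.100.7 port 39012 ssh2: RSA SHA256:cccc
"""

# Hypothetical allowlist: the System IPs configured in SD-WAN Manager.
KNOWN_SYSTEM_IPS = {"10.1.1.10", "10.1.1.20"}

# Matches the "Accepted <method> for <user> from <ip> port <n>" form sshd logs.
ACCEPT_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+")

def flag_unexpected_logins(auth_log: str, known_ips: set, users=("vmanage-admin", "root")) -> list:
    """Accepted logins for the watched accounts whose source IP is not a known System IP."""
    hits = []
    for line in auth_log.splitlines():
        m = ACCEPT_RE.search(line)
        if not m or m.group("user") not in users:
            continue
        if m.group("ip") not in known_ips:
            hits.append({"user": m.group("user"), "ip": m.group("ip"),
                         "method": m.group("method"), "line": line})
    return hits

def permit_root_login_enabled(sshd_config: str) -> bool:
    """True if the first active (uncommented) PermitRootLogin directive is 'yes'.
    sshd honours the first occurrence of a keyword, so later values are ignored."""
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0].lower() == "permitrootlogin":
            return len(parts) > 1 and parts[1].lower() == "yes"
    return False

def suspiciously_small_logs(sizes: dict, max_bytes: int = 2) -> list:
    """Names of log files of 0-2 bytes, the truncation indicator described above.
    `sizes` maps file name to size in bytes as collected from /var/log."""
    return sorted(name for name, size in sizes.items() if size <= max_bytes)

if __name__ == "__main__":
    for hit in flag_unexpected_logins(SAMPLE_AUTH_LOG, KNOWN_SYSTEM_IPS):
        print(f"REVIEW: {hit['user']} login via {hit['method']} from {hit['ip']}")
    print("PermitRootLogin yes:", permit_root_login_enabled("PermitRootLogin yes\n"))
    print("Truncated logs:", suspiciously_small_logs({"auth.log": 0, "messages": 4096}))
```

A hit for vmanage-admin or root from an address outside the configured System IPs is a lead, not proof; confirm it against peering events and account creation/deletion timelines before declaring compromise.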

Analyst Note

Neither the Five Eyes agencies nor Cisco publicly attributed UAT-8616 to a specific nation-state. However, the operational characteristics — three years of silent exploitation, surgical version downgrade tradecraft, targeting of critical infrastructure across allied nations, and the unprecedented Five Eyes coordination — are consistent with state-sponsored espionage by a top-tier adversary. The fact that this disclosure occurred during a U.S. Department of Homeland Security shutdown, with CISA operating under reduced staffing and without pay, adds operational context. CISA's executive assistant director stated that despite the shutdown, the agency "remains fully committed to protecting federal networks from a malicious separate threat" — language that underscores the severity with which this campaign is being treated at the highest levels of government.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile