AISEC > Security News > Zero Day > Cisco SD-WAN Zero-Day Exploited 3 Years Undetected
February 26, 2026 #zero-day Source: Dark Reading 2 min read · 543 words

Cisco SD-WAN Zero-Day Under Exploitation for 3 Years

Нульова вразливість Cisco SD-WAN експлуатується протягом 3 років

Three Years of Silence

Picture this: a vulnerability so stealthy that a sophisticated threat actor has been actively exploiting it for approximately three years. Not months. Years. And nobody really noticed.

That's the reality facing Cisco customers right now, according to Dark Reading's reporting on CVE-2026-20127—a maximum-severity zero-day in Cisco SD-WAN infrastructure that's been under active exploitation with what security researchers are describing as minimal forensic evidence left behind.

The timeline is the first thing that hits you. We're not talking about a fresh discovery with immediate patching. This vulnerability has been a working tool in a skilled threat actor's arsenal since approximately 2023. The real question is: how many organizations are still running vulnerable instances without even knowing it?

The Discovery

Dark Reading first reported the vulnerability after it came to light through what appears to be routine threat intelligence operations. The disclosure itself represents a significant moment—researchers finally connected the dots on a campaign that had been flying under the radar precisely because the attacker left almost no forensic breadcrumbs.

That's extraordinarily rare.

Most zero-day exploits eventually surface because they leave traces. Log entries. Network artifacts. Something. But this one? Whoever's behind it understands SD-WAN infrastructure deeply enough to operate with near-surgical precision. The minimal forensic evidence isn't luck. It's skill.

Technical Analysis

CVE-2026-20127 is classified as maximum severity, which in CVSS terms means we're talking remote code execution, authentication bypass, or similar—the kind of vulnerability that lets an attacker do essentially whatever they want on an affected system.

SD-WAN solutions sit at a critical junction in network architecture. They're the intelligent traffic managers sitting between branch offices and data centers, handling authentication, routing decisions, and security policies. Compromise one, and you're looking at potential visibility into the entire network traffic flow. Maybe more.

The attacker's three-year runway suggests they weren't just poking around. This was methodical. Long-term access. Persistent intelligence gathering. The kind of campaign that benefits from time and patience rather than flashy exploitation techniques.

Damage Assessment

Here's what we don't know yet: how many organizations were actually compromised?

Cisco hasn't released comprehensive victim numbers, and frankly, that's concerning. Given the three-year window and the sophistication required to exploit this without detection, the number is probably higher than anyone's comfortable discussing publicly right now. Cisco customers—especially enterprises using SD-WAN as backbone infrastructure—need to assume they're potentially in scope.

And then there's the intelligence angle. If this threat actor had three years of quiet access to SD-WAN infrastructure at major organizations, they had three years to steal data, establish persistence, monitor communications, or position themselves for lateral movement.

This is particularly nasty because SD-WAN isn't some peripheral system. It's foundational.

Mitigation

Cisco has released patches—that's the immediate action item. Organizations running affected SD-WAN versions need to prioritize updates now, not next week.

But patches alone aren't enough here. Given the three-year exploitation window, assume that if you were compromised, the attacker may have already established persistence mechanisms beyond just the zero-day itself. Treat this as a potential breach scenario: conduct forensic analysis of SD-WAN logs, check for unusual administrative access, review traffic flows for data exfiltration patterns, and verify the integrity of network configurations.

Dark Reading's reporting on this makes one thing clear: the vulnerability disclosure process caught this late. That's a hard truth for the security industry to sit with, but it's the one that matters most going forward.

Read original article →

// FAQ

What is CVE-2026-20127 and how severe is it?

CVE-2026-20127 is a maximum-severity zero-day vulnerability in Cisco SD-WAN that allows remote code execution or authentication bypass. It's been actively exploited for approximately 3 years by a sophisticated threat actor.

How long has this Cisco SD-WAN vulnerability been exploited?

The vulnerability has been under active exploitation for approximately 3 years (since around 2023), making it one of the longest-undetected zero-day campaigns affecting SD-WAN infrastructure.

What should I do if I use Cisco SD-WAN?

Apply Cisco's security patches immediately, review SD-WAN logs for suspicious activity, verify administrative access patterns, and conduct forensic analysis to check for signs of prior compromise or persistence mechanisms.

// RELATED

#zero-day Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access 2026-02-26 #zero-day US Sanctions Russian Exploit Broker Operation Zero 2026-02-26 #zero-day Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023 2026-02-25

Concerned about your project's security? Run an automated pentest with AISEC — AI-powered scanner with expert verification. Go to dashboard →