
"This is no longer targeted activity that was described previously, but now internet-wide and growing. In total, the watchTowr proactive threat intelligence team has seen exploitation attempts from numerous unique IP addresses and observed threat actors deploying webshells. The largest spike in activity occurred on March 4, with attacks widely spread across various regions worldwide, and U.S.-based areas saw slightly higher activity than others."
"We expect activity to continue as part of the typical long tail of exploitation, as more threat actors become involved. With mass and opportunistic exploitation at play, any exposed system should be considered compromised until proven otherwise."
"One of them is CVE-2026-20127, which had been exploited as a zero-day in combination with an older vulnerability, CVE-2022-20775, to bypass authentication, escalate privileges, and establish persistence on systems. Cisco Talos linked the attacks to UAT-8616, a highly sophisticated threat actor of unspecified origin and motivation that has been active since at least 2023."
watchTowr reports escalating exploitation of Cisco Catalyst SD-WAN vulnerabilities, particularly CVE-2026-20127, which has transitioned from targeted zero-day attacks to widespread internet-wide activity. The vulnerability was initially chained with the older CVE-2022-20775 to bypass authentication, escalate privileges, and establish persistence. Cisco Talos attributed the initial attacks to UAT-8616, a sophisticated threat actor active since at least 2023. Exploitation attempts now originate from numerous unique IP addresses, with threat actors deploying webshells. Peak activity occurred on March 4, with attacks distributed globally and slightly higher concentration in U.S.-based areas. Cisco identified two additional vulnerabilities, CVE-2026-20128 and CVE-2026-20122, exploitable by authenticated attackers for privilege escalation. Security experts warn that any exposed system should be considered compromised until proven otherwise and expect exploitation to continue as more threat actors become involved.
#cisco-catalyst-sd-wan-vulnerabilities #zero-day-exploitation #threat-actor-activity #cybersecurity-threats #privilege-escalation
Read at SecurityWeek