Critical Cisco SD-WAN vulnerability exploited since 2023
Briefly

"The zero-day in Cisco Catalyst SD-WAN is being actively exploited, according to Cisco's security arm Talos. The research team discovered that attackers are using this vulnerability to compromise controllers and connect malicious peers to target networks. The group UAT-8616, which is not yet known, has been exploiting the flaw since at least 2023."
"The problem lies in the peering authentication mechanism. According to the National Vulnerability Database (NVD), peering authentication is not working properly. This allows malicious actors to gain access to affected Cisco Catalyst SD-WAN Controllers via specially crafted requests. They then log in as an internal, privileged, non-root user account."
"This account gives attackers access to NETCONF. This access allows them to manipulate network configurations for the SD-WAN fabric. The severity of the vulnerability is also evident from the attack method: UAT-8616 would start by downgrading the SD-WAN solution to an older, vulnerable version. After gaining root access, the criminals restore the original firmware version to cover their tracks."
Cisco Catalyst SD-WAN contains a critical vulnerability in its peering authentication mechanism that has been actively exploited since at least 2023 by the group UAT-8616. The flaw allows attackers to bypass authentication, gain access to controllers as privileged users, and obtain NETCONF access to manipulate network configurations. Attackers exploit this by downgrading the SD-WAN solution to vulnerable versions, gaining root access, then restoring original firmware to hide their activities. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, mandating that US Federal Civilian Executive Branch agencies patch within two days instead of the standard three weeks. Organizations must urgently migrate to patched versions 20.9.8.2, 20.12.6.1, or newer.
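The downgrade-then-restore behaviour described above leaves a recognisable pattern in a controller's software version history. The following is an added example, not code from Cisco, Talos or Techzine: it flags a downgrade that is followed shortly by a return to the earlier version. The event format, the 24-hour window, the sample versions and the grouping of the fixed releases by release train are assumptions of this example.

```python
from datetime import datetime, timedelta

# Fixed releases named on the page. Keying them by release train
# (first two version components) is an assumption of this example.
FIXED = {(20, 9): (20, 9, 8, 2), (20, 12): (20, 12, 6, 1)}

def parse_version(text):
    """'20.9.5' -> (20, 9, 5, 0); padded so tuples compare component-wise."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def is_patched(version):
    """True/False for trains with a listed fix, None for any other train."""
    fixed = FIXED.get(version[:2])
    return None if fixed is None else version >= fixed

def find_downgrade_restore(events, window=timedelta(hours=24)):
    """Return (downgrade_time, restore_time, low_version) for every downgrade
    followed within `window` by a return to the prior version or newer."""
    history = sorted(
        (datetime.fromisoformat(ts), parse_version(v), v) for ts, v in events
    )
    findings = []
    for i in range(1, len(history)):
        before = history[i - 1][1]
        t_down, low, low_text = history[i]
        if low >= before:
            continue  # upgrade or unchanged version
        for t_up, later, _ in history[i + 1:]:
            if t_up - t_down > window:
                break  # restore came too late to count as a quick rollback
            if later >= before:
                findings.append((t_down, t_up, low_text))
                break
    return findings

# Constructed sample: active-version changes recorded for one controller.
SAMPLE = [
    ("2025-01-10T02:00:00", "20.12.6.1"),
    ("2025-03-04T01:12:00", "20.9.5"),      # unexpected downgrade
    ("2025-03-04T03:40:00", "20.12.6.1"),   # original version restored
    ("2025-06-01T09:00:00", "20.12.7"),     # ordinary later upgrade
]

if __name__ == "__main__":
    for down, up, low in find_downgrade_restore(SAMPLE):
        status = is_patched(parse_version(low))
        print(f"downgrade to {low} at {down}, restored at {up}, patched={status}")
```

A finding is a lead for investigation rather than proof of compromise, since a planned rollback produces the same sequence; correlate it with change records before escalating.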
Read at Techzine Global