Cisco Catalyst SD-WAN Vulnerabilities Transition from Targeted Zero-Days to Global Mass Exploitation

WatchTowr warns of internet-wide exploitation of Cisco Catalyst SD-WAN vulnerabilities, with threat actors deploying webshells and escalating privileges.

By: AXL Media

Published: Mar 10, 2026, 7:20 AM EDT

Source: The information in this article was sourced from SecurityWeek


From Surgical Strikes to Internet-Wide Scans

The threat landscape for Cisco Catalyst SD-WAN users has shifted dramatically from targeted espionage to opportunistic mass exploitation. Exposure management firm WatchTowr reports that CVE-2026-20127—a vulnerability initially exploited as a zero-day—is now being actively probed by numerous unique IP addresses globally. While early attacks were attributed to a sophisticated threat actor tracked as UAT-8616, the current activity indicates that a broader range of cybercriminals has integrated the exploit into automated scanning tools. Security experts warn that the window for "targeted only" concern has closed, replaced by a "patch or be compromised" reality.

Sophisticated Attack Chaining and Persistence

The exploitation of CVE-2026-20127 is rarely a standalone event. Attackers are frequently chaining it with an older vulnerability, CVE-2022-20775, to achieve a complete system takeover. This combination allows unauthorized actors to bypass standard authentication, escalate their privileges to administrative levels, and establish long-term persistence on the affected devices. By deploying webshells, attackers ensure they maintain access even if certain system configurations are updated, effectively turning critical networking infrastructure into a permanent backdoor for data exfiltration or lateral movement into the broader enterprise network.

Global Spike in Activity and Regional Impact

Data from proactive threat intelligence teams shows a significant surge in exploitation attempts starting in early March 2026. The largest spike occurred on March 4, with attacks distributed across nearly every major global region. While the activity is worldwide, researchers noted a slightly higher concentration of attacks targeting U.S.-based infrastructure. Ryan Dewhurst, head of proactive threat intelligence at WatchTowr, emphasized that any exposed Cisco Catalyst SD-WAN system should now be treated as potentially compromised until a thorough forensic audit proves otherwise.
