Cisco Talos disclosed that a highly sophisticated threat actor exploited a critical authentication bypass vulnerability in Cisco SD-WAN infrastructure for at least three years before security researchers discovered the zero-day attacks.

The vulnerability, tracked as CVE-2026-20127 with a maximum CVSS severity score of 10.0, allowed unauthenticated remote attackers to gain administrative privileges and add malicious rogue peers to enterprise networks.

Cisco Talos tracks the exploitation activity to UAT-8616, assessing with high confidence that a sophisticated cyber threat actor conducted the campaign targeting network edge devices to establish persistent footholds into high-value organiza...