2nd March 2026 Cyber Update: Five Eyes Issue Urgent Warning on Cisco SD-WAN Zero-Day Exploited Since 2023
Five Eyes nations, led by Australia's ASD, have issued an urgent warning for a critical zero-day (CVE-2026-20127) in Cisco's SD-WAN products. The flaw, actively exploited since 2023 by a sophisticated actor, allows for complete network takeover and impacts critical infrastructure globally.
Cyber News Centre's cyber update for 2nd March 2026: Cisco has confirmed a maximum-severity vulnerability in its Catalyst SD-WAN products is under active exploitation, prompting an urgent joint advisory from the Five Eyes intelligence alliance, including the Australian Signals Directorate.
Cisco is a multinational technology conglomerate that develops, manufactures, and sells networking hardware, software, telecommunications equipment and other high-technology services and products. Its SD-WAN solutions are widely used by enterprises and governments globally to connect and secure their networks.
The Update and Why It Matters
Update: A critical, maximum-severity (CVSS 10.0) authentication bypass vulnerability, identified as CVE-2026-20127, has been actively exploited in Cisco Catalyst SD-WAN products since at least 2023. The flaw, first discovered by the Australian Signals Directorate (ASD), allows unauthenticated, remote attackers to gain administrative privileges and full control over an affected network. The threat actor, tracked as UAT-8616, is described as highly sophisticated and has been leveraging the zero-day to create rogue peer devices within victims' networks, establishing persistent access.
The attack chain involves exploiting CVE-2026-20127 for initial access, then using a previously known vulnerability (CVE-2022-20775) to escalate privileges to root. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive mandating federal agencies to patch the vulnerability immediately.
The joint advisory from the Five Eyes nations (the US, UK, Canada, Australia, and New Zealand) underscores the global reach and severity of the threat, which affects both on-premises and cloud-hosted SD-WAN deployments. Cisco has released security updates and a hardening guide, urging all customers to apply them without delay and to hunt for evidence of compromise.
"Malicious cyber threat actors are targeting Cisco Catalyst SD-WAN used by organizations globally," the UK's NCSC said.
"These actors are compromising SD-WANs to add a malicious rogue peer and then conduct a range of follow-on actions to achieve root access and maintain persistent access to the SD-WAN."
The advisory covers two vulnerabilities. The first is CVE-2022-20775 (CVSS 7.8), a path traversal vulnerability in the SD-WAN command line interface disclosed in September 2022 that allows privilege escalation.
The second is CVE-2026-20127 (CVSS 10.0), a maximum-severity bug disclosed this week. Classed as an improper authentication flaw, it affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, formerly known as SD-WAN vSmart and SD-WAN vManage respectively.
The latter is the more serious of the two, not only because of its CVSS 10.0 score but because successful exploitation grants administrative rights. Cisco said attackers could also access NETCONF and reconfigure the SD-WAN fabric at will.
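The advisory's description of the tradecraft (add a rogue peer, then escalate to root and persist) suggests one concrete hunt that organisations can run today: compare the peers the Manager currently knows about against an approved, out-of-band inventory and flag anything unknown or anything whose identity does not match. The script below is an added example written for this page; it is not Cisco's tooling, nor code from the advisory or this site. The JSON field names (`system_ip`, `hostname`, `site_id`, `serial`), the approved inventory and the sample peer export are all constructed assumptions; map whatever your real Manager export gives you onto them.

```python
import json

# Approved inventory: system IP -> (hostname, site ID, device serial).
# Constructed for this example. Maintain yours from change records, not
# from the controller itself, or a rogue peer simply becomes "approved".
APPROVED = {
    "10.0.1.1":  ("ctrl-syd-1", 100, "SN-0001"),
    "10.0.1.2":  ("ctrl-mel-1", 100, "SN-0002"),
    "10.0.2.10": ("edge-bne-1", 200, "SN-0101"),
}

# Constructed peer export. The field names are an assumption, not the
# Manager's real schema; the last two entries are the suspicious ones.
OBSERVED_JSON = """
[
  {"system_ip": "10.0.1.1",  "hostname": "ctrl-syd-1", "site_id": 100, "serial": "SN-0001"},
  {"system_ip": "10.0.1.2",  "hostname": "ctrl-mel-1", "site_id": 100, "serial": "SN-0002"},
  {"system_ip": "10.0.2.10", "hostname": "edge-bne-1", "site_id": 200, "serial": "SN-0101"},
  {"system_ip": "10.0.1.3",  "hostname": "ctrl-syd-1", "site_id": 100, "serial": "SN-9999"},
  {"system_ip": "10.0.2.10", "hostname": "edge-bne-1", "site_id": 200, "serial": "SN-7777"}
]
"""


def find_rogue_peers(observed, approved):
    """Return one finding per peer that is unknown to the inventory or
    whose identity fields (serial, hostname, site) disagree with it."""
    hostname_owner = {host: ip for ip, (host, _, _) in approved.items()}
    findings = []
    for peer in observed:
        ip, host = peer["system_ip"], peer["hostname"]
        if ip not in approved:
            reason = "system IP not in approved inventory"
            if host in hostname_owner:
                # Cloning an approved hostname is a cheap way to blend in.
                reason += f"; hostname copies approved peer {hostname_owner[host]}"
            findings.append({"system_ip": ip, "serial": peer["serial"], "reason": reason})
            continue
        exp_host, exp_site, exp_serial = approved[ip]
        if peer["serial"] != exp_serial:
            # Same system IP, different device: a second peer claiming an
            # existing identity, or a replaced box nobody recorded.
            findings.append({"system_ip": ip, "serial": peer["serial"],
                             "reason": f"serial mismatch (expected {exp_serial})"})
        elif host != exp_host or peer["site_id"] != exp_site:
            findings.append({"system_ip": ip, "serial": peer["serial"],
                             "reason": f"identity drift (expected {exp_host} at site {exp_site})"})
    return findings


def hunt(observed_json=OBSERVED_JSON, approved=APPROVED):
    """Parse the export and run the diff; returns the list of findings."""
    return find_rogue_peers(json.loads(observed_json), approved)


if __name__ == "__main__":
    for f in hunt():
        print(f"ROGUE? {f['system_ip']} serial={f['serial']}: {f['reason']}")
```

Against the constructed data this flags two peers: `10.0.1.3`, which is unknown and copies the hostname of an approved controller, and a second device on `10.0.2.10` with a serial that does not match the recorded one. A baseline diff only works if the baseline is trustworthy: an actor holding admin rights and NETCONF access on the Manager could edit any inventory stored on that same system, so keep the approved list somewhere the SD-WAN controllers cannot write to.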
Why it Matters: The three-year exploitation of a critical Cisco vulnerability by a sophisticated actor highlights a significant failure in the security of widely deployed networking infrastructure, with Australia at the forefront of discovery. The involvement of the Australian Signals Directorate in identifying the flaw underscores the nation's critical role in global cybersecurity intelligence.
For Australian organizations, particularly in government and critical infrastructure sectors that rely on Cisco's SD-WAN technology, this incident poses a direct and severe threat to national security and economic stability.
The ability of an attacker to gain persistent, root-level access allows for espionage, data exfiltration, and the potential disruption of essential services. This campaign serves as another reminder that even trusted, enterprise-grade equipment can harbour long-term, undiscovered vulnerabilities, making proactive threat hunting and rapid patching essential for maintaining a secure posture.