Patching CVE-2026-20127 Isn’t Enough. How Attackers Maintain Access in Cisco SD-WAN
Security teams are patching CVE-2026-20127, but patching alone won’t remove SD-WAN persistence. Learn how attackers maintain access and how to hunt for compromise.
3/4/2026 | 7 min read


Security In Practice | CyOps Consulting Team
Threat actor cluster UAT-8616 has operated in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Manager (formerly vManage) environments since at least 2023. CVE-2026-20127 scores 10.0 on the CVSS (Common Vulnerability Scoring System) scale: an authentication bypass granting access to vSmart and vManage without valid credentials. Patching removes the access vector. It does not remove artifacts installed during a minimum three-year dwell period.
CISA (Cybersecurity and Infrastructure Security Agency) Emergency Directive 26-03, issued 25 February 2026, makes that distinction explicit. The directive does not stop at requiring patching within 48 hours. It mandates external log storage and threat hunting. Standard patch advisories do not carry that requirement. This one does, because the risk does not end at the access vector.
This article maps the UAT-8616 intrusion chain, identifies where standard detection fails, and provides a tiered response workflow for the current window.
Why patching is not enough
Patching a CVSS 10.0 authentication bypass is the correct response to a CVSS 10.0 authentication bypass. In most incidents, closing the initial access vector resolves the risk. CVE-2026-20127 does not fit that pattern.
UAT-8616 did not stop at initial access. Cisco reports that after gaining entry, the actor installed persistence: rogue peer additions, local account creation, and SSH (Secure Shell) key implants. Those artifacts exist in compromised environments independently of the vulnerability that enabled entry. Patching removes the mechanism the attacker used to get in. It does not remove what the attacker left behind. These are distinct problems. Patch management workflows address only the first.
The version downgrade and restore technique compounds the detection problem. SOC Prime reports that UAT-8616 downgraded controller software to re-enable CVE-2022-20775, a path traversal vulnerability, exploited it for root-level access, then restored the original software version. Any vulnerability scanner or CMDB (Configuration Management Database) checking the current software version will report a clean, compliant release, because the device is running one. The scan result is accurate. It answers a different question than the one that matters operationally.
UAT-8616 has been operational since at least 2023. Penligent's operational analysis confirms the failure mode directly: patching without investigation leaves the exposure window unresolved. Any environment where SD-WAN has been internet-exposed without continuous log coverage at any point since 2023 cannot confirm clean state from software version checks alone. This is the confirmed operational record, not a theoretical risk.
The intrusion chain and its log artifacts
Understanding where to look requires mapping each stage of the UAT-8616 intrusion chain to the specific log artifact it produces. The sequence below is drawn from Cisco Talos and CISA source reporting.
1. Peering authentication bypass (CVE-2026-20127): A crafted request authenticates the attacker as a high-privileged internal account without valid credentials. Log artifact: auth.log on vSmart; control-connection-state-change event.
2. Rogue peer addition: An attacker-controlled peer is registered in the SD-WAN fabric. Log artifact: vManage peering event log; fabric topology change record.
3. NETCONF session establishment: The attacker opens a session with full fabric-wide configuration access. Log artifact: NETCONF session log on vManage.
4. Software version downgrade: Controller software is rolled back to a version vulnerable to CVE-2022-20775. Log artifact: version change log on vManage, timestamped.
5. CVE-2022-20775 exploitation (path traversal to root): The path traversal vulnerability is exploited to obtain a root-level shell. Log artifact: system-level file access events, if auditd is enabled.
6. Persistence installation: Local account creation and SSH key implant are installed. Log artifact: /etc/passwd delta; authorized_keys modification.
7. Version restore: Original software version is restored, removing the version-based detection signal. Log artifact: a second version change entry within a short timeframe of the Stage 4 entry on the same controller.
Every artifact above lives on vSmart or vManage. In most organisations, neither device feeds the SIEM.
The log gap
The gap is an ownership problem, not a technical one. SD-WAN is procured and operated as network infrastructure. Security teams own the SIEM pipeline for firewalls and endpoints. Network teams own SD-WAN. No team owns the log pipeline for vManage and vSmart events. Both Penligent and SOC Prime indicate that log export from these components is configurable; the capability exists. The ownership and operational process to exercise it do not. UAT-8616 operated undetected for a minimum of three years in environments running exactly this configuration. That is the documented operational history.
CISA ED 26-03 addresses this directly. The directive mandates external log storage as a required remediation action, not a recommendation. That is not procedural housekeeping. It is an acknowledgement that the logs needed to detect this activity do not currently exist where they need to be.
The Five Eyes co-sealed threat hunt guide provides artifact-level query patterns for identifying UAT-8616 activity. Those queries depend on log sources that are typically absent from SIEM pipelines. For organisations without vManage and vSmart logs already centralised, the hunt cannot begin until log onboarding is complete. An absence of findings under those conditions is not a clean result. It is a data gap.
The version-based detection blind spot
Vulnerability management programmes scan current state. As SOC Prime notes, the downgrade and restore cycle is built to defeat that method. Once the version is restored, scanners report clean, the CMDB reports clean, and the patch compliance dashboard shows green. All of those results are technically accurate. None answer the question that determines compromise.
Local accounts and SSH key implants installed during the downgrade window are not version-dependent artifacts. Restoring the software version removes the detection signal, not the persistence. The two are separate.
Cisco states that the only reliable detection signal is timestamped version change history: two version change entries within a short timeframe on the same controller reveal the sequence. According to Penligent and SOC Prime, most organisations do not retain this history for SD-WAN controllers.
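The detection logic that follows is an added example written for this article; it is not Cisco, CISA or SOC Prime code. It works the version change history described above the way a hunter would: every downgrade is flagged, a downgrade followed within a short window by a restore to the original version on the same controller is raised as the UAT-8616 pattern, and any change outside a documented maintenance window is reported separately. The one-record-per-line log format, the hostnames and the version numbers are all constructed for the example, since real vManage exports differ by release.

```python
"""Detect downgrade-then-restore sequences in SD-WAN controller version change history.

Added example; not Cisco, CISA or SOC Prime code. The log format is an
assumption, and every hostname and version number below is constructed.
"""
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <controller> <old_version> -> <new_version>".
# vsmart-01 shows the downgrade-then-restore pattern (restore 90 minutes later);
# vmanage-01 is a routine upgrade; vsmart-02 was downgraded and not yet restored.
SAMPLE_LOG = """\
2026-01-12T02:10:44 vsmart-01 20.9.5 -> 20.6.1
2026-01-12T03:40:09 vsmart-01 20.6.1 -> 20.9.5
2026-01-20T22:05:00 vmanage-01 20.9.4 -> 20.9.5
2026-02-03T01:15:30 vsmart-02 20.9.5 -> 20.6.1
"""

# Constructed documented maintenance window covering only the vmanage-01 upgrade.
MAINTENANCE_WINDOWS = [(datetime(2026, 1, 20, 20, 0), datetime(2026, 1, 21, 2, 0))]


def parse_version(text):
    # "20.9.5" -> (20, 9, 5): tuples compare component-wise, so 20.6.1 < 20.9.5
    return tuple(int(part) for part in text.split("."))


def fmt(version):
    return ".".join(str(part) for part in version)


def parse_log(lines):
    """Group version change records by controller, oldest first."""
    by_controller = {}
    for line in lines:
        if not line.strip():
            continue
        ts, controller, old, _arrow, new = line.split()
        by_controller.setdefault(controller, []).append(
            (datetime.fromisoformat(ts), parse_version(old), parse_version(new)))
    for events in by_controller.values():
        events.sort(key=lambda e: e[0])
    return by_controller


def find_downgrades(lines, window=timedelta(hours=24)):
    """Flag every downgrade; pair it with a restore to at least the original
    version on the same controller within `window` when one exists."""
    findings = []
    for controller, events in parse_log(lines).items():
        for i, (down_ts, down_from, down_to) in enumerate(events):
            if down_to >= down_from:
                continue  # upgrade or no-op, not a downgrade
            restore_ts = None
            for up_ts, up_from, up_to in events[i + 1:]:
                if up_ts - down_ts > window:
                    break
                if up_from == down_to and up_to >= down_from:
                    restore_ts = up_ts
                    break
            findings.append({
                "controller": controller,
                "kind": "downgrade_restore" if restore_ts else "downgrade_only",
                "from": fmt(down_from), "to": fmt(down_to),
                "downgraded_at": down_ts, "restored_at": restore_ts,
            })
    return findings


def changes_outside_maintenance(lines, maintenance_windows):
    """Any version change outside a documented maintenance window is
    alert-worthy regardless of direction (the baseline the article recommends)."""
    out = []
    for controller, events in parse_log(lines).items():
        for ts, old, new in events:
            if not any(start <= ts <= end for start, end in maintenance_windows):
                out.append((controller, ts, fmt(old), fmt(new)))
    return out


if __name__ == "__main__":
    for finding in find_downgrades(SAMPLE_LOG.splitlines()):
        print(finding)
    for change in changes_outside_maintenance(SAMPLE_LOG.splitlines(), MAINTENANCE_WINDOWS):
        print("outside maintenance:", change)
```

Run against the sample, the script reports vsmart-01 as a downgrade-restore pair and vsmart-02 as a downgrade with no restore yet; the maintenance check flags three of the four changes. The 24-hour window is a tunable: the page only says "a short timeframe", so widen it if controller history is sparse, and treat a downgrade with no matching restore as a live finding rather than noise.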
Response workflow
The following tiers are structured around organisational lead time, not severity. Patching and investigation run in parallel throughout.
This week: triage and patch
Inventory all vSmart and vManage instances. Confirm running software versions against Cisco's published advisory and patch to the fixed release immediately. This step is non-negotiable and independent of investigative findings.
Determine whether the management interface, including the vManage UI and NETCONF port 830, is reachable from untrusted networks. If it is, move directly to patch plus investigate. Do not wait for further triage. Internet exposure combined with deployment age since 2023 is the primary escalation trigger.
Do not close the patch ticket. Open a parallel investigation task: Verify pre-patch integrity of SD-WAN controllers. Patch closure does not confirm pre-patch clean state.
This quarter: log onboarding and hunt execution
Log onboarding is a prerequisite for executing any hunt queries, not a post-incident improvement. The minimum required sources are auth.log, NETCONF session logs, version change logs, peering event logs, and control-connection-state-change. This work requires coordination between network and security teams that may not share a workflow. Explicitly name that dependency and assign ownership in the project plan before proceeding.
Once logs are available, work through the following checklist, drawn from the Five Eyes co-sealed threat hunt guide:
• Review control-connection-state-change events for unexpected peer additions from 2023 to the present.
• Review version change logs for downgrade and restore sequences: two version change entries within a short timeframe on the same device.
• Audit /etc/passwd and authorized_keys on vManage and vSmart for accounts and keys absent from the authorised baseline.
• Review NETCONF session logs for sessions originating from unexpected source IPs.
• Correlate auth.log entries against known administrative accounts and expected IP ranges.
Where log history does not exist for the exposure window, the absence of data is a risk signal. It is not evidence of clean state. Partial reconstruction using network flow data, AAA logs, or change management records is preferable to declaring clean state from an absence of evidence.
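The checks below are an added example illustrating the account, key, NETCONF and auth.log items of the checklist; they are not code from Cisco, CISA or the Five Eyes hunt guide. The /etc/passwd and authorized_keys inputs, the baseline sets and the log lines are constructed samples, and the NETCONF session log format is an assumption (the sshd line follows the standard auth.log format). The version change item is a separate check and is not repeated here.

```python
"""Hunt checks for persistence artifacts and session origins on SD-WAN controllers.

Added example, not Cisco, CISA or Five Eyes code. All inputs are constructed
samples; the NETCONF session log format is an assumption.
"""
import ipaddress
import re

# --- constructed sample inputs (hostnames, users and keys are placeholders) ---
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Admin:/home/admin:/bin/bash
netops:x:1001:1001:Net Ops:/home/netops:/bin/bash
svc_backup:x:0:1002:backup:/home/svc_backup:/bin/bash
"""
BASELINE_ACCOUNTS = {"root", "admin", "netops"}

AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDBASELINEKEY0000000000000 netops@jump-host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDUNKNOWNKEY000000000000 backup@unknown
"""
BASELINE_KEYS = {("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDBASELINEKEY0000000000000")}

# Assumed NETCONF export format: "<ts> netconf session-open user=<u> src=<ip> port=830"
NETCONF_LOG = """\
2026-01-12T02:05:11 netconf session-open user=admin src=10.20.30.5 port=830
2026-01-12T02:09:58 netconf session-open user=admin src=203.0.113.77 port=830
2026-01-12T09:30:02 netconf session-open user=netops src=10.20.30.12 port=830
"""
AUTH_LOG = """\
Jan 12 02:08:41 vsmart-01 sshd[4121]: Accepted publickey for netops from 10.20.30.12 port 50214 ssh2
Jan 12 03:02:17 vsmart-01 sshd[4388]: Accepted publickey for svc_backup from 203.0.113.77 port 41877 ssh2
"""
ALLOWED_NETS = [ipaddress.ip_network("10.20.30.0/24")]  # constructed admin range

NETCONF_RE = re.compile(r"^(?P<ts>\S+) netconf session-open user=(?P<user>\S+) src=(?P<src>\S+)")
SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")


def audit_accounts(passwd_text, baseline):
    """Accounts absent from the baseline, plus any non-root account with UID 0."""
    unknown, uid0_aliases = set(), set()
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        name, uid = fields[0], int(fields[2])
        if name not in baseline:
            unknown.add(name)
        if uid == 0 and name != "root":
            uid0_aliases.add(name)
    return {"unknown": unknown, "uid0_aliases": uid0_aliases}


def audit_keys(authorized_keys_text, baseline):
    """Keys whose (type, blob) pair is not in the approved baseline.
    Assumes the plain 'type blob [comment]' form without option prefixes."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or line.startswith("#"):
            continue
        if (parts[0], parts[1]) not in baseline:
            unknown.append({"type": parts[0], "comment": " ".join(parts[2:])})
    return unknown


def _outside(ip, nets):
    return not any(ipaddress.ip_address(ip) in net for net in nets)


def review_sessions(lines, pattern, allowed_nets, baseline_accounts):
    """Sessions from outside the expected ranges or under unknown accounts.
    The same routine serves NETCONF session logs and sshd auth.log entries."""
    findings = []
    for line in lines:
        match = pattern.search(line)
        if not match:
            continue
        reasons = []
        if _outside(match["src"], allowed_nets):
            reasons.append("source outside allowed ranges")
        if match["user"] not in baseline_accounts:
            reasons.append("account not in baseline")
        if reasons:
            findings.append({"user": match["user"], "src": match["src"],
                             "reasons": reasons, "line": line})
    return findings


if __name__ == "__main__":
    print(audit_accounts(PASSWD, BASELINE_ACCOUNTS))
    print(audit_keys(AUTHORIZED_KEYS, BASELINE_KEYS))
    print(review_sessions(NETCONF_LOG.splitlines(), NETCONF_RE, ALLOWED_NETS, BASELINE_ACCOUNTS))
    print(review_sessions(AUTH_LOG.splitlines(), SSHD_RE, ALLOWED_NETS, BASELINE_ACCOUNTS))
```

On the sample, the account audit surfaces svc_backup both as unknown and as a UID 0 alias, the key audit surfaces the unknown ssh-rsa key, and both session reviews flag the 203.0.113.77 source. The baseline sets are the part that matters: without a verified list of authorised accounts and keys, the checks have nothing to diff against, which is exactly the fourth escalation criterion below.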
6 to 12 months: architecture
Reclassify vManage and vSmart as Tier 1 security-relevant infrastructure. These devices hold NETCONF access to the entire WAN fabric. They belong in the SIEM pipeline alongside firewalls.
Isolate SD-WAN management interfaces from internet access at the network layer. This is standard management plane security applied to a device class that was previously outside its scope.
Establish a version change baseline for vManage and vSmart. Any version change outside a documented maintenance window is an alert-worthy event according to SOC and Cisco. This directly mitigates the version-based detection gap.
Escalation criteria
Escalate to patch plus investigate if any one of the following applies. The logic is OR, not AND. A single criterion is sufficient to require investigation.
• SD-WAN management interfaces have been reachable from untrusted networks at any point since 2023.
• Centralised log collection from vManage or vSmart has not been in place continuously since 2023.
• The deployment predates 2023, placing it within the confirmed UAT-8616 operational window.
• The organisation cannot produce a verified baseline for authorised accounts and SSH keys on SD-WAN controllers.
Patch and close is defensible only where all four criteria can be ruled out with affirmative evidence. Assumption and the absence of contrary evidence do not meet that standard.
Final Thoughts
A version scan showing clean software is evidence of clean software. It is not evidence of clean infrastructure.
The investigation window is time-bounded. Logs degrade or are overwritten; incident response context fades. The acute response window for CVE-2026-20127 is approximately two to three weeks from the disclosure date. Organisations that patched without investigating carry unresolved exposure on a timeline that does not reset when the advisory drops off the news cycle.
UAT-8616 remains unattributed in the source reporting. The operational pattern, targeting network control plane infrastructure for long-term persistence rather than disruptive effect, is consistent with a nation-state-aligned actor. Attribution updates from Cisco Talos and Five Eyes agencies are the authoritative sources for any reclassification.
The broader implication is not specific to this vendor or this CVE. SD-WAN controllers, network automation platforms, and NETCONF-accessible devices share three characteristics that make them reliable persistence targets: fabric-wide configuration access, absent SIEM coverage, and classification as network infrastructure rather than security-relevant systems. UAT-8616 exploited all three. The structural conditions that enabled a minimum three-year undetected dwell period remain in place in most enterprise environments.
In Short
Patching does not resolve prior compromise. UAT-8616 installed persistence artifacts during a confirmed minimum three-year dwell period: rogue peers, local accounts, and SSH key implants. The patch removes the initial access vector. Artifacts installed before the patch remain present.
Version scanning produces a structurally false clean result. UAT-8616 downgraded controller software to exploit CVE-2022-20775 for root access, then restored the original version. Any scanner or CMDB checking the current version will report compliant. Persistence artifacts from that window are not version-dependent and survive the restore.
The log gap is an ownership problem, not a capability one. vManage and vSmart log export is configurable. The gap exists because network teams own SD-WAN and security teams own the SIEM, with no single team owning the log pipeline. The Five Eyes hunt queries cannot run until that onboarding is complete. The absence of logs is a risk signal, not evidence of clean state.
Escalation logic is OR, not AND. Any one of four criteria, including internet exposure since 2023, absent centralised logging, deployment predating 2023, or no clean account and key baseline, is individually sufficient to require patch plus investigate. Patch and close is defensible only when all four can be ruled out with evidence.
