Introduction
A critical Cisco SD-WAN zero-day vulnerability, tracked as CVE-2026-20127, with a CVSS score of 10.0, has been exploited since 2023, allowing unauthenticated remote attackers to bypass authentication and gain admin access to affected products according to BleepingComputer. This vulnerability poses a significant threat to network integrity and availability, given the widespread use of Cisco SD-WAN solutions in enterprise environments for managing and orchestrating WAN infrastructure. Meanwhile, UAT-10027, a previously undocumented threat activity cluster, is targeting the US education and healthcare sectors with a never-before-seen backdoor called Dohdoor as reported by The Hacker News. Additionally, severe vulnerabilities have been discovered in EV2GO and SWITCH EV charging systems, which could allow attackers to impersonate charging stations, hijack sessions, and manipulate data sent to the backend according to CISA advisories and ICS advisory for SWITCH EV. These threats have significant potential for disruption and exploitation, underscoring the need for immediate action to protect critical infrastructure.
Cisco SD-WAN Zero-Day Under Active Exploitation
The CVE-2026-20127 zero-day vulnerability in Cisco SD-WAN allows unauthenticated remote attackers to bypass authentication and gain admin access to affected products, including Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) as explained by The Hacker News. This bug enables attackers to compromise controllers and add malicious rogue peers to targeted networks. Given its CVSS score of 10.0, this vulnerability is considered critical and requires immediate patching to prevent exploitation.
To understand the severity of CVE-2026-20127, it's essential to grasp how SD-WAN operates. SD-WAN solutions are designed to simplify branch office networking by providing centralized management, improved network visibility, and enhanced security features. However, vulnerabilities like CVE-2026-20127 can undermine these benefits by allowing unauthorized access to the very core of the network management system. Attackers could potentially use this vulnerability to not only gain administrative control but also to move laterally within the network, exploiting other weaknesses or stealing sensitive data.
UAT-10027 Targets US Education and Healthcare
UAT-10027, a previously undocumented threat activity cluster, has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the US since at least December 2025 according to The Hacker News. The end goal of these attacks is to deliver a never-before-seen backdoor called Dohdoor, which utilizes DNS-over-HTTPS (DoH) for its operations. This campaign highlights the increasing threat landscape faced by critical sectors such as education and healthcare, where sensitive data and systems are at risk.
The targeting of US education and healthcare sectors by UAT-10027 is particularly concerning due to the sensitive nature of the data handled by these organizations. Educational institutions and healthcare providers often possess extensive personal, financial, and medical records, making them lucrative targets for cybercriminals seeking valuable data for extortion, identity theft, or resale on the dark web. Moreover, the disruption of services in these sectors can have immediate and severe consequences, including compromised patient care and educational continuity.
Critical Vulnerabilities in EV2GO and SWITCH EV Charging Systems
Multiple critical vulnerabilities were discovered in EV2GO and SWITCH EV charging systems, which could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate traffic to cause large-scale denial of service, and manipulate data sent to the backend, as detailed in CISA's advisories for EV2GO and for SWITCH EV. The affected products include all versions of EV2GO (ev2go.io) and SWITCH EV (swtchenergy.com). These vulnerabilities, including missing authentication for critical functions, improper restriction of excessive authentication attempts, insufficient session expiration, and insufficiently protected credentials, pose significant risks to the security and reliability of electric vehicle charging infrastructure.
The impact of these vulnerabilities extends beyond the immediate risk of data manipulation or service disruption. As the world transitions towards more sustainable energy sources, including electric vehicles, the security of charging infrastructure becomes increasingly critical. A compromised charging system could not only lead to financial losses but also undermine trust in the technology, potentially slowing adoption rates. Furthermore, the interconnected nature of modern infrastructure means that vulnerabilities in one sector can have ripple effects across others, emphasizing the need for a holistic approach to cybersecurity.
Recommendations and Takeaways
To mitigate these threats, organizations should:
- Immediately patch the Cisco SD-WAN zero-day vulnerability (CVE-2026-20127) to prevent exploitation. This involves updating Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager to the latest versions that include the security fix.
- Implement defensive measures such as minimizing network exposure, using secure remote access methods (e.g., VPNs), and isolating control system networks from business networks as recommended by CISA.
- Be aware of the UAT-10027 threat activity cluster targeting US education and healthcare, and take steps to detect and prevent Dohdoor backdoor infections. This includes monitoring for unusual DNS-over-HTTPS activity and implementing robust endpoint detection and response tools.
- Address vulnerabilities in EV2GO and SWITCH EV charging systems by following vendor advisories and implementing security best practices for control systems as suggested by CISA's ICS webpage. This may involve segregating charging infrastructure from other networks, enforcing strong authentication mechanisms, and regularly updating software to the latest secure versions.
- Conduct regular security audits and penetration testing to identify and remediate vulnerabilities before they can be exploited.
- Implement a defense-in-depth strategy that includes firewalls, intrusion detection systems, and encryption to protect against various types of attacks.
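The recommendation above to monitor for unusual DNS-over-HTTPS activity can be turned into a concrete triage check. The following is an added example, not code from the article or from any of the cited sources, and it uses only the generic DoH indicators defined in RFC 8484 (the application/dns-message media type, the /dns-query path, and the base64url dns= query parameter for GET requests); the article gives no Dohdoor-specific indicators, so none are used here. The log format, the sample log lines, the list of well-known public DoH resolvers, and the "sanctioned resolver" policy are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample web-proxy log lines (not taken from the report). Assumed format:
# timestamp client_ip method host path status content_type
SAMPLE_LOG = """\
2026-01-12T10:00:01Z 10.0.5.23 GET www.example.edu /index.html 200 text/html
2026-01-12T10:00:02Z 10.0.5.23 POST dns.google /dns-query 200 application/dns-message
2026-01-12T10:00:03Z 10.0.5.40 GET cloudflare-dns.com /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB 200 application/dns-message
2026-01-12T10:00:04Z 10.0.5.40 GET api.example.org /v1/status 200 application/json
2026-01-12T10:00:05Z 10.0.5.77 POST 203.0.113.9 /dns-query 200 application/dns-message
"""

# Illustrative subset of public DoH resolvers; a real deployment would maintain its own list.
KNOWN_DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
# Hypothetical policy: the one DoH resolver the organisation has approved for endpoints.
SANCTIONED_RESOLVERS = {"dns.quad9.net"}


@dataclass
class DohHit:
    client_ip: str
    host: str
    reason: str
    severity: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client_ip, method, host, path, status, content_type = parts
    return {
        "ts": ts, "client_ip": client_ip, "method": method, "host": host,
        "path": path, "status": status, "content_type": content_type,
    }


def classify(rec: Dict[str, str]) -> Optional[DohHit]:
    """Return a DohHit if the request carries RFC 8484 DoH indicators, else None."""
    reasons: List[str] = []
    if rec["content_type"] == "application/dns-message":
        reasons.append("RFC 8484 media type")
    if rec["path"].split("?", 1)[0].endswith("/dns-query"):
        reasons.append("/dns-query path")
    if rec["method"] == "GET" and "dns=" in rec["path"]:
        reasons.append("base64url dns= query parameter")
    if not reasons:
        return None

    # Severity tiers are a constructed policy: sanctioned resolver is expected traffic,
    # a known public resolver is worth a look, anything else (including a bare IP) is
    # the pattern a DoH-tunnelling backdoor would produce and deserves the highest priority.
    if rec["host"] in SANCTIONED_RESOLVERS:
        severity = "info"
    elif rec["host"] in KNOWN_DOH_RESOLVERS:
        severity = "medium"
    else:
        severity = "high"
    return DohHit(rec["client_ip"], rec["host"], "; ".join(reasons), severity)


def scan(log_text: str) -> List[DohHit]:
    """Run the classifier over every parseable line and collect the hits in order."""
    hits: List[DohHit] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit is not None:
            hits.append(hit)
    return hits


def summarize_by_client(hits: List[DohHit]) -> Dict[str, int]:
    """Count DoH hits per client so the noisiest endpoints surface first."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.client_ip] = counts.get(h.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"[{h.severity}] {h.client_ip} -> {h.host}: {h.reason}")
    print(summarize_by_client(scan(SAMPLE_LOG)))
```

The value of the tiering is in the last case: DoH to a host that is neither sanctioned nor a known public resolver, especially a raw IP, is exactly the traffic shape a backdoor using DoH for command-and-control would leave behind, and it is also the easiest to act on, since a proxy or egress firewall can simply block application/dns-message to anything but the sanctioned resolver.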
By taking proactive measures, organizations can reduce their risk of falling victim to these critical threats and protect their critical infrastructure from exploitation. Staying informed about the latest cybersecurity threats and advisories is crucial for maintaining a robust defense against evolving cyber threats. As the cyber landscape continues to evolve, vigilance, preparedness, and collaboration among stakeholders will be key to securing our increasingly interconnected world.