The Cybersecurity and Infrastructure Security Agency (CISA) issued an Alert and Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems in response to cyber threat actors’ observed exploitation of Cisco Software-Defined Wide-Area Networking (SD-WAN) systems. While only federal agencies are required to implement CISA Emergency Directives (EDs), the risks extend to every organization and sector using these systems. All organizations are strongly urged to review and adopt the actions outlined in the ED and associated resources.
CISA and partners have observed malicious cyber actors targeting and compromising the Cisco SD-WAN systems of organizations globally. These threat actors have been observed exploiting a previously undisclosed authentication bypass vulnerability, CVE-2026-20127, for initial access before escalating privileges using CVE-2022-20775 and establishing long-term persistence in Cisco SD-WAN systems. CISA has added both of these CVEs to its Known Exploited Vulnerabilities (KEV) Catalog.
In addition to the Alert and ED, CISA is also sharing additional resources to support mitigation efforts:

- Cisco SD-WAN Threat Hunt Guide: Developed in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre, the US National Security Agency, and global partners, this guide supports network defenders in detecting and responding to malicious activity targeting SD-WAN systems.
- Cisco Catalyst SD-WAN Hardening Guidance: This guidance, developed by Cisco, provides actionable mitigations for network defenders to strengthen and secure SD-WAN networks.
CISA and partners strongly urge network defenders to immediately:

- inventory all in-scope Cisco SD-WAN systems,
- collect artifacts, including virtual snapshots and logs, off of SD-WAN systems to support threat hunt activities,
- fully patch Cisco SD-WAN systems with available updates,
- hunt for evidence of compromise, and
- concurrently review Cisco’s latest security advisories, Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability and Cisco Catalyst SD-WAN Vulnerabilities, and implement Cisco’s SD-WAN Hardening Guidance.