CISA and International Partners Warn of Major Cisco SD-WAN Vulnerability
The US Cybersecurity and Infrastructure Security Agency (CISA), along with international partner agencies, has issued an alert regarding active compromise of Cisco Catalyst SD-WAN systems.
According to the statement, malicious actors “have been observed exploiting a previously undisclosed authentication bypass vulnerability, CVE-2026-20127, for initial access before escalating privileges using CVE-2022-20775 and establishing long-term persistence in Cisco SD-WAN systems.”
The alert strongly urges network defenders to immediately:
- Inventory all in-scope Cisco SD-WAN systems.
- Collect artifacts, including virtual snapshots and logs of SD-WAN systems, to support threat hunt activities.
- Fully patch Cisco SD-WAN systems with available updates.
- Hunt for evidence of compromise.
- Concurrently review Cisco’s latest security advisories and implement Cisco’s SD-WAN Hardening Guidance.
CISA has also issued the following directives to help address malicious activity involving vulnerable Cisco SD-WAN systems:
- Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems
- Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems
Read more at CISA.
03/03/2026