
Federal and international cyber agencies sounded the alarm yesterday, warning that sophisticated attackers are actively exploiting critical flaws in Cisco Catalyst SD‑WAN systems that allow remote takeover of management controls and manipulation of routing. By chaining the vulnerabilities, intruders can gain unauthenticated access to administrative accounts, insert rogue peers into SD‑WAN control planes, then escalate privileges to root for long‑term persistence. Officials are urging immediate inventories, emergency patching and deep forensic hunts to determine whether networks have already been compromised.
Feds Fire Off Emergency Directive
Yesterday, the U.S. Cybersecurity and Infrastructure Security Agency issued Emergency Directive 26‑03, adding CVE‑2026‑20127 and CVE‑2022‑20775 to its Known Exploited Vulnerabilities catalog and directing federal civilian agencies to inventory affected Cisco SD‑WAN systems, collect forensic artifacts, apply updates and hunt for evidence of compromise, according to CISA.
How Attackers Are Getting In
Cisco Talos reports that the intrusions begin with an authentication‑bypass zero‑day tracked as CVE‑2026‑20127, which lets an unauthenticated actor log in as a high‑privileged internal account and use NETCONF to alter SD‑WAN fabric settings. Talos attributes the activity to a cluster it tracks as UAT‑8616, whose follow‑on tradecraft downgrades the software in order to exploit a 2022 path‑traversal bug, CVE‑2022‑20775, escalate to root, and then restore the original version to help cover the attackers’ tracks, according to Cisco Talos.
Cisco’s Fix: Patch Now Or Stay Exposed
Cisco has published security advisories listing affected releases and fixed versions, and the company notes there are no workarounds available; upgrading to the patched releases is the only full remediation, according to Cisco. The vendor also released a hardening guide and indicators of compromise to help defenders spot unauthorized peering events and evidence of downgrades.
What Network Teams Need To Do Right Now
Network operators are being told to immediately inventory SD‑WAN manager and controller instances, capture virtual snapshots and external logs, apply the vendor updates, rotate keys and hunt for signs of unauthorized peers, unexpected user accounts or evidence of version downgrades, per guidance from CISA. The FBI Cyber Division has echoed that call in a social post and urged teams to “fully patch Cisco SD-WAN systems and hunt for evidence of compromise,” according to the FBI Cyber Division.
🚨 Malicious cyber actors are targeting and compromising Cisco SD-WAN systems deployed by organizations worldwide.
These actors have exploited a previously undisclosed authentication bypass vulnerability, CVE-2026-20127, for initial access before escalating privileges using… pic.twitter.com/HlvjudEK6G
— FBI Cyber Division (@FBICyberDiv) February 25, 2026
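The hunt steps above (flag version downgrades, unauthorized peers and unexpected accounts) and the downgrade‑then‑restore sequence Talos describes can be turned into a simple baseline comparison. The script below is an added example, not code from CISA, Cisco or Talos: it runs over constructed inventory data with a hypothetical schema (per‑host version timelines, observed peers and observed accounts), not Cisco’s real log or export format, and the version strings and IP addresses are placeholders rather than values from the advisory. A real run would populate the same structures from snapshots, configuration exports and external logs collected before patching.

```python
"""Baseline hunt for SD-WAN controller compromise indicators (added example).

Three checks, each mirroring a hunt item from the guidance:
  1. find_downgrades   - a software version step that went backwards, and
                         whether it was later restored (downgrade-then-restore)
  2. find_unexpected   - peers on a host that are not in the approved baseline
  3. find_unexpected   - accounts on a host that are not in the approved baseline
The input schema is hypothetical; all sample values are constructed.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample: ordered software versions per controller, oldest first.
# Version numbers are placeholders, not the advisory's affected/fixed releases.
VERSION_HISTORY: Dict[str, List[str]] = {
    "sdwan-mgr-01": ["20.12.4", "20.12.4", "20.12.4"],  # unchanged
    "sdwan-mgr-02": ["20.12.4", "20.9.1", "20.12.4"],   # downgrade, then restore
    "sdwan-ctrl-01": ["20.12.4", "20.12.5"],            # legitimate upgrade
}

# Constructed sample: approved vs. currently observed control-plane peers.
APPROVED_PEERS: Dict[str, Set[str]] = {
    "sdwan-mgr-01": {"198.51.100.10", "198.51.100.11"},
    "sdwan-mgr-02": {"198.51.100.10", "198.51.100.11"},
}
OBSERVED_PEERS: Dict[str, Set[str]] = {
    "sdwan-mgr-01": {"198.51.100.10", "198.51.100.11"},
    "sdwan-mgr-02": {"198.51.100.10", "198.51.100.11", "203.0.113.77"},
}

# Constructed sample: approved vs. currently observed local accounts.
APPROVED_ACCOUNTS: Dict[str, Set[str]] = {
    "sdwan-mgr-01": {"admin", "netops"},
    "sdwan-mgr-02": {"admin", "netops"},
}
OBSERVED_ACCOUNTS: Dict[str, Set[str]] = {
    "sdwan-mgr-01": {"admin", "netops"},
    "sdwan-mgr-02": {"admin", "netops", "svc-backup"},
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple that compares numerically."""
    return tuple(int(part) for part in version.split("."))


def find_downgrades(history: Dict[str, List[str]]) -> List[Tuple[str, str, str, bool]]:
    """Return (host, from_version, to_version, restored) for every backward step.

    'restored' is True when a later entry climbs back to at least the
    pre-downgrade version, the pattern used to hide a temporary downgrade.
    """
    findings = []
    for host, versions in history.items():
        parsed = [parse_version(v) for v in versions]
        for i in range(1, len(parsed)):
            if parsed[i] < parsed[i - 1]:
                restored = any(later >= parsed[i - 1] for later in parsed[i + 1:])
                findings.append((host, versions[i - 1], versions[i], restored))
    return findings


def find_unexpected(observed: Dict[str, Set[str]],
                    approved: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Per host, the observed items (peers or accounts) missing from the baseline.

    A host with no baseline entry has every observed item flagged, so an
    unknown controller surfaces rather than being silently skipped.
    """
    result: Dict[str, List[str]] = {}
    for host, seen in observed.items():
        extra = sorted(seen - approved.get(host, set()))
        if extra:
            result[host] = extra
    return result


def hunt_report() -> Dict[str, object]:
    """Run all three checks over the constructed sample data."""
    return {
        "downgrades": find_downgrades(VERSION_HISTORY),
        "unexpected_peers": find_unexpected(OBSERVED_PEERS, APPROVED_PEERS),
        "unexpected_accounts": find_unexpected(OBSERVED_ACCOUNTS, APPROVED_ACCOUNTS),
    }


if __name__ == "__main__":
    for check, hits in hunt_report().items():
        print(f"{check}: {hits if hits else 'no findings'}")
```

Each check compares against a baseline captured before the hunt, so the quality of the result depends on having an approved peer and account list per host; where none exists, the script flags everything on that host, which is the safer failure mode during an incident. Any hit should be preserved with the snapshots and logs already collected rather than remediated in place, since the evidence feeds the incident reporting the directive requires.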
Legal And Compliance Heat For Agencies
The emergency directive is mandatory for federal civilian agencies and comes with compressed reporting timelines: FedRAMP has instructed cloud providers and agency customers to inventory in‑scope systems and submit status reports under ED 26‑03 by 5:00 PM ET tomorrow, according to FedRAMP. Agencies that identify signs of compromise are directed to follow incident reporting procedures and coordinate with CISA and partner agencies.
What To Watch As Scans Ramp Up
Researchers warn defenders to expect increased scanning activity and opportunistic exploitation once proof‑of‑concept code appears, and intelligence partners have released a technical hunt guide to help identify compromise, according to the NSA and other partners, including Cisco Talos. For most organizations, the prudent assumption is that internet‑exposed SD‑WAN management interfaces should be treated as potentially compromised until defenders can prove otherwise.