Cybersecurity agencies across the Five Eyes alliance have issued an emergency directive warning that a critical Cisco SD-WAN vulnerability is being actively exploited to gain unauthorized access to federal networks.
Officials confirmed that threat actors are targeting core SD-WAN control systems — infrastructure that manages traffic across government and enterprise networks — and urged organizations to patch affected devices immediately.
Cisco’s Talos threat intelligence group disclosed that attackers have been exploiting a previously unknown vulnerability affecting Cisco Catalyst SD-WAN controllers, tracked as CVE-2026-20127. The flaw allows an unauthenticated attacker to bypass authentication controls and gain administrative-level access to vulnerable SD-WAN control plane components.
Talos said the activity is associated with a threat cluster it tracks as UAT-8616, and that evidence suggests exploitation may have begun as early as 2023. Successful exploitation would allow attackers to manipulate controller-to-device communications, alter network configurations, and potentially establish persistent access within enterprise environments.
Attackers are attempting active exploitation
Nick Andersen, executive assistant director for cybersecurity at the US Cybersecurity and Infrastructure Security Agency, said during a media briefing that threat actors are actively attempting to access and potentially compromise federal networks through exploitation of the flaw, but did not identify which agencies were affected.
He also warned that the activity appears to be increasing. “We continue to see the volumetric increase in both threat actor behavior and the extension of the attack surface that they’re targeting,” Andersen said, adding that CISA is in the early stages of remediating the vulnerability. “It’s a far-reaching activity that we’ve seen and the persistent commitment of the cyber threat actor to both take advantage of SD-WAN and other technologies sort of continues to evolve within the space.”
CISA is not currently attributing the activity to a specific threat actor, Andersen noted.
Software updates available
SD-WAN controllers play a central role in orchestrating traffic across distributed enterprise networks, including branch offices and cloud environments. Compromise at the controller level could provide attackers with broad visibility and control across large portions of an organization’s network infrastructure.
In a separate security advisory, Cisco confirmed the vulnerability and released software updates to address it. According to the company, the flaw stems from insufficient validation of authentication requests within the SD-WAN peering process. An attacker sending specially crafted traffic could gain unauthorized access to the system and interact with internal interfaces.
Cisco said there are no workarounds for the vulnerability and urged customers to apply available patches immediately. The company also recommended reviewing system logs, validating controller integrity, and implementing additional hardening measures where possible.
CISA and other Five Eyes agencies advise organizations operating Cisco SD-WAN systems to prioritize patch deployment and conduct thorough compromise assessments to determine whether exploitation has already occurred.
CISA and the authoring organizations strongly urge network defenders to take the following steps immediately:
Inventory all in-scope Cisco SD-WAN systems.
Collect artifacts, including virtual snapshots and logs of SD-WAN systems.
Patch Cisco SD-WAN systems, including for CVE-2026-20127 and CVE-2022-20775.
Hunt for evidence of compromise.
Implement hardening as outlined in Cisco’s Catalyst SD-WAN Hardening Guide and review Cisco’s blog.
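The five directive steps above are a procedure a defender can put behind a script. The following is an added illustration, not CISA's or Cisco's tooling: it reads a constructed inventory, keeps only control-plane components (assuming the inventory labels them vManage, vSmart and vBond), decides which still need the patch by comparing release numbers as integer tuples rather than strings (a string comparison ranks 20.9 above 20.12), and orders the actions so artifact collection precedes patching and hunting happens even on controllers already at the fixed release, since Talos says exploitation may have begun well before disclosure. The FIXED_VERSIONS thresholds are placeholders: the page names the CVEs but not the fixed releases, so they must be replaced with the values from Cisco's advisory.

```python
"""Remediation triage for the directive steps: inventory in-scope Cisco SD-WAN
controllers, decide which still need the patch, and order the actions so that
artifact collection precedes patching.

Added illustration, not CISA's or Cisco's tooling. The inventory rows and the
FIXED_VERSIONS thresholds are constructed placeholders; take the real fixed
releases for CVE-2026-20127 and CVE-2022-20775 from Cisco's advisory.
"""
import re
from dataclasses import dataclass

# PLACEHOLDER fixed release per software train (first two version components).
# Not from the advisory; replace with the versions Cisco lists as fixed.
FIXED_VERSIONS = {
    "20.9": "20.9.99",
    "20.12": "20.12.99",
}

# Assumed role names for SD-WAN control-plane components in the inventory.
# Edge routers (cEdge/vEdge) are not controllers and fall outside the directive's scope.
CONTROLLER_ROLES = {"vManage", "vSmart", "vBond"}


@dataclass(frozen=True)
class Device:
    hostname: str
    role: str
    version: str


def parse_version(version: str) -> tuple:
    """Split a release string into an integer tuple so that 20.12 > 20.9.
    A plain string comparison gets this backwards ("20.12" < "20.9")."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def train(version: str) -> str:
    """Software train is the first two components, e.g. '20.12.4' -> '20.12'."""
    return ".".join(version.split(".")[:2])


def needs_patch(device: Device) -> bool:
    """True when the device runs a release older than the fixed one for its train.
    An unknown train is treated as unpatched until confirmed against the advisory."""
    fixed = FIXED_VERSIONS.get(train(device.version))
    if fixed is None:
        return True
    return parse_version(device.version) < parse_version(fixed)


def parse_inventory(csv_text: str) -> list:
    """Parse 'hostname,role,version' lines; blank lines and '#' comments are skipped."""
    devices = []
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hostname, role, version = (field.strip() for field in line.split(","))
        devices.append(Device(hostname, role, version))
    return devices


def plan_actions(device: Device) -> list:
    """Order the directive's steps for one device. Artifacts are collected before
    patching so an upgrade does not overwrite evidence; hunting happens even on
    already-patched controllers because exploitation may predate the fix."""
    if device.role not in CONTROLLER_ROLES:
        return []
    if needs_patch(device):
        return ["collect_snapshot_and_logs", "patch", "hunt_for_compromise", "apply_hardening_guide"]
    return ["hunt_for_compromise", "apply_hardening_guide"]


def triage(csv_text: str) -> dict:
    """Map hostname -> ordered action list for every device in the inventory."""
    return {d.hostname: plan_actions(d) for d in parse_inventory(csv_text)}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = """
# hostname,role,version
vmanage-01,vManage,20.12.4
vsmart-01,vSmart,20.9.5
vbond-01,vBond,20.12.99
edge-01,cEdge,17.12.3
"""

if __name__ == "__main__":
    for host, actions in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {' -> '.join(actions) if actions else 'out of scope'}")
```

Running the block as-is prints the action order for each constructed host; feeding it a real export means adjusting the role names to whatever the inventory uses and replacing the placeholder thresholds, after which an unknown train is deliberately reported as needing the patch rather than silently passing.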
Disclosure comes amid strain at CISA
The disclosure comes amid heightened scrutiny of network infrastructure security. It also comes at a time when CISA, facing staffing reductions and operating under constraints tied to the ongoing Department of Homeland Security shutdown, is managing limited resources during a period of elevated threat activity.
CISA’s Andersen, however, said that despite the ongoing multi-week Department of Homeland Security shutdown, “CISA remains fully committed to protecting federal networks from a malicious separate threat.”
Emergency directives are binding on federal civilian agencies and are reserved for vulnerabilities that pose significant, immediate threats. Although the order applies specifically to government networks, CISA frequently encourages private-sector organizations to follow similar remediation timelines when critical vulnerabilities are being exploited in the wild.
Shift toward control plane targets
The coordinated disclosures from Talos, Cisco, and the government agencies highlight an ongoing shift in attacker priorities. Rather than targeting only endpoints or user-facing applications, sophisticated groups are increasingly pursuing control-plane technologies such as SD-WAN, firewalls, and identity systems that offer strategic network access.
Compromising SD-WAN infrastructure can yield high operational leverage. Because controllers manage routing, policy enforcement, and device authentication across distributed environments, an attacker with privileged access could disrupt traffic flows, redirect communications, or use the position to move laterally into cloud and on-premises assets.
The disclosures also reinforce long-standing concerns about the risk window between the discovery of a vulnerability and the deployment of patches. In this case, Talos indicated that exploitation activity may have preceded public disclosure by a significant period, suggesting that attackers were able to leverage the flaw before customers were aware of it.