Cybersecurity agencies within the Five Eyes alliance have issued an urgent directive regarding a critical vulnerability in Cisco SD-WAN systems. This flaw is currently being exploited to gain unauthorized access to federal networks.
Officials have confirmed that threat actors are focusing on core SD-WAN control systems, which are crucial for managing traffic across government and enterprise networks. Organizations are strongly urged to patch their affected devices without delay.
Cisco’s Talos threat intelligence team has revealed that attackers are exploiting a previously unknown vulnerability in Cisco Catalyst SD-WAN controllers, identified as CVE-2026-20127. This vulnerability allows unauthenticated attackers to bypass authentication controls and gain administrative access to the vulnerable components of the SD-WAN control plane.
Talos has linked this activity to a threat cluster known as UAT-8616, noting that evidence suggests exploitation may have started as early as 2023. If successful, these attacks could enable malicious actors to manipulate communications between controllers and devices, alter network configurations, and create persistent access within enterprise environments.
Active exploitation attempts against federal networks
Nick Andersen, the executive assistant director for cybersecurity at the US Cybersecurity and Infrastructure Security Agency (CISA), stated during a recent media briefing that threat actors are actively attempting to compromise federal networks through this vulnerability. However, he did not specify which agencies have been impacted.
Andersen also warned that the frequency of such attacks appears to be increasing. “We are observing a significant rise in both the behavior of threat actors and the expansion of their target areas,” he explained. He added that CISA is in the preliminary stages of addressing the vulnerability. “This is a widespread issue we are witnessing, and the commitment from cyber threat actors to exploit SD-WAN and similar technologies continues to evolve.”
Currently, CISA is not attributing this activity to any specific threat actor.
Software updates available
SD-WAN controllers are essential for orchestrating traffic across distributed enterprise networks, which include branch offices and cloud environments. A compromise at the controller level could provide attackers with extensive visibility and control over large segments of an organization’s network.
In a separate advisory, Cisco confirmed the vulnerability and released software updates that fix it. The company said the flaw arises from inadequate validation of authentication requests within the SD-WAN peering process: an unauthenticated attacker could send specially crafted traffic to obtain unauthorized access and interact with internal interfaces.
Cisco states that there are no workarounds for this vulnerability and urges customers to apply the available patches immediately. Cisco also recommends reviewing system logs, validating controller integrity, and applying additional hardening wherever possible.
CISA, along with other Five Eyes agencies, advises organizations operating Cisco SD-WAN systems to prioritize the deployment of patches and conduct thorough assessments to determine if any exploitation has already taken place.
To assist network defenders, CISA and the authoring organizations strongly recommend the following immediate actions:
- Inventory all in-scope Cisco SD-WAN systems.
- Collect artifacts, including virtual snapshots and logs from SD-WAN systems.
- Patch Cisco SD-WAN systems, specifically for CVE-2026-20127 and CVE-2022-20775.
- Hunt for evidence of compromise.
- Implement the measures in Cisco’s Catalyst SD-WAN Hardening Guide and review Cisco’s accompanying blog post.
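The inventory and patch-status steps above, as an added example that is not code from the page, Cisco, CISA or Talos. It assumes a device export shaped like a vManage inventory dump (the field names host-name, device-type and version are assumed) and a placeholder FIXED_VERSIONS table whose values are hypothetical and must be replaced with the fixed releases in Cisco's advisory before use. The point it demonstrates is fail-closed triage: a controller whose version cannot be parsed, or whose release train is not in the table, is reported for manual review rather than silently treated as patched.

```python
import re
from dataclasses import dataclass

# Hypothetical placeholder table: first fixed release per release train, keyed
# by "major.minor". Every value here is an assumption; replace it with the fixed
# releases listed in Cisco's advisory before relying on the output.
FIXED_VERSIONS = {
    "20.9": (20, 9, 7),
    "20.12": (20, 12, 5),
    "20.15": (20, 15, 4),
}

# Controller roles; edge routers run different software and are listed
# separately so the inventory stays complete without mixing the two checks.
CONTROLLER_TYPES = {"vmanage", "vsmart", "vbond"}

# Constructed sample inventory (assumed field names, not real devices).
SAMPLE_INVENTORY = [
    {"host-name": "vmanage-01", "device-type": "vmanage", "version": "20.12.3"},
    {"host-name": "vsmart-01", "device-type": "vsmart", "version": "20.12.5"},
    {"host-name": "vbond-01", "device-type": "vbond", "version": "20.9.7.1"},
    {"host-name": "vsmart-02", "device-type": "vsmart", "version": "20.6.4"},
    {"host-name": "vmanage-02", "device-type": "vmanage", "version": "unknown"},
    {"host-name": "edge-br1", "device-type": "vedge", "version": "20.12.3"},
]

# Lower number = higher priority when sorting the report.
PRIORITY = {"needs-patch": 0, "unknown-train": 1, "unparsable": 2,
            "edge-review": 3, "fixed": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    role: str
    version: str
    status: str


def parse_version(text):
    """Return (major, minor, patch) from a version string, or None if absent."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def assess(device):
    """Classify one inventory record; unknown inputs fail closed to review."""
    host = str(device.get("host-name", "?"))
    role = str(device.get("device-type", "")).lower()
    raw = str(device.get("version", ""))
    if role not in CONTROLLER_TYPES:
        return Finding(host, role, raw, "edge-review")
    parsed = parse_version(raw)
    if parsed is None:
        # Cannot tell whether it is patched: surface it, do not assume fixed.
        return Finding(host, role, raw, "unparsable")
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_VERSIONS.get(train)
    if fixed is None:
        # Train not covered by the table: treat as unpatched until confirmed.
        return Finding(host, role, raw, "unknown-train")
    status = "fixed" if parsed >= fixed else "needs-patch"
    return Finding(host, role, raw, status)


def triage(inventory):
    """Assess every record and order the report most-urgent first."""
    return sorted((assess(d) for d in inventory),
                  key=lambda f: (PRIORITY[f.status], f.host))


def summarize(findings):
    """Count findings per status for the summary line of the report."""
    counts = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for f in report:
        print(f"{f.status:<14} {f.host:<12} {f.role:<8} {f.version}")
    print(summarize(report))
```

Feed the script the real export instead of SAMPLE_INVENTORY and keep the "unparsable" and "unknown-train" rows in the remediation tracker; they are the records most likely to hide an unpatched controller.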
Disclosure comes amid strain at CISA
The advisory comes at a time of increased scrutiny over network infrastructure security. CISA is also grappling with staffing reductions and operational constraints due to the ongoing Department of Homeland Security shutdown, which limit its resources while threat levels remain elevated.
Despite these challenges, Andersen affirmed that CISA remains committed to safeguarding federal networks from potential threats.
Emergency directives issued by CISA are mandatory for federal civilian agencies and are reserved for vulnerabilities that present significant and immediate risks. While this order specifically pertains to government networks, CISA often encourages private-sector organizations to adhere to similar remediation timelines when critical vulnerabilities are being actively exploited.
Shift toward control plane targets
The coordinated disclosures from Talos, Cisco, and government agencies illustrate a shift in attacker focus. Instead of solely targeting endpoints or user-facing applications, sophisticated groups are increasingly aiming for control-plane technologies such as SD-WAN, firewalls, and identity systems, which provide strategic access to networks.
Compromising SD-WAN infrastructure can yield considerable operational leverage. Since controllers manage routing, policy enforcement, and device authentication across distributed environments, an attacker with privileged access could disrupt traffic flows, redirect communications, or even move laterally into cloud and on-premises assets.
The disclosures also highlight longstanding concerns regarding the risk window between the discovery of a vulnerability and the deployment of patches. Talos noted that exploitation activity may have occurred before public awareness of the flaw, suggesting that attackers capitalized on the vulnerability prior to customers being informed.