Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive warning of a “cyber threat actor’s ongoing exploitation of Cisco SD-WAN systems,” describing the activity as presenting a significant risk to federal civilian executive branch networks.
Analysis Summary
# Vulnerability: Active Exploitation of Cisco SD-WAN Systems
## CVE Details
- **CVE ID:** CVE-2026-20127 and CVE-2022-20775
- **CVSS Score:** Not explicitly listed in the article, but characterized as "Significant Risk" and "Unacceptable Risk" by CISA.
- **CWE:** Not specified (Technical descriptions suggest Authentication Bypass and Privilege Escalation flaws).
## Affected Systems
- **Products:** Cisco Catalyst Software Defined Wide Area Network (SD-WAN) systems.
- **Versions:** Affected versions are not fully detailed in the text, though a patch exists for the primary zero-day identified in late 2025.
- **Configurations:** Systems integrated into the SD-WAN management and control planes.
## Vulnerability Description
The flaws consist of multiple independent vulnerabilities in the Cisco SD-WAN architecture. The most critical component involves an authentication bypass or architectural flaw that allows an attacker to introduce a "rogue peer" into the network’s management or control plane. Once joined, this rogue device appears as a legitimate, temporary SD-WAN component. From this trusted position, attackers can conduct administrative actions, elevate privileges to **root**, overwrite arbitrary files, and access sensitive information.
## Exploitation
- **Status:** Exploited in the wild (Confirmed ongoing exploitation by advanced threat actors since 2023).
- **Complexity:** High (Requires specialized knowledge of SD-WAN control planes).
- **Attack Vector:** Network (Targeting management/control infrastructure).
## Impact
- **Confidentiality:** High (Access to sensitive information and control plane data).
- **Integrity:** High (Ability to overwrite arbitrary files and manage network configurations).
- **Availability:** High (Potential for comprehensive network disruption via management plane control).
## Remediation
### Patches
- Cisco has released patches for the primary zero-day vulnerability (referred to as identified in late 2025). Organizations should refer to the **Cisco Security Advisory** for specific software version updates.
### Workarounds
- The article does not list specific workarounds. Immediate investigation and application of official patches are the primary recommended actions.
## Detection
- **Indicators of Compromise:** Presence of unknown or temporary "rogue peers" joined to the SD-WAN management/control plane.
- **Detection Methods:**
- Reviewing system logs for unauthorized root access.
- Auditing for tampered logging or monitoring processes.
- Utilizing the Australian Signals Directorate’s **"Hunt Guide"** specifically designed for these vulnerabilities.
## References
- CISA Emergency Directive (ED 26-03): hxxps://www.cisa[.]gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- Cisco Security Advisory: hxxps://sec.cloudapps.cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
- Australian Signals Directorate Hunt Guide: hxxps://www.cyber.gov[.]au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf
- UK NCSC Warning: hxxps://www.ncsc.gov[.]uk/news/exploitation-cisco-catalyst-sd-wans