CISA issues urgent guidance on ongoing global exploitation of Cisco SD-WAN systems
CISA and international partners say attackers are actively exploiting Cisco SD-WAN systems and urge organisations to inventory assets, patch immediately, collect forensic artifacts, and hunt for compromise.
What happened
CISA and partner agencies released guidance on 25 February 2026 warning of ongoing global exploitation affecting Cisco SD-WAN systems. The alert says threat actors have exploited CVE-2026-20127 for initial access, then used CVE-2022-20775 for privilege escalation and long-term persistence. CISA also added the relevant vulnerabilities to the Known Exploited Vulnerabilities Catalog and issued Emergency Directive 26-03 for US federal civilian agencies.
Who is affected
- organisations running Cisco SD-WAN systems
- public-sector and enterprise network teams responsible for edge infrastructure
- defenders who may need to validate whether exploitation preceded patching
Why it matters
This is the kind of network-edge event that deserves immediate attention because it combines active exploitation, privilege escalation, persistence, and formal emergency direction from CISA. The guidance also reinforces a broader pattern: edge infrastructure and management planes remain attractive targets when patching, hardening, and logging are uneven.
Assessment
Key follow-on points to watch include:
- whether follow-on advisories expand the list of observed tactics or affected product versions
- whether incident disclosures begin attributing compromise to this exploitation cluster
- whether organisations treat forensic collection and threat hunting as mandatory alongside patching
Recommended actions
- review whether the issue is relevant to your environment, suppliers, or exposed systems
- patch, harden, or validate logging and monitoring coverage where applicable
- monitor follow-on developments, especially whether later advisories expand the list of observed tactics or affected product versions, whether incident disclosures begin attributing compromise to this exploitation cluster, and whether forensic collection and threat hunting are treated as mandatory alongside patching