• Immediate Action Required: CISA Issues Emergency Directive to Secure Cisco SD-WAN Systems WASHINGTON - The Cybersecurity and Infrastructure Security Agency (CISA) today issued Emergency Directive (ED) 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems and Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems, in response to a significant cyber threat targeting federal networks utilizing certain Cisco systems and software • CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require immediate action • “CISA remains unwavering in its commitment to protect our federal networks from malicious cyber threat actors despite the multi-week government shutdown of the Department of Homeland Security (DHS),” said CISA Acting Director Dr • “Operational disruptions create strain and uncertainty, give our adversaries unnecessary advantages, and forces our frontline cybersecurity experts to carry out critical work without pay • Based on collaboration with international partners and CISA’s forensic analysis, the ease with which these vulnerabilities can be exploited demands

Article Summaries:

  • Immediate Action Required: CISA Issues Emergency Directive to Secure Cisco SD-WAN Systems WASHINGTON - The Cybersecurity and Infrastructure Security Agency (CISA) today issued Emergency Directive (ED) 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems and Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems, in response to a significant cyber threat targeting federal networks utilizing certain Cisco systems and software. CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require
  • Cisco Talos is tracking the active exploitation of CVE-2026-20127, a vulnerability in Cisco Catalyst SD-WAN Controller, formerly vSmart, that allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on the affected system by sending a crafted request to an affected system. Successful exploitation may allow the attacker to gain administrative privileges on the Controller as an internal, high privileged, non-root, user account. Talos clusters this exploitation and subsequent post-compromise activity as “UAT-8616” whom we assess with high confidence
  • Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add malicious rogue peers to targeted networks. CVE-2026-20127 has a maximum severity of 10.0 and impacts Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-prem and SD-WAN Cloud installations. Cisco credited the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) for reporting the vulner

Sources: