{"id":15867,"date":"2026-02-25T22:52:31","date_gmt":"2026-02-25T22:52:31","guid":{"rendered":"https:\/\/newestek.com\/?p=15867"},"modified":"2026-02-25T22:52:31","modified_gmt":"2026-02-25T22:52:31","slug":"five-eyes-issue-emergency-directive-on-exploited-cisco-sd-wan-zero-day","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15867","title":{"rendered":"Five Eyes issue emergency directive on exploited Cisco SD-WAN zero-day"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Cybersecurity agencies across the Five Eyes alliance have issued an emergency directive<\/a> warning that a critical Cisco SD-WAN vulnerability is being actively exploited to gain unauthorized access to federal networks.<\/p>\n

Officials confirmed that threat actors are targeting core SD-WAN control systems \u2014infrastructure that manages traffic across government and enterprise networks \u2014 and urged organizations to patch affected devices immediately.<\/p>\n

Cisco\u2019s Talos threat intelligence group disclosed that attackers have been exploiting a previously unknown vulnerability<\/a> affecting Cisco Catalyst SD-WAN controllers, tracked as CVE-2026-20127<\/a>. The flaw allows an unauthenticated attacker to bypass authentication controls and gain administrative-level access to vulnerable SD-WAN control plane components.<\/p>\n

Talos said the activity is associated with a threat cluster it tracks as UAT-8616, and that evidence suggests exploitation may have begun as early as 2023. Successful exploitation would allow attackers to manipulate controller-to-device communications, alter network configurations, and potentially establish persistent access within enterprise environments.<\/p>\n

Attackers are attempting active exploitation<\/h2>\n

Nick Andersen<\/a>, executive assistant director for cybersecurity at the US Cybersecurity and Infrastructure Security Agency, said during a media briefing that threat actors are actively attempting to access and potentially compromise federal networks through exploitation of the flaw, but did not identify which agencies were affected.<\/p>\n

He also warned that the activity appears to be increasing. \u201cWe continue to see the volumetric increase in both threat actor behavior and the extension of the attack surface that they\u2019re targeting,\u201d Andersen said, adding that CISA is in the early stages of remediating the vulnerability. \u201cIt\u2019s a far-reaching activity that we\u2019ve seen and the persistent commitment of the cyber threat actor to both take advantage of SD-WAN and other technologies sort of continues to evolve within the space.\u201d<\/p>\n

CISA is not currently attributing the activity to a specific threat actor, Andersen noted.<\/p>\n

Software updates available<\/h2>\n

SD-WAN controllers play a central role in orchestrating traffic across distributed enterprise networks, including branch offices and cloud environments. Compromise at the controller level could provide attackers with broad visibility and control across large portions of an organization\u2019s network infrastructure.<\/p>\n

In a separate security advisory, Cisco confirmed the vulnerability<\/a> and released software updates to address it. According to the company, the flaw stems from insufficient validation of authentication requests within the SD-WAN peering process. An attacker sending specially crafted traffic could gain unauthorized access to the system and interact with internal interfaces.<\/p>\n

Cisco said there are no workarounds for the vulnerability and urged customers to apply available patches immediately. The company also recommended reviewing system logs, validating controller integrity, and implementing additional hardening measures where possible.<\/p>\n

CISA and other Five Eyes agencies advise organizations operating Cisco SD-WAN systems to prioritize patch deployment and conduct thorough compromise assessments to determine whether exploitation has already occurred.<\/p>\n

CISA and the authoring organizations strongly urge network defenders to take the following steps immediately:<\/p>\n