CISA Deadline: US Agency Cisco SD-WAN Flaw Requirements & Solutions

  • CISA issued Emergency Directive 26-03 on February 25, 2026, ordering all Federal Civilian Executive Branch (FCEB) agencies to immediately address actively exploited vulnerabilities in Cisco Catalyst SD-WAN systems.
  • Two critical vulnerabilities — CVE-2026-20127 and CVE-2022-20775 — are being actively exploited by threat actors targeting federal networks right now, with one carrying a perfect 10 CVSS score.
  • Agencies face a hard series of deadlines, including inventory submission, forensic artifact collection, patch application, and final remediation reporting — missing any one of these could leave federal infrastructure exposed.
  • Non-federal organizations are not exempt — CISA strongly urges private sector entities running Cisco SD-WAN systems to apply the same mitigations immediately, as the same threat actors are targeting infrastructure globally.
  • If your agency finds evidence of compromise, the response escalates significantly — including mandatory intrusion reporting to CISA and potential full infrastructure rebuilding after confirmed root access.

Federal agencies are being actively targeted through critical flaws in their Cisco SD-WAN systems, and CISA has issued an emergency directive demanding immediate action across every Federal Civilian Executive Branch agency in the United States.

The threat is not theoretical. CISA confirmed awareness of a live cyber threat campaign exploiting vulnerabilities in Cisco Catalyst SD-WAN infrastructure, which forms the backbone of wide-area networking for many federal agencies. Understanding the full scope of these vulnerabilities, the mandated deadlines, and the exact steps required to remediate them is essential for any network defender working in or around federal systems. NetSec.news covers critical advisories like this one to help defenders stay ahead of fast-moving threats.

Federal Agencies Are Under Attack Right Now

The core issue is straightforward but severe: threat actors have found ways to exploit Cisco Catalyst SD-WAN systems that federal agencies depend on for network connectivity, and they are using that access to move through networks right now.

  • CISA confirmed active exploitation of Cisco SD-WAN vulnerabilities across federal networks
  • The National Security Agency (NSA) co-signed the public alert alongside CISA, signaling the severity level
  • Cisco Catalyst SD-WAN gives attackers broad access to wide-area network control if compromised
  • FCEB agencies were given extremely tight deadlines — measured in days, not weeks
  • Both federal and non-federal organizations running Cisco SD-WAN are at risk

SD-WAN systems are particularly attractive targets because they sit at the intersection of routing, traffic management, and network visibility. Compromising one doesn’t just give an attacker a foothold — it gives them leverage over everything flowing through that network.

CISA classified these vulnerabilities as posing an “unacceptable risk” to Federal Civilian Executive Branch agencies — language that triggers the emergency directive authority and removes any discretion agencies might otherwise have about response timelines.

CVE-2026-20127: The Critical Flaw With a Perfect 10 CVSS Score

CVE-2026-20127 is the more severe of the two vulnerabilities and carries a CVSS score of 10.0 — the maximum possible rating. A perfect 10 CVSS score means the vulnerability is remotely exploitable, requires no authentication, has no complexity barrier, and results in full system compromise. There is no softer way to describe it.

This vulnerability affects Cisco Catalyst SD-WAN systems and allows a threat actor to gain complete control over the targeted device without needing any credentials or prior access to the system. Once exploited, an attacker operating on a device with root-level access can pivot laterally, intercept traffic, alter routing configurations, or establish persistent backdoors that survive reboots and standard remediation attempts.

The reason this carries such weight operationally is that SD-WAN controllers and edge devices often have visibility across the entire network fabric. Root access to one of these systems is functionally equivalent to owning the network.

CVE-2026-20127 at a Glance
CVSS Score: 10.0 (Critical)
Attack Vector: Network (Remote)
Authentication Required: None
Complexity: Low
Impact: Full system compromise, root-level access
Affected Systems: Cisco Catalyst SD-WAN

CVE-2022-20775: The Second Vulnerability Federal Agencies Must Patch

CVE-2022-20775 is the second vulnerability named in Emergency Directive 26-03. While it carries a different severity profile than CVE-2026-20127, its active exploitation in combination with the first vulnerability makes it equally urgent from a patching standpoint. Both must be addressed — treating them as separate, independent issues misses the compounding risk they create when used together by a sophisticated threat actor.

Why Cisco SD-WAN Access Gives Attackers Broad Network Control

Cisco Catalyst SD-WAN systems manage traffic routing, policy enforcement, and network segmentation across wide-area networks. When an attacker gains access at the SD-WAN layer, they don’t just own one device — they gain the ability to observe, redirect, and manipulate traffic across every endpoint and site connected to that SD-WAN fabric. For federal agencies managing sensitive communications and inter-agency data flows, that level of access represents a catastrophic intelligence and operational exposure.

The CISA Emergency Directive 26-03 Deadlines

CISA structured Emergency Directive 26-03 around a series of escalating deadlines that compress the normal remediation window dramatically. These are not suggested timelines — they are mandatory compliance milestones for all FCEB agencies, and failure to meet them requires immediate escalation to agency leadership and reporting back to CISA.

The directive is broken into three distinct phases: initial inventory and forensic collection, patch application, and final remediation reporting. Each phase builds on the last, and skipping ahead without completing prior steps undermines the integrity of the entire response.

What makes this directive particularly demanding is the forensic collection requirement. Agencies aren’t just being asked to patch and move on — they’re being asked to preserve evidence of potential compromise before applying fixes, which requires a coordinated effort between security operations, network engineering, and agency leadership simultaneously.

  • Phase 1: Inventory all Cisco SD-WAN systems and submit to CISA
  • Phase 1: Configure external log storage and collect forensic artifacts
  • Phase 2: Apply all vendor security patches by the Friday 5PM ET deadline
  • Phase 3: Complete final remediation and report status to CISA by March 23, 2026

Thursday Deadline: Inventory Submission and Log Collection

The first hard deadline required agencies to identify every in-scope Cisco SD-WAN system within their environment and submit a complete inventory to CISA. Alongside this, agencies were required to reconfigure their devices to store logs externally — a critical step because local logs on a compromised device can be altered or deleted by an attacker — and collect forensic artifacts including virtual snapshots of the SD-WAN systems.

Friday 5PM ET Deadline: Patch Application Requirements

By Friday at 5PM Eastern Time, all FCEB agencies were required to apply Cisco’s official security updates addressing both CVE-2026-20127 and CVE-2022-20775 across every affected device identified in the inventory phase. Patches must be sourced directly from Cisco and applied according to Cisco’s official guidance — no workarounds or compensating controls satisfy this specific requirement.

March 23, 2026 Deadline: Final Remediation Reporting to CISA

The March 23, 2026 deadline represents the final compliance milestone under ED 26-03. By this date, agencies must have completed all required actions — including hardening steps outlined in CISA’s Supplemental Direction — and submitted a full status report to CISA confirming remediation across their entire Cisco SD-WAN footprint.

What Agencies Must Do Step by Step

The directive lays out a clear sequence of required actions, and the order matters. Jumping straight to patching without first collecting forensic artifacts means potentially destroying evidence of an active compromise that CISA and partner agencies need for threat intelligence and incident response purposes.

Every action in the directive serves a dual purpose: closing the vulnerability window while simultaneously building the forensic picture needed to understand whether exploitation has already occurred. These two goals must be pursued in parallel, not sequentially.

1. Identify All Affected Cisco Catalyst SD-WAN Devices

Start by building a complete, accurate inventory of every Cisco Catalyst SD-WAN device operating within your environment. This means vManage controllers, vBond orchestrators, vSmart controllers, and all SD-WAN edge routers — any component that is part of the Cisco Catalyst SD-WAN fabric is in scope. Do not assume you already have a complete picture; shadow IT, legacy deployments, and decentralized procurement mean most large agencies will find devices they didn’t know were running.

2. Configure External Log Storage and Collect Forensic Artifacts

Before touching a single patch, configure all identified SD-WAN devices to forward logs to an external, tamper-resistant storage location. An attacker with root access to a device can modify or delete local logs — which is exactly why CISA mandated external log storage as a prerequisite step, not an afterthought. Once external logging is confirmed active, collect virtual snapshots and memory artifacts from each device. These forensic artifacts preserve the pre-patch state of the system, which is essential for determining whether exploitation occurred prior to remediation.

3. Apply Cisco’s Official Security Patches

Once forensic artifacts are secured, apply Cisco’s official security updates addressing CVE-2026-20127 and CVE-2022-20775 to every device in your inventory. Patches must come directly from Cisco’s official software repository — not third-party sources, not cached versions of uncertain age. Verify the integrity of each update package using Cisco’s published checksums before deployment.

Patch deployment should follow a tested sequence: controllers first, then edge devices. Applying patches to edge routers before updating the vManage controller can create version mismatches that disrupt SD-WAN fabric connectivity. Cisco’s release notes for each affected version include specific upgrade path guidance that must be followed precisely to avoid compounding the disruption with an unplanned outage.

4. Scan Networks for Active Compromise

Patching closes the door, but it does not evict an attacker who is already inside. After patches are applied, agencies must conduct active threat hunting across their environments using the indicators of compromise and detection signatures published in CISA’s Supplemental Direction ED 26-03. This includes scanning for unauthorized accounts, unexpected outbound connections from SD-WAN infrastructure, anomalous routing table modifications, and any persistence mechanisms that may have been installed prior to patching. Do not treat a clean patch deployment as confirmation that no compromise occurred; patch status and compromise status are separate questions that require separate answers.
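The following added example (not from the article, CISA, or Cisco Talos) shows the shape of the hunt step 4 describes, run over a handful of constructed syslog lines: it flags account creations outside an approved list, outbound connections from SD-WAN hosts to destinations outside an egress allowlist, and next-hop changes that differ from the expected routing baseline. The log line format, hostnames, addresses, allowlists and the `Finding`/`hunt` names are all assumptions made for the demo; the indicators and signatures actually published in CISA’s Supplemental Direction are not reproduced here.

```python
"""Hunt sample syslog for the indicator classes step 4 names: unauthorized
accounts, unexpected outbound connections from SD-WAN infrastructure, and
anomalous routing changes.

Added example. The log line format, hosts, addresses and allowlists below are
constructed for illustration and are not Cisco's syslog format or CISA's IOCs;
point the regexes at your real SIEM fields and load the published IOCs."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample log lines (timestamp host facility: message).
SAMPLE_LOGS = """\
2026-02-25T03:12:44Z vmanage-01 aaa: user 'svc_backup' created by 'admin' role=netadmin
2026-02-25T03:13:02Z vmanage-01 conn: outbound tcp 10.20.0.5:51234 -> 10.20.9.8:443 state=established
2026-02-25T03:14:10Z vmanage-01 conn: outbound tcp 10.20.0.5:51240 -> 203.0.113.77:8443 state=established
2026-02-25T03:15:00Z vedge-17 route: prefix 10.50.0.0/16 next-hop changed 10.20.1.1 -> 10.20.1.250 by=api
2026-02-25T03:16:30Z vmanage-01 aaa: user 'operator2' login ok role=operator
""".splitlines()

# Baselines a defender maintains (constructed here): approved accounts, the
# networks SD-WAN controllers are expected to talk to, and expected next hops.
APPROVED_ACCOUNTS = {"admin", "operator2", "svc_monitor"}
ALLOWED_EGRESS = [ip_network("10.20.0.0/16"), ip_network("192.0.2.0/24")]
EXPECTED_NEXT_HOPS = {"10.50.0.0/16": "10.20.1.1"}

ACCOUNT_RE = re.compile(r"aaa: user '(?P<user>[^']+)' created by '(?P<by>[^']+)' role=(?P<role>\S+)")
CONN_RE = re.compile(r"conn: outbound \w+ \S+ -> (?P<dst>[\d.]+):(?P<port>\d+)")
ROUTE_RE = re.compile(r"route: prefix (?P<prefix>\S+) next-hop changed (?P<old>\S+) -> (?P<new>\S+)")


@dataclass(frozen=True)
class Finding:
    kind: str    # unauthorized-account | unexpected-egress | route-change
    host: str
    detail: str


def hunt(lines, approved_accounts=APPROVED_ACCOUNTS, allowed_egress=ALLOWED_EGRESS,
         expected_next_hops=EXPECTED_NEXT_HOPS):
    """Return one Finding per line that deviates from the baselines."""
    findings = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue                      # skip blank or malformed lines
        host, body = parts[1], parts[2]
        if m := ACCOUNT_RE.search(body):
            # Any account creation outside the approved set is a lead, whoever
            # created it: an intruder with root access can act as 'admin'.
            if m["user"] not in approved_accounts:
                findings.append(Finding("unauthorized-account", host,
                                        f"{m['user']} created by {m['by']} role={m['role']}"))
        elif m := CONN_RE.search(body):
            dst = ip_address(m["dst"])
            if not any(dst in net for net in allowed_egress):
                findings.append(Finding("unexpected-egress", host, f"to {dst}:{m['port']}"))
        elif m := ROUTE_RE.search(body):
            expected = expected_next_hops.get(m["prefix"])
            if expected is not None and m["new"] != expected:
                findings.append(Finding("route-change", host,
                                        f"{m['prefix']} next-hop {m['old']} -> {m['new']}"))
    return findings


def summarize(findings):
    """Count findings by kind, for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"[{f.kind}] {f.host}: {f.detail}")
```

The regexes are kept separate from the decision logic so each can be swapped for your SIEM’s field names without touching the baselines. Every hit is a lead to investigate, not a verdict; as the article says, even a partial match against the published TTPs warrants full incident response rather than reassurance.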

5. Harden Cisco SD-WAN Devices Using CISA Guidance

The final mandatory step goes beyond patching. CISA’s Supplemental Direction ED 26-03 includes specific hardening guidance for Cisco SD-WAN systems that agencies must implement to reduce attack surface going forward. This covers access control configurations, management plane restrictions, authentication hardening, and logging requirements that should have been in place before this incident — and must be locked in now. Agencies that implement these hardening measures are significantly more resistant to future exploitation attempts targeting the same infrastructure class.

Who Is Behind the Active Exploitation

CISA and the NSA, alongside partner agencies, publicly attributed the exploitation activity to a threat actor tracked as UAT-8616. This is a sophisticated, likely nation-state-affiliated group that has been conducting a coordinated global campaign targeting Cisco SD-WAN infrastructure. The level of technical sophistication demonstrated — exploiting a CVSS 10.0 vulnerability with precision, maintaining persistence, and operating across multiple federal targets — is consistent with a well-resourced adversary with specific intelligence collection objectives.

What makes UAT-8616 particularly dangerous is not just the vulnerability they exploited, but how they operated after gaining access. Based on Cisco Talos Intelligence findings, the group demonstrated a clear understanding of SD-WAN architecture internals, meaning they knew exactly which components to target to maximize their visibility into network traffic while minimizing the chance of detection. This is not opportunistic scanning — it is a deliberate, informed campaign against specific high-value infrastructure.

International Agencies Supporting the Response

The response to the Cisco SD-WAN exploitation campaign is not limited to US agencies. CISA coordinated the public alert and guidance release with international cybersecurity partners, reinforcing that this threat extends beyond US federal networks. The involvement of multiple national cybersecurity agencies signals that UAT-8616’s targeting extends across allied nations running similar Cisco SD-WAN infrastructure, and that the hardening and detection guidance published under ED 26-03 is directly applicable to non-US government and private sector organizations operating the same systems worldwide.

How to Harden Cisco SD-WAN Systems Against Future Attacks

Patching the two CVEs named in ED 26-03 is the floor, not the ceiling, of what needs to happen to secure Cisco SD-WAN infrastructure. The hardening steps outlined in CISA’s supplemental guidance address the broader attack surface that made these systems exploitable in the first place — and implementing them now dramatically reduces the risk of the next vulnerability becoming another emergency directive.

Cisco’s Catalyst SD-WAN Hardening Guide: Key Recommendations

Cisco’s official hardening guidance for Catalyst SD-WAN systems focuses on reducing the management plane attack surface, enforcing strong authentication, and ensuring comprehensive visibility through logging. The management plane — the interface through which administrators configure and monitor SD-WAN devices — is the most common entry point for attackers because it is both powerful and, in many deployments, insufficiently protected.

Strong authentication is non-negotiable at this point. Any Cisco SD-WAN deployment still relying on default credentials, single-factor authentication for vManage access, or broad administrative access without role-based controls is operating with a fundamentally indefensible configuration. These are not advanced hardening steps — they are baseline security hygiene that should have been implemented at deployment.

  • Restrict management plane access to dedicated, out-of-band management networks with explicit IP allowlisting
  • Enforce multi-factor authentication on all vManage, vBond, and vSmart controller access without exception
  • Disable unused services and interfaces on all SD-WAN edge devices to reduce the exposed attack surface
  • Implement role-based access control (RBAC) so administrative privileges are scoped to the minimum required for each user function
  • Enable comprehensive syslog forwarding to an external SIEM platform with tamper-evident storage
  • Rotate all credentials on SD-WAN infrastructure immediately, including service accounts and API keys
  • Validate software integrity using Cisco’s Software Integrity Verification tools after every patch cycle

These controls work together as a layered defense. Restricting management access limits who can reach the attack surface; strong authentication limits who can authenticate even if they reach it; RBAC limits what damage an authenticated attacker can do; and comprehensive logging ensures that any anomalous activity is captured and visible to defenders regardless of how access was gained.
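As an added illustration (not Cisco’s or CISA’s tooling), the script below turns the seven-point checklist above into an audit that compares a controller’s exported settings against each control and reports what is missing, with a weakly configured controller beside its hardened counterpart. The settings dictionary, the role name `netadmin`, the 90-day rotation window and the `audit` function are assumptions made for the demo rather than Cisco’s configuration schema; map each key to the corresponding vManage, vBond or vSmart setting in your environment.

```python
"""Audit an SD-WAN controller's exported settings against the seven hardening
controls listed above and report which are missing.

Added example. The settings dictionary is a constructed abstraction for the
demo, not Cisco's configuration schema."""
from datetime import date

MAX_CREDENTIAL_AGE_DAYS = 90       # assumed rotation policy for this example
FULL_ADMIN_ROLE = "netadmin"       # constructed role name

# Constructed export of a weakly configured controller: every control fails.
WEAK_CONFIG = {
    "hostname": "vmanage-01",
    "mgmt_allowlist": [],                         # empty: reachable from anywhere
    "mfa_required": False,
    "enabled_services": ["https", "ssh", "netconf", "telnet", "http"],
    "required_services": ["https", "ssh", "netconf"],
    "users": [{"name": "admin", "role": "netadmin"},
              {"name": "helpdesk", "role": "netadmin"}],
    "syslog_remote_targets": [],
    "credential_rotated_on": "2025-06-01",
    "image_integrity_verified": False,
}

# The same controller after applying the checklist.
HARDENED_CONFIG = {
    "hostname": "vmanage-01",
    "mgmt_allowlist": ["10.99.0.0/24"],           # out-of-band management net
    "mfa_required": True,
    "enabled_services": ["https", "ssh", "netconf"],
    "required_services": ["https", "ssh", "netconf"],
    "users": [{"name": "admin", "role": "netadmin"},
              {"name": "helpdesk", "role": "operator"}],
    "syslog_remote_targets": ["siem.example.internal:6514"],
    "credential_rotated_on": "2026-02-25",
    "image_integrity_verified": True,
}


def audit(cfg, today, max_age=MAX_CREDENTIAL_AGE_DAYS):
    """Return a list of (control, finding) tuples; an empty list means the
    configuration satisfies every control. `today` is an ISO date string so
    the result is reproducible."""
    findings = []
    if not cfg["mgmt_allowlist"]:
        findings.append(("mgmt-allowlist", "management plane accepts connections from any source"))
    if not cfg["mfa_required"]:
        findings.append(("mfa", "multi-factor authentication not enforced"))
    unused = sorted(set(cfg["enabled_services"]) - set(cfg["required_services"]))
    if unused:
        findings.append(("unused-services", "disable " + ", ".join(unused)))
    admins = [u["name"] for u in cfg["users"] if u["role"] == FULL_ADMIN_ROLE]
    if len(admins) > 1:
        findings.append(("rbac", "full-admin role held by " + ", ".join(admins)))
    if not cfg["syslog_remote_targets"]:
        findings.append(("remote-syslog", "logs only stored locally on the device"))
    age = (date.fromisoformat(today) - date.fromisoformat(cfg["credential_rotated_on"])).days
    if age > max_age:
        findings.append(("credential-rotation", f"credentials last rotated {age} days ago"))
    if not cfg["image_integrity_verified"]:
        findings.append(("software-integrity", "running image not verified after last patch cycle"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg, today="2026-02-26"))
```

Running the audit on every controller after each patch cycle, and diffing the output against the previous run, turns the checklist into something that can be enforced rather than a one-time exercise.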

Cisco Talos Intelligence Findings on UAT-8616 Activity

Cisco Talos Intelligence provided detailed technical findings on UAT-8616’s tactics, techniques, and procedures (TTPs) that are directly relevant to defenders hunting for signs of compromise in their SD-WAN environments. Talos researchers identified that UAT-8616 demonstrated deep familiarity with Cisco SD-WAN’s internal architecture, using their access to target specific data flows rather than conducting broad, noisy network sweeps that would trigger standard anomaly detection.

The persistence mechanisms observed by Talos are particularly concerning because they were designed to survive standard remediation steps — including some patch deployments that don’t fully wipe device state. Agencies that patched without first confirming the absence of these persistence mechanisms may have closed the initial entry point while leaving an established attacker presence intact.

  • UAT-8616 targeted vManage controllers as the primary initial access vector due to their centralized management authority over the entire SD-WAN fabric
  • The group established persistent access using implants designed to survive device reboots and standard software updates
  • Lateral movement from compromised SD-WAN controllers to connected network segments was observed in multiple confirmed intrusions
  • Traffic interception capabilities were deployed on compromised edge devices, allowing passive collection of data transiting the SD-WAN fabric
  • Talos identified specific indicators of compromise (IOCs) published in coordination with the CISA advisory that defenders should use for active threat hunting

If any of these TTPs match activity observed in your environment — even partially — treat it as a confirmed compromise requiring full incident response, not just accelerated patching. A partial match is not reassurance; it is a signal that a thorough investigation is needed immediately.

What Happens If Agencies Find Evidence of Compromise

Finding evidence of compromise during the remediation process changes everything. The response shifts immediately from a patching exercise to a full incident response operation, and the steps required become significantly more intensive, more resource-demanding, and more consequential for the agency’s ongoing operations.

The critical mistake agencies make at this stage is continuing to treat a confirmed or suspected compromise as primarily a technical problem to be solved quietly by the network team. It is not. Once compromise indicators are confirmed, agency leadership must be notified, CISA must be contacted, and the incident response process must be activated — regardless of how inconvenient the timing or how uncertain the initial evidence appears.

Immediate Actions Upon Discovering Evidence of Compromise

Step 1 — Preserve: Do not alter, delete, or patch over any system showing signs of compromise before forensic imaging is complete.

Step 2 — Isolate: Segment the compromised SD-WAN components from the broader network fabric to prevent further lateral movement while maintaining visibility.

Step 3 — Notify: Report the intrusion to CISA immediately — this is mandatory under Emergency Directive 26-03, not optional.

Step 4 — Engage: Activate your agency’s incident response plan and, where needed, request CISA’s incident response assistance.

Step 5 — Hunt: Extend threat hunting beyond SD-WAN infrastructure to all network segments the compromised devices had visibility into or routing authority over.

The forensic artifacts collected in the early phases of ED 26-03 compliance — the virtual snapshots, external logs, and memory captures — become the foundation of your incident response at this stage. Agencies that skipped or rushed through the forensic collection phase will find themselves trying to reconstruct attacker activity from incomplete evidence, which significantly hampers the ability to determine the full scope of what was accessed or exfiltrated.

Rebuilding Infrastructure After Confirmed Root Access

If forensic analysis confirms that UAT-8616 or any other threat actor achieved root-level access to Cisco SD-WAN infrastructure, the remediation bar rises substantially above patching. Root access means the attacker had the ability to modify firmware, install persistent implants below the operating system level, alter cryptographic keys, and tamper with device configurations in ways that standard patch deployments do not address or detect.

In practice, confirmed root access to SD-WAN infrastructure means the affected devices cannot be trusted after patching alone. The only path to a verified clean state is a complete rebuild: factory reset of all affected devices, fresh installation of validated Cisco software obtained directly from Cisco’s secure download portal with integrity verification, and complete reconfiguration from a known-good baseline — not from configuration backups that may themselves contain attacker-modified settings.

This is operationally painful, particularly for agencies where SD-WAN infrastructure underpins critical communication links. But operating on infrastructure with confirmed prior root access — even after patching — means operating on a foundation you cannot verify. The risk of persistent attacker presence outweighs the operational disruption of a complete rebuild, which is why CISA’s guidance treats confirmed root access as a trigger for infrastructure replacement rather than remediation.

Mandatory Intrusion Reporting to CISA

Emergency Directive 26-03 is explicit: any agency that discovers evidence of intrusion through the forensic collection and threat hunting process must report that intrusion to CISA immediately. This is not a courtesy notification — it is a mandatory compliance requirement under the directive, and it serves the broader purpose of enabling CISA to build an accurate picture of the campaign’s scope, refine detection guidance, and deploy response resources to agencies that need them. Agencies that identify compromise and delay reporting compound both the risk to their own networks and the risk to every other agency that could benefit from faster, more complete threat intelligence.

Non-Federal Organizations Face the Same Threat

Emergency Directive 26-03 legally applies only to Federal Civilian Executive Branch agencies — but CISA, the NSA, and their international partners were unambiguous in their public guidance: non-federal organizations running Cisco Catalyst SD-WAN systems face the same threat from the same threat actor and should treat the directive’s required actions as a direct, urgent recommendation for their own environments. UAT-8616 is not limiting its targeting to federal networks. Any organization operating Cisco Catalyst SD-WAN infrastructure — state and local governments, critical infrastructure operators, financial institutions, healthcare networks, and private sector enterprises — should apply the same patches, conduct the same forensic collection, implement the same hardening measures, and perform the same threat hunting detailed in ED 26-03 and its supplemental guidance. The vulnerabilities do not care whether you are a federal agency or a private company.

Frequently Asked Questions

The following questions address the most common points of confusion around CISA Emergency Directive 26-03, the Cisco SD-WAN vulnerabilities, and the required response actions for both federal and non-federal organizations.

What is CISA Emergency Directive 26-03?

CISA Emergency Directive 26-03, formally titled “Mitigate Vulnerabilities in Cisco SD-WAN Systems,” is a mandatory directive issued by the Cybersecurity and Infrastructure Security Agency on February 25, 2026, ordering all Federal Civilian Executive Branch agencies to immediately address actively exploited critical vulnerabilities in Cisco Catalyst SD-WAN infrastructure.

The directive was triggered by confirmed active exploitation of these vulnerabilities by the threat actor UAT-8616 against federal networks, with CISA determining that the vulnerabilities posed an “unacceptable risk” to FCEB agencies — the legal threshold required to invoke emergency directive authority. It establishes a series of mandatory deadlines for inventory, forensic collection, patching, hardening, and final reporting to CISA.

Which Cisco devices are affected by the SD-WAN vulnerabilities?

The affected devices are components of the Cisco Catalyst SD-WAN architecture. This includes Cisco vManage controllers, vBond orchestrators, vSmart controllers, and Cisco Catalyst SD-WAN edge routers operating within the SD-WAN fabric.

Agencies and organizations should not assume that only devices they actively monitor are in scope. Any device that is part of a Cisco Catalyst SD-WAN deployment — including older devices, backup controllers, or edge devices at remote sites that receive less regular administrative attention — must be included in the inventory and remediation process.

Cisco’s official security advisories for CVE-2026-20127 and CVE-2022-20775 contain the complete list of affected software versions and hardware platforms, and agencies should cross-reference their device inventory directly against those advisories rather than relying on generalized descriptions of affected systems.
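The cross-referencing this paragraph calls for is easy to get wrong by hand (string comparison puts release 1.2.10 before 1.2.9, and a train with no fixed release needs a migration rather than an upgrade). The added example below, which is not Cisco’s or CISA’s code, takes a Phase 1 inventory and an advisory-style fixed-version table and produces a remediation list ordered controllers first, then edge devices, as step 3 requires. `FIXED_VERSIONS` and `INVENTORY` are constructed placeholders, not the real affected or fixed releases for CVE-2026-20127 or CVE-2022-20775; replace them with the fixed-version table from Cisco’s advisory and your own inventory.

```python
"""Cross-reference a device inventory against an advisory's fixed-version
table and produce a patch order with controllers before edge devices.

Added example. FIXED_VERSIONS and INVENTORY are constructed placeholders and
are NOT the real affected or fixed releases for CVE-2026-20127 or
CVE-2022-20775."""
import re

# Placeholder table: release train -> first fixed release in that train.
# A train absent from the table has no fixed release and must be migrated.
FIXED_VERSIONS = {
    "1.1": "1.1.9",
    "1.2": "1.2.4",
    "1.3": "1.3.2",
}

# Placeholder inventory of the kind submitted in Phase 1.
INVENTORY = [
    {"hostname": "vmanage-01", "role": "controller", "version": "1.2.3"},
    {"hostname": "vsmart-01", "role": "controller", "version": "1.2.4"},
    {"hostname": "vedge-17", "role": "edge", "version": "1.1.9"},
    {"hostname": "vedge-42", "role": "edge", "version": "1.0.7"},
    {"hostname": "vedge-43", "role": "edge", "version": "1.3.1"},
]


def parse_version(text):
    """'1.2.10' -> (1, 2, 10); numeric comparison, so 1.2.10 > 1.2.9."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def train_of(version):
    """Release train is the first two components: '1.2.3' -> '1.2'."""
    return ".".join(version.split(".")[:2])


def assess(device, fixed=FIXED_VERSIONS):
    """Return (status, target): 'fixed', 'upgrade' to target, or 'migrate'
    when the train has no fixed release at all."""
    train = train_of(device["version"])
    if train not in fixed:
        return "migrate", None
    target = fixed[train]
    if parse_version(device["version"]) >= parse_version(target):
        return "fixed", target
    return "upgrade", target


def remediation_plan(inventory, fixed=FIXED_VERSIONS):
    """List devices still needing action, controllers first, then edges,
    preserving inventory order within each tier."""
    tier = {"controller": 0, "edge": 1}
    pending = []
    for dev in inventory:
        status, target = assess(dev, fixed)
        if status != "fixed":
            pending.append((tier.get(dev["role"], 2), dev["hostname"], status, target))
    pending.sort(key=lambda p: p[0])   # stable sort keeps inventory order per tier
    return [(host, status, target) for _, host, status, target in pending]


if __name__ == "__main__":
    for host, status, target in remediation_plan(INVENTORY):
        print(f"{host}: {status}" + (f" to {target}" if target else ""))
```

A device whose train has no fixed release shows up as `migrate`, which is the case that most often slips through a patch campaign: there is nothing to install on the current train, so it has to be re-planned rather than queued.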

What is CVE-2026-20127 and why is it rated a perfect 10?

CVE-2026-20127 is a critical vulnerability in Cisco Catalyst SD-WAN systems that carries a CVSS score of 10.0 — the maximum severity rating in the Common Vulnerability Scoring System. A score of 10.0 is assigned when a vulnerability is remotely exploitable over a network connection, requires no authentication or user interaction, has low attack complexity, and results in complete compromise of confidentiality, integrity, and availability of the affected system.

In practical terms, CVE-2026-20127 means an unauthenticated remote attacker can gain root-level access to affected Cisco Catalyst SD-WAN devices without needing any credentials, any special tools, or any assistance from an insider. That combination of factors — remote, unauthenticated, low complexity, full impact — is precisely why CVSS reserves a score of 10.0 for vulnerabilities like this one, and why CISA treated it as the trigger for an emergency directive rather than a standard patch advisory.

Do private sector organizations need to comply with CISA Emergency Directive 26-03?

Legally, Emergency Directive 26-03 applies exclusively to Federal Civilian Executive Branch agencies and does not carry mandatory compliance authority over private sector, state, local, tribal, or territorial governments, or non-US organizations. However, CISA, the NSA, and their international cybersecurity partners explicitly and strongly urged all organizations operating Cisco Catalyst SD-WAN infrastructure to apply the same mitigations immediately, regardless of their sector or jurisdiction. The threat actor UAT-8616 is conducting a global campaign, and the vulnerabilities being exploited exist in the same Cisco software regardless of who owns the hardware running it.

Where can agencies find Cisco’s official patches for the SD-WAN vulnerabilities?

Cisco’s official security patches for CVE-2026-20127 and CVE-2022-20775 are available through Cisco’s Software Download Center, accessible to organizations with active Cisco service contracts and Smart Licensing entitlements. Security advisories published by Cisco’s Product Security Incident Response Team (PSIRT) for each CVE contain direct links to the applicable software releases, along with fixed version tables that map each affected version to its corresponding patched release.

Before downloading any patch, verify that the source is Cisco’s official platform — not a mirror, third-party repository, or cached version of uncertain provenance. After downloading, use Cisco’s published SHA-512 checksums to verify the integrity of the update package before deployment. This step is not optional: an attacker who anticipated aggressive patching activity could theoretically position malicious software update packages in locations where rushed administrators might retrieve them.
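The checksum verification required here and in step 3 above is shown in the added example below, which is not Cisco’s tooling: it streams each downloaded package through SHA-512, parses a `sha512sum`-style listing of published digests, and reports every listed package as intact, mismatched, or never downloaded. The packages and the listing are constructed in a temporary directory so the script runs offline; in practice the digests in the listing are the values shown on Cisco’s advisory or download page, and the `verify_downloads` and `demo` names are assumptions made for the demo.

```python
"""Verify downloaded update packages against a published SHA-512 listing
before deployment.

Added example, not Cisco's tooling. The packages and checksum listing are
constructed in a temporary directory so the script runs offline."""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024


def sha512_of_file(path):
    """Stream the file so multi-gigabyte images need not fit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_listing(text):
    """Parse 'sha512sum'-style lines ('<hex>  <filename>') into {filename: hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, filename = line.partition(" ")
        expected[filename.strip().lstrip("*")] = digest.lower()
    return expected


def verify_downloads(directory, listing_text):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every listed package."""
    results = {}
    for filename, published in parse_checksum_listing(listing_text).items():
        path = os.path.join(directory, filename)
        if not os.path.isfile(path):
            results[filename] = "missing"
            continue
        actual = sha512_of_file(path)
        # compare_digest avoids leaking where the two strings first differ
        results[filename] = "ok" if hmac.compare_digest(actual, published) else "mismatch"
    return results


def demo():
    """Constructed packages: one intact, one altered after the digest was
    published, one listed but never downloaded."""
    good = b"constructed sample image A, not a Cisco image\n" * 4096
    altered = b"constructed sample image B, not a Cisco image\n" * 4096
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "pkg-a.bin"), "wb") as fh:
            fh.write(good)
        with open(os.path.join(d, "pkg-b.bin"), "wb") as fh:
            fh.write(altered + b"extra bytes appended after publication\n")
        listing = "\n".join([
            "# constructed listing, not Cisco's",
            f"{hashlib.sha512(good).hexdigest()}  pkg-a.bin",
            f"{hashlib.sha512(altered).hexdigest()}  pkg-b.bin",
            f"{hashlib.sha512(b'never downloaded').hexdigest()}  pkg-c.bin",
        ])
        return verify_downloads(d, listing)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

A `mismatch` result means the package is not deployed, full stop; the file is kept as evidence and re-downloaded from Cisco’s official portal, since the difference may be a corrupt transfer or the substituted package the paragraph above warns about.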

Agencies without active Cisco service contracts that are having difficulty accessing patches should contact CISA directly for assistance coordinating access to the required software updates. CISA has established support pathways specifically for situations where compliance with emergency directives is blocked by licensing or access barriers, and no agency should allow a procurement or licensing issue to delay patching when actively exploited critical vulnerabilities are involved.
