- CISA has issued an emergency directive ordering federal agencies to patch critical vulnerabilities in Cisco Catalyst SD-WAN Manager and Controller devices by 5 p.m. ET on Friday, February 27, 2026.
- The authentication-bypass flaw affecting Cisco Catalyst SD-WAN Controller is already being actively exploited by a known threat actor — this is not a theoretical risk.
- Six total vulnerabilities are involved, including five additional flaws in Cisco Catalyst SD-WAN Manager discovered during the investigation of the primary Controller flaw.
- This threat extends beyond federal networks — private businesses running Cisco SD-WAN systems are equally at risk, and a five-nation advisory has urged global action.
- Keep reading to understand exactly what the directive requires, which devices are affected, and what steps non-federal organizations should take right now.
A critical Cisco vulnerability is being actively exploited right now — and federal agencies have days, not weeks, to respond.
The Cybersecurity and Infrastructure Security Agency issued an emergency directive on February 25, 2026, targeting vulnerabilities in Cisco Catalyst SD-WAN systems. The directive gives federal civilian agencies an extremely tight window to act. The National Security Agency has co-signed the alert, and cyber agencies from Australia, Canada, New Zealand, and the United Kingdom have added their voices — a rare five-nation coordination that signals just how serious this threat is.
Federal Agencies Have Until Sunday to Patch a Critical Cisco Flaw
CISA’s Emergency Directive 26-03 lays out a multi-step response plan with hard deadlines. Federal agencies were required to identify all covered Cisco devices, report them to CISA, and begin collecting log data by the end of Thursday, February 26. The patch deadline is 5 p.m. Eastern Time on Friday, February 27. A final hardening report is due to CISA by March 12, 2026.
What Is the Cisco SD-WAN Flaw and Why Is It Max-Severity?
Cisco Catalyst SD-WAN is a widely deployed enterprise networking solution used to manage wide-area networks across distributed locations — including federal government infrastructure. The system relies on two core components: the Cisco Catalyst SD-WAN Controller, which manages traffic routing and policy, and the Cisco Catalyst SD-WAN Manager, which provides centralized visibility and configuration control. Both are now confirmed vulnerable.
The primary flaw is an authentication-bypass vulnerability in the Cisco Catalyst SD-WAN Controller. According to Cisco’s own advisory, this flaw “could allow an unauthenticated, remote attacker to bypass authentication” on affected systems. In plain terms — an attacker doesn’t need credentials. They can walk straight in.
The Two Vulnerabilities Affecting Cisco Catalyst SD-WAN Devices
There are two distinct vulnerability advisories at the center of this directive. The first covers the authentication-bypass flaw in the Cisco Catalyst SD-WAN Controller (tracked under Cisco Security Advisory cisco-sa-sdwan-authbp-qwCX8D4v). The second addresses a separate but related vulnerability in the Cisco Catalyst SD-WAN Manager (tracked under cisco-sa-sdwan-rpa-EHchtZk). While investigating the Controller flaw, Cisco’s team uncovered five additional vulnerabilities in the SD-WAN Manager — bringing the total number of patched flaws to six across these two devices.
Why “Max-Severity” Is Not an Exaggeration Here
The authentication-bypass designation alone puts this in a critical category. But the real danger is in how these vulnerabilities chain together. An attacker who bypasses authentication on the Controller gains a foothold that can be used to pivot through the SD-WAN Manager, potentially compromising the entire network management layer. CISA explicitly described the exploitation activity as “an imminent threat to federal networks.”
CISA’s official language from Emergency Directive 26-03: CISA is “aware of a cyber threat actor’s ongoing exploitation” of vulnerabilities in Cisco Catalyst SD-WAN Manager and Catalyst SD-WAN Controller devices, calling the activity “an imminent threat to federal networks.”
Which Cisco Devices Are Affected
The two products directly named in both CISA’s directive and Cisco’s advisories are the Cisco Catalyst SD-WAN Controller and the Cisco Catalyst SD-WAN Manager. Any federal agency — or private organization — running these devices should treat them as compromised until patched and verified clean. CISA has not published a version-specific exclusion list, meaning all deployments of these systems should be evaluated immediately.
What CISA’s Emergency Directive Actually Requires
The directive isn’t just a patch notice — it’s a structured incident response protocol with five distinct phases and specific deadlines attached to each. Federal agencies must move through each step in sequence, and CISA will report compliance results to senior government officials by May 1, 2026.
Step 1: Identify All Covered Cisco Devices and Report to CISA by Thursday
The first requirement was to build a complete inventory of all Cisco Catalyst SD-WAN Controller and Manager devices across agency networks and submit that inventory to CISA by the end of Thursday, February 26. This step is foundational — you cannot patch or harden what you haven’t identified. Agencies were also required to ensure all SD-WAN systems were configured to store logs externally before this deadline passed.
Step 2: Collect Log Data From Affected Devices by Thursday
Alongside the inventory requirement, agencies were directed to collect forensic artifacts and log data from all identified Cisco SD-WAN devices by the end of Thursday, February 26. This step exists for a critical reason — active exploitation was already underway when the directive was issued, meaning some agency devices may have been compromised before patching even began. Logs collected before patching preserve the forensic evidence needed to determine whether a breach occurred.
Step 3: Apply Cisco’s Patches Before 5 p.m. ET on Friday, February 27
The core patching deadline is 5 p.m. Eastern Time on Friday, February 27, 2026. Agencies must apply Cisco’s official patches addressing both the authentication-bypass flaw in the Catalyst SD-WAN Controller and the five additional vulnerabilities in the Catalyst SD-WAN Manager. Cisco has published patches under two separate advisories — cisco-sa-sdwan-authbp-qwCX8D4v for the Controller and cisco-sa-sdwan-rpa-EHchtZk for the Manager — and both must be applied to consider the remediation complete.
Step 4: Scan Networks for Signs of Compromise After Patching
Patching closes the door, but it doesn’t tell you who already walked through it. CISA requires agencies to conduct a thorough analysis of their networks for indicators of compromise after applying the patches. This includes reviewing the log data collected in Step 2 against known threat actor behaviors associated with this campaign.
If any intrusion is detected during this analysis, agencies are required to report it directly to CISA immediately. This reporting requirement isn’t optional — it’s a mandatory step embedded in the directive itself. The goal is to give CISA a full picture of how far the threat actor may have penetrated federal infrastructure.
Agencies that find no evidence of compromise still cannot skip this step. A clean scan result must be documented and retained as part of the agency’s compliance record for this directive.
Step 5: Harden Cisco SD-WAN Devices Using CISA’s Published Guidance
After patching and scanning, agencies must apply hardening configurations to their Cisco SD-WAN systems using the specific guidance CISA published alongside the emergency directive. This hardening guidance addresses configuration weaknesses that go beyond the patched vulnerabilities — closing additional attack surface that threat actors could use even after the known flaws are remediated.
A final report on all hardening actions taken must be submitted to CISA by March 12, 2026. CISA has made clear it will compile these results and brief senior government officials on agency compliance levels by May 1, 2026 — making this a highly visible accountability measure at the leadership level.
Active Exploitation Is Already Happening
This directive was not issued as a precaution. CISA explicitly stated it is aware of a threat actor’s ongoing exploitation of the Cisco Catalyst SD-WAN vulnerabilities at the time the directive was published. That single word — ongoing — changes everything about how agencies and organizations need to respond.
Active exploitation means the window for a clean, unaffected patch is already closed for some organizations. Any device that was internet-accessible and running vulnerable firmware before the patches were applied should be treated as potentially compromised. This is not a worst-case assumption — it is CISA’s stated operating posture for this incident.
The scale of potential impact is significant. Cisco Catalyst SD-WAN systems are deployed across thousands of enterprise and government networks globally. The SD-WAN Manager and Controller sit at the center of network operations — compromising them gives an attacker visibility into traffic flows, configuration data, routing policy, and potentially lateral movement pathways across the entire network.
- Authentication bypass on the Controller — No credentials required for initial access
- Five additional Manager vulnerabilities — Discovered during investigation, now patched but previously unknown
- Centralized network management access — A compromised Controller or Manager exposes the full SD-WAN fabric
- Log exfiltration risk — Attackers with management-plane access can tamper with or delete logs
- Lateral movement potential — SD-WAN management access can be used to pivot deeper into agency networks
What Forensic Analysis Revealed About the Threat Actor
CISA’s public alert about the exploitation activity, co-released with the NSA and cyber agencies from Australia, Canada, New Zealand, and the United Kingdom, points to a sophisticated threat actor conducting a deliberate, targeted campaign — not opportunistic scanning. The coordination required to produce a five-nation joint advisory within the same news cycle as the emergency directive suggests intelligence was being shared actively across allied governments before the public disclosure.
The requirement for agencies to store logs externally before the patching deadline is a direct forensic countermeasure. Threat actors with management-plane access to SD-WAN systems can modify or delete local logs, destroying evidence of their presence. External log storage preserves an unaltered record that can be used for post-incident analysis even if the device itself was tampered with.
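As an added illustration of why the externally stored copy matters (this is not code from CISA, Cisco or the advisory), the following Python compares the log stream a collector received with the copy read back from the device afterwards and reports the records that are no longer present locally. The syslog lines are constructed, the host name and message texts are assumptions rather than real Cisco formats, and the year is supplied by the caller because RFC 3164-style lines do not carry one.

```python
from __future__ import annotations
import re
from collections import Counter
from datetime import datetime

# CONSTRUCTED RFC 3164-style lines standing in for a Manager's syslog stream as
# received by an external collector; field layout and message text are assumptions.
EXTERNAL_COPY = """\
<189>Feb 25 21:04:11 mgr-hq sshd[1021]: Accepted publickey for admin from 10.20.0.5
<189>Feb 25 21:06:40 mgr-hq vmanage: user admin logged in via web from 10.20.0.5
<189>Feb 25 22:13:02 mgr-hq vmanage: user admin logged in via web from 203.0.113.77
<189>Feb 25 22:13:09 mgr-hq vmanage: configuration commit by admin (tenant default)
<189>Feb 25 22:15:51 mgr-hq sshd[1177]: Accepted password for admin from 203.0.113.77
<189>Feb 25 23:00:00 mgr-hq cron: nightly maintenance
"""

# CONSTRUCTED: the same device's local log read back after the incident.
LOCAL_COPY = """\
<189>Feb 25 21:04:11 mgr-hq sshd[1021]: Accepted publickey for admin from 10.20.0.5
<189>Feb 25 21:06:40 mgr-hq vmanage: user admin logged in via web from 10.20.0.5
<189>Feb 25 23:00:00 mgr-hq cron: nightly maintenance
"""

_LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_syslog(text: str, year: int = 2026) -> list[tuple[datetime, str, str]]:
    """Parse RFC 3164-style lines into (timestamp, host, message) tuples.
    Malformed lines are skipped so one bad record cannot hide the rest."""
    records = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        _pri, stamp, host, msg = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        records.append((ts, host, msg))
    return records


def compare_copies(external: str, local: str, year: int = 2026) -> dict:
    """Treat the external copy as authoritative and report what the local copy lost.
    Counters give a multiset difference, so repeated identical lines are counted
    rather than collapsed."""
    ext = Counter(parse_syslog(external, year))
    loc = Counter(parse_syslog(local, year))
    missing_locally = sorted((ext - loc).elements())
    local_only = sorted((loc - ext).elements())
    window = (missing_locally[0][0], missing_locally[-1][0]) if missing_locally else None
    return {
        "missing_locally": missing_locally,
        "local_only": local_only,       # usually forwarding lag, worth a look but not proof
        "deletion_window": window,      # time span the deleted records covered
        "tampering_suspected": bool(missing_locally),
    }


if __name__ == "__main__":
    report = compare_copies(EXTERNAL_COPY, LOCAL_COPY)
    for ts, host, msg in report["missing_locally"]:
        print(f"missing locally: {ts:%b %d %H:%M:%S} {host} {msg}")
    print("deletion window:", report["deletion_window"])
```

The comparison only works for records that reached the collector before anything happened on the device, which is the point of the directive's ordering: external storage has to be in place before the patching and investigation begin. Lines present only locally are more often a forwarding lag than fabrication, so the script reports them separately instead of treating them as evidence.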
CISA’s hardening guidance published alongside the directive includes specific configuration requirements that go beyond the patched CVEs. This indicates the agency has insight into the techniques the threat actor is using — and is building defenses against tactics that don’t rely solely on the disclosed vulnerabilities.
Key forensic actions required by CISA’s Emergency Directive 26-03:
| Requirement | Deadline | Purpose |
|---|---|---|
| Inventory all Cisco SD-WAN devices | Feb 26, 2026 | Establish scope of exposure |
| Configure external log storage | Feb 26, 2026 | Preserve forensic evidence |
| Collect forensic artifacts | Feb 26, 2026 | Detect prior compromise |
| Apply Cisco patches | Feb 27, 2026 (5 p.m. ET) | Close known vulnerabilities |
| Scan for compromise indicators | Post-patch | Identify breached systems |
| Report intrusions to CISA | Immediately upon discovery | Coordinate federal response |
| Submit hardening report | March 12, 2026 | Verify long-term resilience |
The structured timeline above reflects a response framework designed for a threat that is already inside some networks — not one that is merely approaching the perimeter.
This Threat Goes Beyond Federal Agencies
CISA’s emergency directive legally applies only to federal civilian executive branch agencies — but the vulnerabilities themselves don’t discriminate. Cisco Catalyst SD-WAN systems are deployed in financial services, healthcare, critical infrastructure, and large enterprises worldwide. The same authentication-bypass flaw that threatens federal networks is present in every unpatched deployment globally.
Why Private Businesses Running Cisco SD-WAN Are Also at Risk
Private sector organizations running Cisco Catalyst SD-WAN Controller or Manager devices face identical technical exposure. The threat actor exploiting these vulnerabilities is not limiting activity to government targets — CISA’s joint advisory with four allied nations explicitly urged “businesses and other organizations not covered by the emergency directive” to patch their affected Cisco devices, analyze them for signs of compromise, and harden them against future intrusions.
For private organizations, there is no CISA-imposed deadline — but that absence of a mandate should not be mistaken for an absence of urgency. Any organization that has not applied Cisco’s patches under advisories cisco-sa-sdwan-authbp-qwCX8D4v and cisco-sa-sdwan-rpa-EHchtZk should treat this as an active incident response situation, not a routine patch cycle.
The Five-Nation Advisory Urging Global Action
Joint Advisory Participants — Cisco SD-WAN Exploitation Alert (February 25, 2026):
| Country | Agency |
|---|---|
| United States | CISA & National Security Agency (NSA) |
| Australia | Australian Signals Directorate (ASD) |
| Canada | Canadian Centre for Cyber Security (CCCS) |
| New Zealand | New Zealand National Cyber Security Centre (NCSC-NZ) |
| United Kingdom | National Cyber Security Centre (NCSC-UK) |
Five allied nations releasing a coordinated advisory on the same day as an emergency directive is not routine. It signals that intelligence about this threat actor and their exploitation of Cisco SD-WAN systems was being shared across governments well before the public disclosure — and that the scope of the campaign extends across multiple countries, not just U.S. federal networks.
The joint advisory issued by these five agencies explicitly called on private businesses, critical infrastructure operators, and all organizations running Cisco Catalyst SD-WAN systems to take immediate action. The specific guidance mirrored CISA’s directive: patch the devices using Cisco’s official advisories, analyze systems for indicators of compromise, configure external log storage, and apply hardening configurations. This isn’t boilerplate advice — it’s a direct acknowledgment that the same threat actor targeting federal agencies is almost certainly targeting commercial networks running identical hardware.
The coordinated five-nation response also carries a deeper implication. When allied cyber agencies move together this quickly and publicly, it typically indicates that the threat actor has been identified with a high degree of confidence and that the exploitation campaign is broad enough to affect all five nations’ interests simultaneously. Organizations in any of these countries — and beyond — should treat this advisory as directly applicable to their own environments.
CISA Will Report Agency Compliance to Senior Government Officials by May 1
CISA’s Emergency Directive 26-03 includes an accountability mechanism that goes beyond the technical requirements. By May 1, 2026, CISA is required to report the compliance status of all federal civilian executive branch agencies to the Director of the Office of Management and Budget and to senior cybersecurity leadership across the government. This means non-compliant agencies will be visible at the highest levels of federal oversight — creating significant institutional pressure to meet every deadline in the directive.
The March 12 hardening report deadline feeds directly into this accountability timeline. Agencies that apply patches but fail to complete the hardening steps or submit their compliance documentation will appear incomplete in CISA’s May 1 briefing. The directive is structured so that partial compliance is treated with the same seriousness as no compliance — every step has a deadline, and every deadline is tracked.
For agency IT and security leadership, this directive creates a clear chain of accountability from the device level all the way to senior government officials. Missing the Friday patching deadline, failing to collect forensic logs before patching, or skipping the hardening report are not administrative oversights — they are documented compliance failures that will be reported up the chain. The message from CISA is unambiguous: treat every deadline in this directive as firm.
Frequently Asked Questions
Below are answers to the most common questions surrounding CISA’s Emergency Directive 26-03 and the Cisco Catalyst SD-WAN vulnerabilities.
What is Cisco Catalyst SD-WAN and why is it used by federal agencies?
Cisco Catalyst SD-WAN is a software-defined wide-area networking platform that allows organizations to manage, monitor, and secure network connections across multiple locations from a centralized system. Federal agencies use it because it simplifies the management of complex, distributed networks — connecting offices, data centers, and cloud environments through a single management layer. The Cisco Catalyst SD-WAN Controller handles traffic routing and policy enforcement, while the Cisco Catalyst SD-WAN Manager provides the centralized dashboard that administrators use to configure and monitor the entire network. That centralized control is precisely what makes these components high-value targets for attackers.
What happens if a federal agency misses the February 27 patching deadline?
Missing the deadline does not simply result in a written warning. CISA tracks compliance with emergency directives and reports non-compliant agencies to the Director of the Office of Management and Budget and senior cybersecurity officials by May 1, 2026. Agencies that miss the Friday, February 27 patching deadline while running known-vulnerable Cisco SD-WAN devices are also operating systems that CISA has explicitly designated as an imminent threat to federal networks — meaning continued operation of unpatched devices carries both a compliance risk and a live security risk simultaneously.
How do I know if my organization’s Cisco devices are affected by this vulnerability?
The two specific products named in CISA’s directive and Cisco’s advisories are the Cisco Catalyst SD-WAN Controller and the Cisco Catalyst SD-WAN Manager. If your organization is running either of these products, you should assume the devices are affected until you have verified the firmware version against Cisco’s patch advisories cisco-sa-sdwan-authbp-qwCX8D4v and cisco-sa-sdwan-rpa-EHchtZk.
Start by pulling a complete inventory of all SD-WAN infrastructure in your environment. Cross-reference each device’s current software version against the affected versions listed in Cisco’s official security advisories. Any device running a vulnerable version that is internet-accessible — or that has management interfaces exposed to untrusted networks — should be treated as a priority for immediate patching and forensic review.
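The inventory and cross-reference work described here, and in Steps 1 through 3 of the directive above, can be scripted. The Python below is an added example, not code from Cisco, CISA or the advisories: it takes an inventory of SD-WAN Controller and Manager devices, compares each software version with the first fixed release for its release train, flags devices with exposed management interfaces for immediate attention, and notes covered devices that still lack external log storage. The inventory rows and their field names are constructed, and every "first fixed" number in the table is a placeholder that must be replaced with the figures from cisco-sa-sdwan-authbp-qwCX8D4v and cisco-sa-sdwan-rpa-EHchtZk, which this page does not reproduce.

```python
from __future__ import annotations
import re

# CONSTRUCTED placeholder table of "first fixed release" per product and release
# train (major.minor). The real values belong to the two Cisco advisories named
# above; every number here must be replaced before the script is used for real.
FIXED_RELEASES = {
    "sdwan-controller": {"20.12": "20.12.7", "20.15": "20.15.4"},  # PLACEHOLDERS
    "sdwan-manager":    {"20.12": "20.12.7", "20.15": "20.15.4"},  # PLACEHOLDERS
}

# CONSTRUCTED inventory rows; field names are assumptions. In practice this comes
# from the organisation's asset inventory or an export from the Manager.
SAMPLE_INVENTORY = [
    {"host": "ctrl-east-1", "product": "sdwan-controller", "version": "20.12.5",
     "mgmt_exposed": True,  "external_logging": True},
    {"host": "ctrl-west-1", "product": "sdwan-controller", "version": "20.15.4",
     "mgmt_exposed": False, "external_logging": True},
    {"host": "mgr-hq",      "product": "sdwan-manager",    "version": "20.12.7a",
     "mgmt_exposed": False, "external_logging": False},
    {"host": "mgr-lab",     "product": "sdwan-manager",    "version": "20.9.3",
     "mgmt_exposed": True,  "external_logging": False},
    {"host": "edge-br-7",   "product": "sdwan-edge",       "version": "17.12.3",
     "mgmt_exposed": False, "external_logging": True},
]

_NUM_RE = re.compile(r"\d+")
_PRIORITY_ORDER = {"immediate": 0, "high": 1, "none": 2}


def parse_version(text: str) -> tuple[int, ...]:
    """'20.12.7a' -> (20, 12, 7): compare numerically and ignore letter suffixes."""
    nums = tuple(int(n) for n in _NUM_RE.findall(text))
    if len(nums) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    return nums


def triage_device(device: dict, fixed: dict = FIXED_RELEASES) -> dict:
    """Classify one device as patched, needs-patch, unsupported-train (no fixed
    release exists on its train, so it must move to a supported one) or not-in-scope."""
    product = device["product"]
    if product not in fixed:
        status = "not-in-scope"
    else:
        ver = parse_version(device["version"])
        train = f"{ver[0]}.{ver[1]}"
        first_fixed = fixed[product].get(train)
        if first_fixed is None:
            status = "unsupported-train"
        elif ver >= parse_version(first_fixed):
            status = "patched"
        else:
            status = "needs-patch"
    needs_action = status in ("needs-patch", "unsupported-train")
    if needs_action and device.get("mgmt_exposed"):
        priority = "immediate"   # reachable from untrusted networks: patch and review first
    elif needs_action:
        priority = "high"
    else:
        priority = "none"
    # The directive wants external log storage in place before patching, so a
    # covered device without it is a gap even when its software is current.
    log_gap = status != "not-in-scope" and not device.get("external_logging", False)
    return {"host": device["host"], "status": status, "priority": priority, "log_gap": log_gap}


def triage(inventory: list[dict], fixed: dict = FIXED_RELEASES) -> list[dict]:
    """Triage a whole inventory, most urgent first."""
    rows = [triage_device(d, fixed) for d in inventory]
    rows.sort(key=lambda r: (_PRIORITY_ORDER[r["priority"]], r["host"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        flag = "EXTERNAL LOGGING MISSING" if row["log_gap"] else ""
        print(f"{row['host']:<12} {row['status']:<18} priority={row['priority']:<9} {flag}")
```

Versions are compared as tuples of integers rather than strings so that 20.12.10 sorts after 20.12.9, and a train with no entry in the table is reported as unsupported rather than silently treated as patched; that is the failure mode that a naive "is my version newer than X" check gets wrong.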
Where can I find Cisco’s official patches for these SD-WAN vulnerabilities?
Cisco has published two separate security advisories addressing the vulnerabilities covered in CISA’s emergency directive. The authentication-bypass flaw affecting the Cisco Catalyst SD-WAN Controller is addressed under advisory cisco-sa-sdwan-authbp-qwCX8D4v. The vulnerabilities affecting the Cisco Catalyst SD-WAN Manager — including the five additional flaws discovered during the Controller investigation — are addressed under advisory cisco-sa-sdwan-rpa-EHchtZk. Both advisories are published on Cisco’s Security Advisory portal at sec.cloudapps.cisco.com.
Both advisories must be addressed — applying only one does not constitute a complete remediation. Organizations should also review CISA’s supplemental hardening guidance published alongside Emergency Directive 26-03, as it contains configuration requirements that go beyond the patch itself and directly address the techniques used in the active exploitation campaign.
Does this CISA emergency directive apply to state and local governments or only federal agencies?
CISA’s Emergency Directive 26-03 legally applies only to federal civilian executive branch agencies — it does not carry mandatory authority over state governments, local governments, tribal entities, or private sector organizations. However, the technical vulnerabilities it addresses exist in every unpatched Cisco Catalyst SD-WAN deployment worldwide, regardless of who owns the device.
CISA, the NSA, and cyber agencies from Australia, Canada, New Zealand, and the United Kingdom issued a separate public advisory on the same day specifically urging non-federal organizations — including state and local governments, businesses, and critical infrastructure operators — to take the same remediation steps as federal agencies. That advisory carries no legal mandate, but the urgency behind it is identical to the emergency directive itself.
State and local government IT teams running Cisco Catalyst SD-WAN systems should treat the joint advisory as directly applicable to their environments. The threat actor exploiting these vulnerabilities is not limiting their targeting to organizations under CISA’s direct authority. Any organization that delays action because the directive doesn’t technically apply to them is making a security decision based on a legal technicality rather than the actual threat landscape.
- Federal civilian agencies: Mandatory compliance with ED 26-03 deadlines — patches due by 5 p.m. ET, February 27
- State and local governments: No legal mandate, but strongly urged to patch and harden under the joint advisory
- Private businesses: No mandate, but the five-nation advisory explicitly calls for immediate patching and compromise analysis
- Critical infrastructure operators: Named in the joint advisory as a priority audience for the hardening guidance
- International organizations: Allied cyber agencies from four additional countries have issued parallel guidance applicable in their jurisdictions
The bottom line is simple: if your organization runs Cisco Catalyst SD-WAN Controller or Manager devices anywhere on your network, this situation applies to you — directive or not. The authentication-bypass vulnerability doesn’t check whether your organization falls under CISA’s authority before allowing an attacker through.
Staying ahead of threats like this one requires continuous monitoring, rapid patch management processes, and an incident response plan that can activate within hours — not weeks. Organizations looking to strengthen their overall cybersecurity posture can explore resources and expert guidance to build more resilient defenses against exactly these kinds of rapidly evolving, nation-level threats.
