Vulnerability Management, Patch/Configuration Management

CISA alerts exploitation of Cisco Catalyst SD-WAN vulnerability


The Cybersecurity and Infrastructure Security Agency has released a new emergency directive warning of the active exploitation of flaws in Cisco Catalyst SD-WAN systems prevalent in federal networks, particularly the maximum-severity authentication bypass vulnerability tracked as CVE-2026-20127, reports Infosecurity Magazine.

With the abuse of CVE-2026-20127 threatening administrative control over SD-WAN infrastructure, federal agencies have been ordered to locate all impacted systems, configure devices to store logs externally and gather forensic evidence, investigate for signs of compromise, and rebuild systems if root access is detected. They are also required to install vendor-provided security updates and submit updates on remediation and logging by multiple deadlines through Mar. 23, 2026.

"The requests for artifact collection and submission make it clear they're working to identify the scope of the threat," said ProCircular's Director of Offensive Operations Bobby Kuzma. Kuzma added that even civilian organizations and contractors with Cisco SD-WAN systems should check patches and review logs.
