---
title: "CISA Warns of Two Actively Exploited Cisco SD-WAN Vulnerabilities"
short_title: "CISA adds two critical Cisco SD-WAN flaws to KEV catalog"
description: "CISA has added two actively exploited Cisco SD-WAN vulnerabilities to its KEV catalog. Federal agencies must patch now; all organizations urged to prioritize remediation."
author: "Vitus"
date: 2024-10-15
categories: [Cybersecurity, Vulnerabilities]
tags: [cisa, cve-2022-20775, cve-2026-20127, sd-wan, cybersecurity]
score: 0.85
cve_ids: [CVE-2022-20775, CVE-2026-20127]
---
TL;DR
CISA has added two critical Cisco SD-WAN vulnerabilities—CVE-2022-20775 (path traversal) and CVE-2026-20127 (authentication bypass)—to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Federal agencies must remediate these flaws by the specified deadlines, while all organizations are urged to prioritize patching to mitigate risks.
---
Main Content
The Cybersecurity and Infrastructure Security Agency (CISA) has escalated its response to two severe vulnerabilities in Cisco’s SD-WAN solutions, adding them to its Known Exploited Vulnerabilities (KEV) Catalog. These vulnerabilities, which are being actively exploited in the wild, pose significant risks to federal networks and enterprises worldwide. Immediate action is required to prevent potential breaches and lateral movement by malicious actors.
Key Points
- CVE-2022-20775: A path traversal vulnerability in Cisco Catalyst SD-WAN, allowing unauthorized access to sensitive files.
- CVE-2026-20127: An authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager, enabling attackers to gain unauthorized control.
- Binding Operational Directive (BOD) 22-01 mandates federal agencies to remediate these vulnerabilities by the specified deadlines.
- While BOD 22-01 applies only to Federal Civilian Executive Branch (FCEB) agencies, CISA strongly recommends all organizations prioritize patching these flaws.
---
Technical Details
#### CVE-2022-20775: Cisco Catalyst SD-WAN Path Traversal Vulnerability
This vulnerability arises from improper validation of user-supplied input in Cisco’s SD-WAN software. Attackers can exploit this flaw to perform path traversal attacks, gaining unauthorized access to sensitive files on the affected system. Successful exploitation could lead to information disclosure or further compromise of the network.
#### CVE-2026-20127: Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass
This critical flaw allows attackers to bypass authentication mechanisms in Cisco’s SD-WAN Controller and Manager. By exploiting this vulnerability, malicious actors can gain unauthorized administrative access, potentially leading to full system compromise, data exfiltration, or deployment of additional malicious payloads.
---
Impact Assessment
These vulnerabilities are frequent attack vectors for cybercriminals and nation-state actors, particularly due to the widespread adoption of SD-WAN solutions in enterprise and government networks. The risks include:
- Unauthorized access to sensitive data and network resources.
- Lateral movement within compromised networks, leading to broader breaches.
- Disruption of critical services reliant on SD-WAN infrastructure.
- Compliance violations for federal agencies failing to adhere to BOD 22-01.
Given the active exploitation of these flaws, organizations must treat their remediation as a top priority.
---
Mitigation Steps
1. Patch Immediately: Apply the latest security updates provided by Cisco to mitigate both vulnerabilities.
2. Monitor for Exploitation: Deploy intrusion detection systems (IDS) and endpoint detection and response (EDR) solutions to identify potential exploitation attempts.
3. Restrict Access: Limit access to SD-WAN controllers and managers to authorized personnel only, using network segmentation and least-privilege principles.
4. Review Logs: Audit system logs for signs of unauthorized access or suspicious activity.
5. Follow CISA Guidelines: Refer to CISA’s [KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) and [BOD 22-01 Fact Sheet](https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf) for additional guidance.
---
Conclusion
The addition of CVE-2022-20775 and CVE-2026-20127 to CISA’s KEV Catalog underscores the urgent need for organizations to address these actively exploited vulnerabilities. Federal agencies must comply with BOD 22-01 remediation deadlines, while private sector entities should prioritize patching to reduce their exposure to cyberattacks. Proactive vulnerability management is critical to safeguarding networks against evolving threats.
---
References
[^1]: CISA. "[CISA Adds Two Known Exploited Vulnerabilities to Catalog](https://www.cisa.gov/news-events/alerts/2026/02/25/cisa-adds-two-known-exploited-vulnerabilities-catalog)". Retrieved 2024-10-15.
[^2]: CVE Details. "[CVE-2022-20775](https://www.cve.org/CVERecord?id=CVE-2022-20775)". Retrieved 2024-10-15.
[^3]: CVE Details. "[CVE-2026-20127](https://www.cve.org/CVERecord?id=CVE-2026-20127)". Retrieved 2024-10-15.
[^4]: CISA. "[Binding Operational Directive 22-01](https://www.cisa.gov/binding-operational-directive-22-01)". Retrieved 2024-10-15.