Critical Cisco SD-WAN Vulnerabilities Exploited Globally—Patch Now

---
title: "Critical Cisco SD-WAN Vulnerabilities Exploited Globally—Patch Now"
short_title: "Cisco SD-WAN under active attack—update immediately"
description: "CISA and global partners warn of active exploitation of Cisco SD-WAN vulnerabilities CVE-2026-20127 and CVE-2022-20775. Learn how to mitigate risks and secure systems."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [cisco sd-wan, cve-2026-20127, cve-2022-20775, threat intelligence, cisa]
score: 0.95
cve_ids: [CVE-2026-20127, CVE-2022-20775]
---

TL;DR

CISA and global cybersecurity agencies have issued an urgent alert about active exploitation of two critical Cisco SD-WAN vulnerabilities, CVE-2026-20127 and CVE-2022-20775. Attackers are leveraging these flaws to gain initial access, escalate privileges, and maintain persistence in compromised systems. Organizations using Cisco SD-WAN are urged to inventory systems, apply patches, and hunt for signs of compromise immediately.

---

Main Content

Global Exploitation of Cisco SD-WAN Vulnerabilities Triggers Emergency Response

The Cybersecurity and Infrastructure Security Agency (CISA) and its international partners have raised the alarm over a surge in malicious cyber activity targeting Cisco SD-WAN systems worldwide. In response, CISA has added CVE-2026-20127 (a previously undisclosed authentication bypass vulnerability) and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) Catalog. This move underscores the severity of the threat and the need for immediate action.

Federal Civilian Executive Branch (FCEB) agencies are now required to inventory, update, and assess their Cisco SD-WAN systems under Emergency Directive (ED) 26-03. The directive provides a clear roadmap for mitigating risks and hardening defenses against ongoing attacks.

---

Key Points

- Active Exploitation: Threat actors are exploiting CVE-2026-20127 for initial access and CVE-2022-20775 for privilege escalation in Cisco SD-WAN systems.
- Global Impact: Organizations worldwide, including government agencies, are affected by these vulnerabilities.
- Emergency Directive: CISA’s ED 26-03 mandates FCEB agencies to inventory, patch, and hunt for compromise in Cisco SD-WAN systems.
- Hardening Guidance: Cisco has released a hardening guide to help organizations secure their SD-WAN deployments.
- Collaborative Effort: The alert was jointly issued by CISA, NSA, ASD’s ACSC, Cyber Centre, NCSC-NZ, and NCSC-UK.

---

Technical Details

#### Vulnerabilities Overview
1. CVE-2026-20127
- Type: Authentication Bypass
- Impact: Allows unauthenticated attackers to gain initial access to Cisco SD-WAN systems.
- Exploitation: Threat actors use this flaw to bypass authentication mechanisms and infiltrate target networks.

2. CVE-2022-20775
- Type: Privilege Escalation
- Impact: Enables attackers to escalate privileges and maintain persistence within compromised systems.
- Exploitation: Often chained with CVE-2026-20127 to achieve full control over affected systems.

#### Attack Vector
Threat actors are targeting unpatched Cisco SD-WAN systems to:
- Gain initial access via CVE-2026-20127.
- Escalate privileges using CVE-2022-20775.
- Establish long-term persistence for data exfiltration or further attacks.

---

Impact Assessment

The exploitation of these vulnerabilities poses severe risks to organizations, including:
- Unauthorized Access: Attackers can infiltrate networks, steal sensitive data, and disrupt operations.
- Lateral Movement: Compromised SD-WAN systems can serve as a gateway for further attacks on internal networks.
- Regulatory Consequences: Failure to mitigate these risks may result in compliance violations, particularly for government agencies and critical infrastructure providers.
- Reputational Damage: Organizations facing breaches may suffer loss of trust among customers and partners.

---

Mitigation Steps

CISA and its partners recommend the following immediate actions to mitigate risks:

#### 1. Inventory and Assess
- Identify all Cisco SD-WAN systems in your environment.
- Collect artifacts, including virtual snapshots and logs, to support threat-hunting activities.

#### 2. Apply Patches
- Update all Cisco SD-WAN systems with the latest security patches.
- Refer to Cisco’s advisories for detailed guidance:
- [Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk)
- [Cisco Catalyst SD-WAN Vulnerabilities](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v)

#### 3. Hunt for Compromise
- Conduct threat-hunting activities to detect signs of exploitation.
- Use the [Cisco SD-WAN Threat Hunt Guide](https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf), co-authored by CISA and its partners.

#### 4. Harden Systems
- Follow Cisco’s [SD-WAN Hardening Guide](https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide) to secure your deployment. Key recommendations include:
- Network Perimeter Controls: Restrict access to control components using firewalls and isolate VPN interfaces.
- SD-WAN Manager Access: Replace self-signed certificates for the web UI.
- Control and Data Plane Security: Implement pairwise keys.
- Session Timeout: Configure the shortest possible session duration.
- Logging: Forward logs to a remote syslog server for centralized monitoring.

#### 5. Review CISA’s Directives
- FCEB agencies must comply with:
- [Emergency Directive 26-03](https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems): Outlines requirements for inventory, patching, and compromise assessment.
- [Supplemental Direction ED 26-03](https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems): Provides prescriptive actions for hardening and threat hunting.

---

Affected Systems

- Cisco SD-WAN vManage
- Cisco SD-WAN Controllers
- Cisco SD-WAN Edge Devices

---

Conclusion

The active exploitation of Cisco SD-WAN vulnerabilities CVE-2026-20127 and CVE-2022-20775 represents a critical threat to organizations worldwide. Immediate action is required to inventory, patch, and harden affected systems to prevent unauthorized access and potential breaches.

Organizations must prioritize threat-hunting activities and adhere to CISA’s directives and Cisco’s hardening guidance to mitigate risks effectively. Failure to act swiftly could result in severe operational, financial, and reputational consequences.

For more details, refer to the official advisories and resources linked in this article.

---

References

[^1]: CISA. "[Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems](https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems)". Retrieved 2025-01-24.
[^2]: CISA. "[Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems](https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems)". Retrieved 2025-01-24.
[^3]: Cisco. "[Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk)". Retrieved 2025-01-24.
[^4]: Cisco. "[Cisco Catalyst SD-WAN Vulnerabilities](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v)". Retrieved 2025-01-24.
[^5]: Cisco. "[Cisco Catalyst SD-WAN Hardening Guide](https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide)". Retrieved 2025-01-24.
[^6]: ASD’s ACSC. "[Cisco SD-WAN Threat Hunt Guide](https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf)". Retrieved 2025-01-24.