Cybersecurity agencies across the Five Eyes alliance have issued an emergency directive warning that a critical Cisco SD-WAN vulnerability is being actively exploited to gain unauthorized access to federal networks. Officials confirmed that threat actors are targeting core SD-WAN control systems and urged organizations to patch affected devices immediately.
Cisco’s Talos threat intelligence group disclosed that attackers have been exploiting a previously unknown vulnerability affecting Cisco Catalyst SD-WAN controllers, tracked as CVE-2026-20127. The flaw allows an unauthenticated attacker to bypass authentication controls and gain administrative-level access to vulnerable SD-WAN control plane components. Talos said evidence suggests exploitation may have begun as early as 2023.
Nick Andersen, executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency, said during a media briefing that threat actors are actively attempting to access federal networks through exploitation of the flaw. He warned that the activity appears to be increasing but did not identify which agencies were affected.
“We continue to see the volumetric increase in both threat actor behavior and the extension of the attack surface that they’re targeting,” Andersen said. CISA is not currently attributing the activity to a specific threat actor.
SD-WAN controllers play a central role in orchestrating traffic across distributed enterprise networks, including branch offices and cloud environments. Compromise at the controller level could provide attackers with broad visibility and control across large portions of an organization’s network infrastructure.
In a separate security advisory, Cisco confirmed the vulnerability and released software updates to address it. According to the company, the flaw stems from insufficient validation of authentication requests within the SD-WAN peering process. Cisco said there are no workarounds for the vulnerability and urged customers to apply available patches immediately.
CISA and other Five Eyes agencies advise organizations operating Cisco SD-WAN systems to prioritize patch deployment and conduct thorough compromise assessments. The agencies recommend organizations immediately inventory all Cisco SD-WAN systems, collect artifacts including virtual snapshots and logs, and hunt for evidence of compromise.
The disclosure comes amid heightened scrutiny of network infrastructure security and highlights an ongoing shift in attacker priorities toward control-plane technologies such as SD-WAN, firewalls, and identity systems. Emergency directives are binding on federal civilian agencies and are reserved for vulnerabilities that pose significant, immediate threats.