CISA and Partners Release Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems
Summary
CISA and partner agencies have released guidance for organizations using Cisco SD-WAN systems in response to ongoing exploitation of multiple vulnerabilities, including CVE-2026-20127 and CVE-2022-20775, both of which have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Threat actors are exploiting an authentication bypass vulnerability (CVE-2026-20127) for initial access, then escalating privileges with CVE-2022-20775 to establish persistence.
IFF Assessment
Exploitation of Cisco SD-WAN vulnerabilities by malicious actors poses a threat to organizations.
Severity
Defender Context
Organizations using Cisco SD-WAN systems should immediately inventory their systems, collect artifacts for threat hunting, apply available patches, hunt for evidence of compromise, and review Cisco's security advisories and hardening guidance. A compromised SD-WAN device can give an attacker a foothold in the organization's network, which is why prompt patching and proactive monitoring matter.