Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023
Federal agencies must patch Cisco SD-WAN vulnerability CVE-2026-20127 by Feb 27, as zero-day exploits enable attackers to gain persistent root access, CISA warns.
- On February 25, 2026, CISA issued Emergency Directive 26-03 requiring Federal Civilian Executive Branch agencies to inventory Cisco SD‑WAN systems and collect forensic artifacts, citing ongoing exploitation as an imminent threat.
- Cisco said CVE-2026-20127 stems from a failure in the peering authentication mechanism and affects Cisco Catalyst SD‑WAN Controller and Manager with a maximum severity score of 10.0; Cisco credited ASD's ACSC with reporting it.
- Talos and partner advisories show attackers exploiting the authentication bypass to add rogue peers and then using CVE-2022-20775 to obtain root access; indicators include unexpected root logins and unauthorized SSH keys.
- Federal agencies must apply patches by 5:00 PM ET on February 27, 2026 and report compliance to the Secretary of Homeland Security, the National Cyber Director and the Office of Management and Budget by May 1.
- International partners urged nonfederal organizations to patch and harden affected devices, isolate SD-WAN management interfaces, forward logs externally, and apply Cisco hardening guidance as soon as practicable.
17 Articles
Governments issue warning over Cisco zero-day attacks dating back to 2023
Attackers have been exploiting a pair of zero-day vulnerabilities in Cisco’s network edge software for at least three years, and the global campaign is ongoing, authorities said across a series of warnings released Wednesday. The Cybersecurity and Infrastructure Security Agency issued an emergency directive about the global attacks and issued joint guidance with the Five Eyes to help defenders respond and hunt for evidence of compromise. This ma…
Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023
Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add malicious rogue peers to targeted networks.
Cisco SD-WAN Zero-Day Exploited For 3Yrs Before Detection
Cisco Talos disclosed that a highly sophisticated threat actor exploited a critical authentication bypass vulnerability in Cisco SD-WAN infrastructure for at least three years before security researchers discovered the zero-day attacks. The vulnerability, tracked as CVE-2026-20127 with a maximum CVSS severity score of 10.0, allowed unauthenticated remote attackers to gain administrative privileges and add malicious rogue peers to enterprise netw…
Coverage Details
Bias Distribution
- 100% of the sources are Center