CISA Adds Two Cisco SD-WAN Exploits to KEV Catalog
Executive Summary
The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog by adding two new vulnerabilities affecting Cisco Catalyst SD-WAN solutions. These vulnerabilities, identified as CVE-2022-20775 and CVE-2026-20127, have confirmed evidence of active exploitation by malicious cyber actors. Their inclusion in the KEV Catalog underscores their significant risk to organizations, prompting a mandatory remediation directive for Federal Civilian Executive Branch (FCEB) agencies and a strong recommendation for all other entities to address these issues promptly. The presence of actively exploited flaws in critical network infrastructure components necessitates immediate attention to prevent potential network compromise and data exfiltration.
Technical Analysis of Exploited Vulnerabilities
CISA’s addition of these two vulnerabilities to the KEV Catalog highlights a direct threat to the integrity and availability of networks leveraging Cisco Catalyst SD-WAN products. According to CISA, these types of vulnerabilities are frequent attack vectors and pose significant risks.
CVE-2022-20775: Cisco Catalyst SD-WAN Path Traversal Vulnerability
This vulnerability impacts Cisco Catalyst SD-WAN, allowing an unauthenticated, remote attacker to perform directory traversal. In a path traversal attack, an attacker exploits insufficient security validation of user-supplied input file names to access restricted directories and potentially execute commands outside of intended directories. Such an exploit could grant access to sensitive system information, configuration files, or other critical data, potentially leading to further system compromise or unauthorized configuration changes within the SD-WAN infrastructure.
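The class of weakness described above, as an added illustration that is not code from the page or from Cisco: a file-serving helper whose only defence is a literal `../` substring check, beside a hardened version that decodes, normalizes and confirms the canonical path stays under the document root. The document root and inputs are constructed for the example.

```python
import os
from urllib.parse import unquote

# Hypothetical document root for the example; the product's real paths are not on the page.
DOC_ROOT = "/srv/sdwan/files"


def resolve_naive(user_path: str) -> str:
    """Weak check: rejects only a literal '../' substring.

    This is the kind of insufficient validation of user-supplied file names that
    enables path traversal: URL-encoded separators and absolute paths slip past it.
    """
    if "../" in user_path:
        raise ValueError("traversal rejected")
    # os.path.join silently discards DOC_ROOT when user_path is absolute.
    return os.path.join(DOC_ROOT, user_path)


def resolve_hardened(user_path: str) -> str:
    """Decode once, normalize, then verify the canonical path is inside DOC_ROOT."""
    decoded = unquote(user_path)  # the check must see the same string the file API will see
    if "\x00" in decoded:
        raise ValueError("null byte rejected")
    relative = decoded.lstrip("/\\")  # never let an absolute path replace the root
    root = os.path.realpath(DOC_ROOT)
    candidate = os.path.realpath(os.path.join(root, relative))
    # commonpath is the containment test; a plain startswith would accept "/srv/sdwan/files2".
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes document root")
    return candidate


def allowed(resolver, user_path: str) -> bool:
    """True if the resolver accepts the path; used to compare the two checks."""
    try:
        resolver(user_path)
        return True
    except ValueError:
        return False
```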
CVE-2026-20127: Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability
This flaw affects the Cisco Catalyst SD-WAN Controller and Manager, enabling an unauthenticated, remote attacker to bypass authentication mechanisms. An authentication bypass vulnerability is particularly severe as it allows unauthorized individuals to gain administrative or privileged access to a system without valid credentials. In the context of an SD-WAN Controller and Manager, this could grant an attacker full control over the network’s routing, policies, and connected devices, leading to extensive network disruption, data interception, or the establishment of persistent backdoors.
Broader Context: CISA’s KEV Catalog and BOD 22-01
The KEV Catalog, established by Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, serves as a living repository of vulnerabilities proven to be actively exploited in the wild. BOD 22-01 mandates FCEB agencies to remediate these vulnerabilities by specified due dates to protect federal networks. While the directive applies specifically to FCEB agencies, CISA strongly advises all organizations—public and private sector alike—to integrate the KEV Catalog into their vulnerability management practices. The rationale is clear: if a vulnerability is being actively exploited against federal entities, it represents a generalized threat that can impact any organization running the affected software. Prioritizing these remediations is a foundational step in reducing overall cyberattack exposure.
Actionable Recommendations and Mitigations
Organizations leveraging Cisco Catalyst SD-WAN solutions, or similar network infrastructure, must take immediate steps to mitigate the risks posed by these actively exploited vulnerabilities. Effective response should prioritize the following:
- Immediate Patching: Review your Cisco Catalyst SD-WAN deployments and apply all available security patches and updates from Cisco that address CVE-2022-20775 and CVE-2026-20127. Adhere to vendor-specific instructions for patching to ensure full remediation and prevent service disruption.
- Vulnerability Management Integration: Incorporate the CISA KEV Catalog as a high-priority input into your organization’s continuous vulnerability management program. Regularly check the catalog for new additions and prioritize remediation efforts accordingly.
- Network Segmentation: Ensure that critical network management interfaces, such as those for SD-WAN controllers, are isolated and not directly exposed to the internet. Implement strict network segmentation to limit the blast radius of any potential compromise.
- Enhanced Monitoring and Logging: Deploy robust logging and monitoring solutions to detect anomalous activities, unusual access patterns, or configuration changes on Cisco Catalyst SD-WAN components. Pay particular attention to authentication attempts and file access logs.
- Review Access Controls: Conduct an audit of administrative access to your SD-WAN infrastructure. Implement strong authentication mechanisms, including multi-factor authentication (MFA), and enforce the principle of least privilege for all users and services.
- Incident Response Planning: Ensure your incident response plan includes specific procedures for compromised network infrastructure devices, covering detection, containment, eradication, and recovery steps related to SD-WAN platforms.
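One way to put the "Vulnerability Management Integration" step into practice, as an added example (not CISA's or Cisco's code): match an asset inventory against entries shaped like the KEV JSON feed and list what is due or overdue. The feed excerpt and inventory are constructed inline; the dates are placeholders, since the page gives none for these entries.

```python
import json

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# dateAdded/dueDate values are placeholders, not the catalog's real dates.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2022-20775", "vendorProject": "Cisco", "product": "Catalyst SD-WAN",
         "vulnerabilityName": "Cisco Catalyst SD-WAN Path Traversal Vulnerability",
         "dateAdded": "2026-01-01", "dueDate": "2026-01-22",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2026-20127", "vendorProject": "Cisco", "product": "Catalyst SD-WAN",
         "vulnerabilityName": "Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability",
         "dateAdded": "2026-01-01", "dueDate": "2026-01-22",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-PLACEHOLDER-0001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "vulnerabilityName": "Example entry not matching any asset",
         "dateAdded": "2026-01-01", "dueDate": "2026-01-15",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})

# Constructed asset inventory; in practice this comes from a CMDB or scanner export.
INVENTORY = [
    {"host": "sdwan-mgr-01", "vendorProject": "Cisco", "product": "Catalyst SD-WAN"},
    {"host": "fw-edge-01", "vendorProject": "ExampleVendor", "product": "OtherProduct"},
]


def kev_matches(kev_json: str, inventory: list) -> list:
    """Return one row per (asset, KEV entry) with matching vendor and product, sorted by due date.

    The real feed's vendor/product strings are not perfectly uniform, so a production
    version should normalize names or key on CVE IDs reported by a scanner instead.
    """
    index = {}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    rows = []
    for asset in inventory:
        key = (asset["vendorProject"].lower(), asset["product"].lower())
        for entry in index.get(key, []):
            rows.append({"host": asset["host"], "cveID": entry["cveID"],
                         "dueDate": entry["dueDate"], "requiredAction": entry["requiredAction"]})
    # ISO-8601 dates sort chronologically as strings.
    return sorted(rows, key=lambda r: (r["dueDate"], r["host"], r["cveID"]))


def overdue(rows: list, today_iso: str) -> list:
    """Rows whose BOD 22-01 due date has already passed on the given ISO date."""
    return [r for r in rows if r["dueDate"] < today_iso]
```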