Cisco SD-WAN Exploitation: Critical Authentication Bypass & Escalation

Executive Summary

Global cybersecurity agencies, led by the Cybersecurity and Infrastructure Security Agency (CISA), have issued a critical alert regarding ongoing exploitation targeting Cisco Software-Defined Wide-Area Networking (SD-WAN) systems. Malicious cyber actors are actively leveraging two distinct vulnerabilities, CVE-2026-20127 and CVE-2022-20775, to gain initial access, escalate privileges, and establish long-term persistence within affected environments. CISA has added both CVEs to its Known Exploited Vulnerabilities (KEV) Catalog, underscoring the severe and immediate risk they pose. This advisory, developed in collaboration with NSA, ASD’s ACSC, Cyber Centre, NCSC-NZ, and NCSC-UK, urges immediate action from network defenders to identify, patch, and harden Cisco SD-WAN deployments worldwide, as detailed in the official guidance from CISA and partners.

Technical Analysis

The observed attack chain against Cisco SD-WAN systems highlights a sophisticated approach by threat actors to compromise critical network infrastructure. The primary vector for initial access is the exploitation of CVE-2026-20127, an authentication bypass vulnerability that was previously undisclosed. This allows adversaries to circumvent security controls and gain unauthorized entry into the SD-WAN environment.

Attack Chain & Exploitation

Once initial access is established via CVE-2026-20127, actors proceed to escalate privileges using CVE-2022-20775. This privilege escalation is a critical step, granting them elevated permissions necessary to conduct further malicious activities, including establishing long-term persistence mechanisms within the compromised Cisco SD-WAN systems. The ability to maintain persistence ensures continued access even after potential reboots or initial mitigation attempts, posing a significant challenge for incident responders.

CISA’s inclusion of both vulnerabilities in its KEV Catalog on February 25, 2026, serves as a strong indicator that these flaws are not merely theoretical but are actively being exploited in the wild. The focus on Cisco SD-WAN systems is particularly concerning given their role in managing and securing enterprise network traffic, making them high-value targets for espionage, data exfiltration, or disruptive attacks.

Actionable Recommendations

Given the active and critical nature of these exploits, immediate and decisive action is required for all organizations utilizing Cisco SD-WAN systems. CISA has outlined specific requirements for Federal Civilian Executive Branch (FCEB) agencies in Emergency Directive (ED) 26-03 and Supplemental Direction ED 26-03, which provide a robust framework for all organizations to follow.

Immediate Mitigation Steps

1. Inventory All Systems: Identify and document all in-scope Cisco SD-WAN systems within your network immediately.
2. Collect Artifacts: Gather virtual snapshots and logs from SD-WAN systems to support ongoing threat hunting and forensic analysis. This data is vital for detecting evidence of compromise.
3. Apply Patches: Fully patch all identified Cisco SD-WAN systems with the latest available updates provided by Cisco. Refer to Cisco’s advisories: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability and Cisco Catalyst SD-WAN Vulnerabilities.
4. Threat Hunt: Actively hunt for evidence of compromise using indicators of compromise (IOCs) and methodologies provided in the Cisco SD-WAN Threat Hunt Guide, co-sealed by the authoring organizations.
5. Review Hardening Guidance: Concurrently review and implement recommendations from Cisco’s latest security advisories and the Cisco Catalyst SD-WAN Hardening Guide.

Long-Term Hardening Measures

Organizations should implement comprehensive hardening measures to reduce the attack surface and enhance the resilience of Cisco SD-WAN deployments. Key recommendations from Cisco’s hardening guide include:

• Network Perimeter Controls:
  • Ensure control components are positioned behind a firewall.
  • Isolate VPN 512 interfaces.
  • Utilize IP blocks for manually provisioned edge IPs to restrict unauthorized access.
• SD-WAN Manager Access:
  • Replace the default self-signed certificate for the web user interface with a trusted certificate.
• Control and Data Plane Security:
  • Implement pairwise keys for enhanced authentication and encryption between components.
• Session Management:
  • Configure session timeouts to the shortest possible duration to minimize the window of opportunity for unauthorized access.
• Logging:
  • Ensure all logs are forwarded to a remote syslog server for centralized monitoring, analysis, and tamper resistance.

Adhering to these recommendations is vital for mitigating the immediate threat and fortifying Cisco SD-WAN infrastructure against future attacks.