Five Eyes allies warn hackers are actively exploiting Cisco SD-WAN flaws

Summary

Cybersecurity agencies from the Five Eyes alliance have issued urgent warnings that “an advanced threat actor” is actively exploiting multiple vulnerabilities in Cisco SD-WAN and Catalyst SD-WAN products. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive (ED-26-03) describing ongoing exploitation that poses an unacceptable risk to federal civilian networks. The alerts reference CVE-2026-20127 and CVE-2022-20775 among other flaws that have seen real-world attacks.

The UK NCSC and Australia’s cyber agency (ASD) joined the alerting, with ASD publishing a technical hunt guide to help organisations detect intrusions. Cisco’s advisory warns that multiple, independent vulnerabilities could allow attackers to access affected systems, escalate to root, read sensitive data and overwrite arbitrary files. At least one actor has reportedly exploited a zero-day since 2023 to create rogue peers on the SD-WAN control/management plane, enabling persistent, stealthy access and interference with logging and monitoring.

Key Points

  • Five Eyes partners (CISA, NCSC, ASD and others) warn of active exploitation of Cisco SD-WAN vulnerabilities.
  • CISA issued an emergency directive (ED-26-03) due to the unacceptable risk to federal networks.
  • Vulnerabilities implicated include CVE-2026-20127 and CVE-2022-20775; Cisco confirms multiple independent flaws.
  • Attackers have used a zero-day since 2023 to create rogue SD-WAN peers on the management/control plane.
  • Compromises enabled root access, long-term persistence and anti-detection measures such as log interference.
  • ASD published a detailed hunt guide to help organisations check for indicators of compromise.
  • The agencies have not publicly named the threat groups conducting the activity.

Why should I read this?

Short version: if you run Cisco SD‑WAN, this is urgent. Exploitation is already happening in the wild and the attackers are establishing persistence rather than passing through. Read this so you know which CVEs to prioritise, which behaviours to hunt for (rogue peers, tampered logs, unexpected root activity), and where to find the official guidance and hunt playbooks you need to act now.

Context and relevance

This alert matters because SD‑WAN is control plane technology: a compromised controller lets attackers perform trusted actions across an organisation’s entire network fabric. The cross‑national Five Eyes advisory and the CISA emergency directive underline the severity and the systemic risk. This is not a set of isolated incidents but a pattern affecting public and private sectors globally. Network teams, security operations, MSPs and CISOs should treat it as a high‑priority incident: patch where possible, run the ASD hunt guide, validate monitoring and isolate affected components.

Source

Source: https://therecord.media/five-eyes-warn-hackers-exploit-cisco-sd-wan