Five Eyes issue emergency directive on exploited Cisco SD-WAN zero-day

Software updates available: SD-WAN controllers play a central role in orchestrating traffic across distributed enterprise networks, including branch offices and cloud environments. Compromise at the controller level could provide attackers with broad visibility and control across large portions of an organization's network infrastructure.

In a separate security advisory, Cisco confirmed the vulnerability and released software updates to address it. According to the company, the flaw stems from insufficient validation of authentication requests within the SD-WAN peering process. An attacker sending specially crafted traffic could gain unauthorized access to the system and interact with internal interfaces.

Cisco said there are no workarounds for the vulnerability and urged customers to apply available patches immediately. The company also recommended reviewing system logs, validating controller integrity, and implementing additional hardening measures where possible.

CISA and other Five Eyes agencies advise organizations operating Cisco SD-WAN systems to prioritize patch deployment and conduct thorough compromise assessments to determine whether exploitation has already occurred.

CISA and the authoring organizations strongly urge network defenders to take the following steps immediately:
1. Inventory all in-scope Cisco SD-WAN systems.
2. Collect artifacts, including virtual snapshots and logs of SD-WAN systems, before patching so that evidence is preserved.
3. Patch Cisco SD-WAN systems, including for CVE-2026-20127 and CVE-2022-20775.
4. Hunt for evidence of compromise.
5. Implement hardening as outlined in Cisco's Catalyst SD-WAN Hardening Guide and review Cisco's accompanying blog post.

Disclosure comes amid strain at CISA: The disclosure comes amid heightened scrutiny of network infrastructure security. It also comes at a time when CISA, facing staffing reductions and operating under constraints tied to the ongoing Department of Homeland Security shutdown, is managing limited resources during a period of elevated threat activity.

CISA's Andersen, however, said that despite the ongoing multi-week Department of Homeland Security shutdown, "CISA remains fully committed to protecting federal networks from a malicious separate threat."

Emergency directives are binding on federal civilian agencies and are reserved for vulnerabilities that pose significant, immediate threats. Although the order applies specifically to government networks, CISA frequently encourages private-sector organizations to follow similar remediation timelines when critical vulnerabilities are being exploited in the wild.

Shift toward control plane targets: The coordinated disclosures from Talos, Cisco, and the government agencies highlight an ongoing shift in attacker priorities. Rather than targeting only endpoints or user-facing applications, sophisticated groups are increasingly pursuing control-plane technologies such as SD-WAN, firewalls, and identity systems that offer strategic network access.

Compromising SD-WAN infrastructure can yield high operational leverage. Because controllers manage routing, policy enforcement, and device authentication across distributed environments, an attacker with privileged access could disrupt traffic flows, redirect communications, or use the position to move laterally into cloud and on-premises assets.

The disclosures also reinforce long-standing concerns about the risk window between the discovery of a vulnerability and the deployment of patches. In this case, Talos indicated that exploitation activity may have preceded public disclosure by a significant period, suggesting that attackers were able to leverage the flaw before customers were aware of it.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4137562/five-eyes-issue-emergency-directive-on-exploited-cisco-sd-wan-zero-day.html
