A newly issued emergency directive from the US Cybersecurity and Infrastructure Security Agency (CISA) has warned that attackers are actively exploiting vulnerabilities in Cisco Catalyst SD-WAN infrastructure used across US federal networks.
The directive, known as Emergency Directive 26-03, orders federal agencies to urgently identify affected systems, collect forensic evidence, apply security updates and investigate potential compromises.
The warning centers on a flaw tracked as CVE-2026-20127, described as a critical authentication bypass vulnerability with a CVSS severity score of 10. Security officials say the bug could allow an unauthenticated attacker to obtain administrative access to SD-WAN infrastructure.
Such access could enable threat actors to manipulate network configurations or disrupt traffic across government systems. The affected technology is widely used to manage distributed enterprise networks, meaning successful exploitation could grant attackers broad control over key communications infrastructure.
Agencies Ordered to Collect Evidence and Patch Systems
Federal agencies must carry out a sequence of actions under the directive:
- Identify all affected Cisco SD-WAN systems and submit an inventory to CISA
- Configure devices to store logs externally and collect forensic artifacts
- Apply vendor security updates addressing the listed vulnerabilities
- Hunt for evidence of compromise and rebuild infrastructure if root access is detected
- Report remediation and logging actions to CISA by multiple deadlines through March 23, 2026
The directive also requires agencies to provide logging data through CISA’s Cloud Logging Aggregation Warehouse program, allowing investigators to analyze activity across networks. The requirements apply to federal civilian executive branch systems, including IT environments operated directly by agencies and those hosted by third-party providers on their behalf.
Directive Signals Ongoing Investigation Into Exploitation
Security specialists say the directive’s emphasis on artifact collection and centralized logging suggests investigators are working to determine how widely the vulnerabilities may have been used.
“CISA has clear reason to believe that these vulnerabilities have been, and likely continue to be, exploited by threat actors to compromise government systems and networks,” Bobby Kuzma, director of offensive operations at ProCircular, said. “The requests for artifact collection and submission make it clear they’re working to identify the scope of the threat.
“While contractors and civilian organizations are not required or requested to follow similar collection steps, if you have Cisco SD-WAN appliances in your environment, this is a good time to collect artifacts and review patch statuses and logs,” Kuzma added.
Federal agencies are required by law to comply with emergency directives issued by CISA when significant cybersecurity threats to government systems are identified.
