A newly issued emergency directive from the US Cybersecurity and Infrastructure Security Agency (CISA) has warned that attackers are actively exploiting vulnerabilities in Cisco Catalyst SD-WAN infrastructure used across US federal networks.

The directive, known as Emergency Directive 26-03, orders federal agencies to urgently identify affected systems, collect forensic evidence, apply security updates and investigate potential compromises.

The warning centers on a flaw tracked as CVE-2026-20127, described as a critical authentication bypass vulnerability with a CVSS severity score of 10. Security officials say the bug could allow an unauthenticated attacker to obtain administrative access to SD-WAN infrastructure. Such access could enable threat actors to manipulate network configurations or disrupt traffic across government systems.

The affected technology is widely used to manage distributed enterprise networks, meaning successful exploitation could grant attackers broad control over key communications infrastructure.

Agencies Ordered to Collect Evidence and Patch Systems

Federal agencies must carry out a sequence of actions under the directive:

- Identify all affected Cisco SD-WAN systems and submit an inventory to CISA
- Configure devices to store logs externally and collect forensic artifacts
- Apply vendor security updates addressing the listed vulnerabilities
- Hunt for evidence of compromise and rebuild infrastructure if root access is detected
- Report remediation and logging actions to CISA by multiple deadlines through March 23, 2026

The directive also requires agencies to provide logging data through CISA's Cloud Logging Aggregation Warehouse program, allowing investigators to analyze activity across networks.
The requirements apply to federal civilian executive branch systems, including IT environments operated directly by agencies and those hosted by third-party providers on their behalf.

Directive Signals Ongoing Investigation Into Exploitation

Security specialists say the directive's emphasis on artifact collection and centralized logging suggests investigators are working to determine how widely the vulnerabilities may have been used.

"CISA has clear reason to believe that these vulnerabilities have been, and likely continue to be, exploited by threat actors to compromise government systems and networks," Bobby Kuzma, director of offensive operations at ProCircular, said. "The requests for artifact collection and submission make it clear they're working to identify the scope of the threat.

"While contractors and civilian organizations are not required or requested to follow similar collection steps, if you have Cisco SD-WAN appliances in your environment, this is a good time to collect artifacts and review patch statuses and logs," Kuzma added.

Federal agencies are required by law to comply with emergency directives issued by CISA when significant cybersecurity threats to government systems are identified.
CISA Emergency Directive 26-03 warns of active exploitation of CVE-2026-20127, a critical authentication bypass vulnerability (CVSS 10.0) in Cisco Catalyst SD-WAN Manager that allows unauthenticated attackers to gain administrative access. Affected versions are Cisco Catalyst SD-WAN Manager before 20.9.8.2, 20.11.x before 20.12.5.3, 20.13.x before 20.15.4.2, 20.16.x before 20.18.2.1, and version 20.12.6. Organizations must immediately apply the relevant fixed versions (20.9.8.2, 20.12.5.3, 20.15.4.2, or 20.18.2.1), collect forensic artifacts, and investigate for signs of compromise.
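The first step the directive demands is an inventory of affected systems, and the version list above is what that inventory has to be checked against. The script below is an added example written for this page, not CISA or Cisco tooling: it parses Cisco Catalyst SD-WAN Manager version strings and decides, per release train, whether a version is below the fixed build. The branch boundaries are an interpretation of the summary's wording (for instance, "20.11.x before 20.12.5.3" is read as the 20.11 to 20.12 train, and everything below 20.9.8.2 as the 20.9 train); versions the summary does not cover, such as 20.10.x or 20.19.x, are reported as "not_listed" rather than guessed. The inventory at the bottom is constructed sample data.

```python
"""Triage Cisco Catalyst SD-WAN Manager versions against the CVE-2026-20127
fixed-version list quoted in the article.

Added example, not vendor or CISA tooling.  Train boundaries are an
assumption derived from the article's wording; anything it does not list
is returned as 'not_listed' and should be checked against the vendor advisory.
"""

from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (lowest minor, highest minor, fixed version) per release train, as listed
# in the article.  Everything below 20.9.8.2 is treated as the 20.9 train.
FIXED_BY_TRAIN: List[Tuple[int, int, str]] = [
    (0, 9, "20.9.8.2"),
    (11, 12, "20.12.5.3"),
    (13, 15, "20.15.4.2"),
    (16, 18, "20.18.2.1"),
]


def parse_version(text: str) -> Version:
    """'20.12.5' -> (20, 12, 5, 0); pads to four fields so tuples compare cleanly."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


# The article lists 20.12.6 as affected even though it sorts above 20.12.5.3,
# so it needs an explicit exception rather than a plain "less than fixed" test.
EXPLICITLY_AFFECTED = {parse_version("20.12.6")}


def assess_version(text: str) -> Dict[str, Optional[str]]:
    """Return status ('vulnerable', 'fixed' or 'not_listed') plus the fixed
    build for that train, based only on the versions named in the article."""
    version = parse_version(text)
    major, minor = version[0], version[1]
    if major == 20:
        for low, high, fixed in FIXED_BY_TRAIN:
            if low <= minor <= high:
                affected = (version < parse_version(fixed)
                            or version in EXPLICITLY_AFFECTED)
                return {
                    "version": text,
                    "status": "vulnerable" if affected else "fixed",
                    "fixed_version": fixed,
                }
    return {"version": text, "status": "not_listed", "fixed_version": None}


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Run assess_version over (hostname, version) pairs; keep only the
    entries that still need action (vulnerable or not covered by the list)."""
    findings = []
    for host, ver in inventory:
        result = assess_version(ver)
        if result["status"] != "fixed":
            result["host"] = host
            findings.append(result)
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("sdwan-mgr-east", "20.9.8.1"),
    ("sdwan-mgr-west", "20.12.6"),
    ("sdwan-mgr-lab", "20.15.4.2"),
    ("sdwan-mgr-dr", "20.19.1"),
]

if __name__ == "__main__":
    for finding in triage_inventory(SAMPLE_INVENTORY):
        print(f"{finding['host']:16} {finding['version']:10} "
              f"{finding['status']:12} fix: {finding['fixed_version']}")
```

Running it prints the two hosts below their train's fixed build and the one on a version the article does not cover, while the host already on 20.15.4.2 is omitted. A "not_listed" result is deliberately not treated as safe: it just means the page's list says nothing about that train.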