Critical alert: exploitation of Cisco SD-WAN appliances


Friday, 27 February, 2026

The Australian Cyber Security Centre (ACSC) last night (26 February) released a critical alert that malicious cyberthreat actors are targeting the SD-WANs of organisations globally through exploitation of Cisco Software-Defined Wide Area Network (SD-WAN) technology, including via CVE-2026-20127.

Those organisations using Cisco Catalyst SD-WAN technology are urged to act now to investigate and mitigate.

CVE-2026-20127 refers to a Cisco Catalyst SD-WAN controller authentication bypass vulnerability. After exploiting this vulnerability, the malicious actors add a rogue peer and eventually gain root access to establish long-term persistence in SD-WANs.

The agencies listed below, hereafter referred to as the authoring organisations, released a Cisco SD-WAN Threat Hunt Guide (the Hunt Guide), based on investigative data, to support network defenders’ detection of and response to the malicious actors’ threat activity.

The Hunt Guide is being released by the following authoring and co-sealing agencies:

  • United States National Security Agency (NSA)
  • United States Cybersecurity and Infrastructure Security Agency (CISA)
  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
  • Canadian Centre for Cyber Security (Cyber Centre)
  • New Zealand National Cyber Security Centre (NCSC-NZ)
  • United Kingdom National Cyber Security Centre (NCSC-UK).
     

The authoring organisations strongly urge network defenders to:

Cisco’s Catalyst SD-WAN hardening guidance should be reviewed in full and includes advice on the following:

  • Network perimeter controls: Ensure control components are behind a firewall, isolate VPN 512 interfaces, and use IP blocks for manually provisioned edge IPs.
  • SD-WAN manager access: Replace the self-signed certificate for the web user interface.
  • Control and data plane security: Use pairwise keying.
  • Session timeout: Limit to the shortest period possible.
  • Logging: Forward to a remote syslog server.
     

ASD's ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations or individuals that have been impacted or require assistance can contact the ACSC via 1300 CYBER1 (1300 292 371).


  • All content Copyright © 2026 Westwick-Farrow Pty Ltd