For over three years, global threat actors have been secretly exploiting vulnerabilities in Cisco’s SD-WAN software, enabling unauthorized access to critical networks without detection. Despite the ongoing sophistication of cybersecurity tools, attackers managed to leverage these vulnerabilities to establish persistent footholds in high-value targets, including government agencies and infrastructure providers. The latest findings have prompted urgent action from multiple international authorities, highlighting the persistent challenges cybersecurity defenders face. Authorities stress the importance of systematic patching and monitoring, pointing out that some affected organizations may have difficulty fully remedying past breaches due to the duration of unmonitored activity.
When similar incidents involving Cisco edge technologies surfaced previously, detection lagged behind exploitation by more than a year, allowing attackers to operate undetected. Earlier attacks, which also used multiple zero-days, received emergency directives only after prolonged exposure, showing a recurring challenge in identifying these issues promptly. Comparing the current situation with prior cases reveals a consistent delay in both discovery and response—underscoring the systemic hurdles in threat intelligence sharing and vulnerability management across sectors.
How Did Cisco’s SD-WAN Vulnerabilities Get Exploited?
Security researchers identified two key zero-day vulnerabilities—CVE-2026-20127 and CVE-2022-20775—in Cisco’s SD-WAN software. Attackers first bypassed authentication with CVE-2026-20127, then downgraded the software to exploit CVE-2022-20775, enabling root-level access on targeted systems. This approach requires precise product knowledge and intent, as noted by Douglass McKee of Rapid7, who commented,
“That second step allows them to move from administrative control to root on the underlying operating system. That downgrade step shows deliberate knowledge of product versioning and patch history.”
What Action Are Authorities and Cisco Taking?
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive, requiring all federal agencies to inventory and patch affected Cisco SD-WAN systems without delay. Joint guidance was released by CISA and its Five Eyes partners to help organizations detect compromises and harden network defenses. Cisco emphasized the need for immediate software upgrades, sharing that
“Customers should upgrade vulnerable software and closely follow advisory guidance to minimize exposure.”
The urgency of these measures reflects concerns that attackers may still be active on compromised networks.
How Does This Campaign Compare to Earlier Attacks?
This campaign follows a pattern observed in previous Cisco-related attacks, where adversaries used advanced techniques to avoid detection for extended periods. Both the current and earlier incidents involved zero-day vulnerabilities being used in the wild for over a year prior to public disclosure. Experts suggest the discipline and stealth shown signal objectives more consistent with espionage than financial theft, as attackers navigate patch histories and avoid raising alarms.
Organizations relying on Cisco SD-WAN solutions must approach security with awareness that advanced threat actors remain persistent and patient in maintaining access. Regular auditing, timely patching, and incident response readiness remain essential when dealing with high-value infrastructure. For those whose systems may already be compromised, rebuilding environments and reviewing historic logs for intrusions is advised. Swift information sharing and collaboration between security vendors, government agencies, and the private sector are key to minimizing the risk and scope of such sophisticated campaigns.
