Cisco has disclosed a critical zero-day vulnerability in its core network software that hackers have exploited since 2023. The flaw carries a maximum severity score of 10 out of 10.
Unauthenticated remote attackers can exploit the bug to bypass authentication mechanisms. This allows them to quickly obtain administrative privileges on corporate network virtual control rooms.
Affected Systems and Impact
The vulnerability, officially tracked as CVE-2026-20127, impacts Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. These specific systems act as critical control components for geographically distributed office locations.
According to Cisco, threat actors exploit a faulty peering authentication mechanism by sending crafted requests. Once inside, intruders can manipulate the network configuration to secretly redirect, block, or intercept corporate traffic.
CISA Issues Emergency Directive
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive regarding the active exploitation. CISA confirmed that hackers use the rogue device access to escalate privileges and maintain network persistence.
The Australian Signals Directorate’s Australian Cyber Security Centre originally discovered and reported the ongoing attacks to Cisco. CISA warns that malicious activity likely began in 2023, urging organizations to expand their threat-hunting timelines accordingly. Security experts observed hackers deleting forensic artifacts and clearing logs to evade detection.
Immediate Mitigation and Required Actions
Cisco has released emergency software updates to fix CVE-2026-20127. The tech giant states there are no alternative workarounds available, making immediate patching strictly essential.
To fully secure affected networks, CISA and Cisco recommend organizations implement the following mitigation steps:
Upgrade affected SD-WAN systems to the latest fixed software releases provided by Cisco.
Restrict system access to known hosts and protect control components behind strict firewalls.
Actively hunt for lateral movement, as hackers have been observed moving outside the SD-WAN environment.
Deploy fresh infrastructure from patched images if a root account compromise is detected.
Federal agencies face strict deadlines to ensure external log collection and completely apply the Cisco-provided updates. Administrators must report any findings of compromised systems immediately to federal authorities.
