WaterISAC Notification – CISA Sends Emergency Directive to Mitigate Actively Exploited Vulnerabilities in Cisco SD-WAN Systems

(TLP:CLEAR) Yesterday, CISA issued an alert and “Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems” in response to cyber threat actors’ observed exploitation of Cisco Software-Defined Wide-Area Networking (SD‑WAN) systems on Federal Civilian and Executive Brach (FCEB) networks. While only FCEB agencies are required to implement CISA Emergency Directives (EDs), the risks extend to every organization and sector using these systems, and we strongly urge all utilities to review and adopt the actions outlined in the ED and associated resources.

Malicious cyber actors are targeting and compromising Cisco SD-WAN systems of organizations globally. These actors are exploiting multiple Cisco vulnerabilities, including CVE-2026-20127 and CVE-2022-20775, to ultimately gain root access and establish long-term persistence in SD-WAN systems across multiple industries.