(TLP:CLEAR) CISA Issues Update to Its Emergency Directive: Mitigate Vulnerabilities in Cisco SD-WAN Systems
Created: Thursday, March 12, 2026 - 13:39
Categories: Cybersecurity, Federal & State Resources, Security Preparedness
Summary: Yesterday, CISA released an update to “Emergency Directive (ED) 26-03: Mitigate Vulnerabilities in Cisco Software-Defined Wide-Area Networking (SD-WAN) Systems” that requires new actions and an additional reporting requirement for federal agencies running affected products.
Federal Civilian Executive Branch (FCEB) agencies are directed to take additional actions outlined in the update involving Cisco SD-WAN systems on agency networks or hosted by third parties on an agency’s behalf.
The original ED came in response to cyber threat actors’ observed exploitation of Cisco SD-WAN systems on FCEB networks. In addition, threat actors have been seen targeting and compromising SD-WAN systems of organizations (not only government networks) globally. These actors have exploited multiple Cisco vulnerabilities, including CVE-2026-20127 and CVE-2022-20775, to ultimately gain root access and establish long-term persistence in SD-WAN systems across multiple industries. While only FCEB agencies are required to implement CISA EDs, the risks extend to every organization and sector using these systems, and WaterISAC strongly urges all utilities to review and adopt the actions outlined in the ED and associated resources.
CISA also updated its Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems to provide prescriptive actions for FCEB agencies and other organizations.
Analyst Note: Threat actors frequently take advantage of software vulnerabilities in network edge devices to penetrate critical infrastructure networks and systems. WaterISAC partners have observed a rapid increase in attacks targeting these devices. In addition to the resources above, WaterISAC encourages members to review CISA’s “Guidance and Strategies to Protect Network Edge Devices” from last year, which outlines several strategies to enhance network security and resilience before and after an incident.
Additionally, China-nexus threat actors have shown increased interest in U.S. critical infrastructure, as well as the capability to remain undetected in target systems for extended periods of time. These threat actors have also shown a propensity to target Cisco edge devices to gain access to critical infrastructure entities.
Original Source: https://www.cisa.gov/news-events/directives/v1-ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
Additional Reading:
- (TLP:CLEAR) WaterISAC Notification – CISA Sends Emergency Directive to Mitigate Actively Exploited Vulnerabilities in Cisco SD-WAN Systems
- Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems
- (TLP:CLEAR) Cisco Zero-Day Actively Exploited in Cisco Secure Email Gateway and Secure Email and Web Manager, China-Nexus Actors Suspected
- (TLP:AMBER) Partner Report: Increase in Targeting of Network Edge Devices Vulnerabilities
Related WaterISAC PIRs: 6, 6.1, 7, 7.1, 8, 10, 10.2, 12
