(TLP:CLEAR) WaterISAC Notification – CISA Sends Emergency Directive to Mitigate Actively Exploited Vulnerabilities in Cisco SD-WAN Systems
Created: Thursday, February 26, 2026 - 9:33
Categories: Cybersecurity, Federal & State Resources, Security Preparedness
ACTION MAY BE REQUIRED for utilities that utilize Cisco Software-Defined Wide-Area Networking (SD-WAN) systems. Utilities that outsource technology support may need to consult with their service providers for assistance with remediation actions.
Summary: Today, CISA issued an Alert and Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems in response to cyber threat actors’ observed exploitation of Cisco Software-Defined Wide-Area Networking (SD-WAN) systems on Federal Civilian Executive Branch (FCEB) networks. While only FCEB agencies are required to implement CISA Emergency Directives (EDs), the risks extend to every organization and sector using these systems, and we strongly urge all utilities to review and adopt the actions outlined in the ED and associated resources.
Malicious cyber actors are targeting and compromising Cisco SD-WAN systems of organizations globally. These actors are exploiting multiple Cisco vulnerabilities, including CVE-2026-20127 and CVE-2022-20775, to ultimately gain root access and establish long-term persistence in SD-WAN systems across multiple industries.
In addition to the Alert and ED, CISA has shared additional resources to support mitigation efforts:
- Supplemental Direction ED 26-03: Hunt & Hardening Guidance for Cisco SD-WAN Systems: This resource provides detailed instructions for implementing the requirements outlined in ED 26-03.
- Cisco SD-WAN Threat Hunt Guide: Developed in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre, the U.S. National Security Agency, and global partners, this guide supports network defenders in detecting and responding to malicious activity targeting SD-WAN systems.
- Cisco Catalyst SD-WAN Hardening Guidance: This guidance, developed by Cisco, provides actionable mitigations for network defenders to strengthen and secure SD-WAN networks.
Analyst Note: Threat actors frequently take advantage of software vulnerabilities in network edge devices to penetrate critical infrastructure networks and systems. WaterISAC partners have observed a rapid increase in attacks targeting these devices. In addition to the resources above, members are encouraged to review CISA’s “Guidance and Strategies to Protect Network Edge Devices” from last year, which outlines several strategies to enhance network security and resilience before and after an incident.
Additionally, China-Nexus threat actors have shown increased interest in U.S. critical infrastructure, as well as the capability to remain undetected in target systems for extended periods of time. These threat actors have also shown a propensity to target Cisco edge devices to gain access to critical infrastructure entities.
Original Source: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
Additional Reading:
- (TLP:AMBER) Partner Report: Increase in Targeting of Network Edge Devices Vulnerabilities
- (TLP:CLEAR) CISA Releases Implementation Guidance for Emergency Directive 25-03 on CISCO ASA and Firepower Devices
- (TLP:CLEAR) Cisco Zero-Day Actively Exploited in Cisco Secure Email Gateway and Secure Email and Web Manager, China-Nexus Actors Suspected
Incident Reporting
WaterISAC encourages any members who have experienced malicious or suspicious activity to email an*****@*******ac.org, call 866-H2O-ISAC, or use the confidential online incident reporting form.
