CISA orders all federal agencies to patch exploited bug in Cisco SD-WAN systems by Sunday
Federal agencies have until Sunday to patch a new critical vulnerability in Cisco SD-WAN systems after the bug was discovered by incident responders in March.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said CVE-2026-20182 is a critical vulnerability tied to a previous campaign that caused international alarm in February.
Cisco released a patch for the vulnerability on Thursday, writing in an advisory that it could “allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.”
The company said the bug carries the maximum 10 out of 10 severity score and that exploitation was observed this month.
In its own notice, CISA said federal agencies should not only apply the patch released by Cisco but also follow additional guidance that was released in an emergency directive in February. That directive ordered all agencies to identify all Cisco SD-WAN systems within their networks, collect logs, hunt for evidence of compromise and provide all of the information to CISA within days.
CISA did not respond to requests for comment about the new deadlines for the information that agencies must send to it.
Incident responders from Rapid7 discovered the vulnerability while researching the previous bug, which was similar but located in a different part of the networking stack. Douglas McKee, director of vulnerability intelligence at Rapid7, said in a blog post that the vulnerability “behaves like a master key.”
“An attacker can present themselves to the controller as a trusted network router and, if the system accepts that claim without properly validating it, they can obtain the highest level of administrative access,” he said.
“That is the cybersecurity version of a Jedi mind trick. The controller is effectively told to trust something it has no business trusting, as if an attacker waves a hand and says, ‘these are not the droids you are looking for.’ And with CVE-2026-20182, the controller just nods and lets them pass.”
The emergency directive released by CISA in February was coordinated with cybersecurity agencies from the Five Eyes intelligence alliance. All of the agencies urgently warned at the time that “an advanced threat actor” was actively exploiting the flaws in Cisco networking equipment.
McKee noted in his blog post that, like the bug from February, CVE-2026-20182 is “ideal” for nation-state actors looking to pre-position themselves on victim networks.
“They are usually not looking for a smash and grab. They want persistence. They want access that blends in. They want to sit in the right place long enough to observe, influence, and pivot when the time is right,” McKee wrote. “An SD-WAN controller is a great place to do that, because it lives in the middle of trust relationships most organizations rarely question.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.



