Image: Curated Lifestyle via Unsplash+/Photomosh

Five Eyes allies warn hackers are actively exploiting Cisco SD-WAN flaws

Cybersecurity agencies from the Five Eyes intelligence alliance urgently warned Wednesday that “an advanced threat actor” is actively exploiting new flaws in Cisco networking equipment, pressing organizations to look for signs their systems may already have been compromised.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive warning of a “cyber threat actor’s ongoing exploitation of Cisco SD-WAN systems,” describing the activity as presenting a significant risk to federal civilian executive branch networks.

The vulnerabilities cited in the alerts include CVE-2026-20127 and CVE-2022-20775, which have been linked to real-world exploitation. CISA said it has assessed that the conditions pose “an unacceptable risk to federal agencies and necessitate emergency action.”

The British National Cyber Security Centre (NCSC) also said “malicious cyber threat actors are targeting Cisco Catalyst Software Defined Wide Area Networks (SD-WAN) used by organisations globally,” underscoring that the activity is not limited to the United States.

The NCSC’s chief technology officer, Ollie Whitehouse, said organizations using the affected Cisco products “should urgently investigate their exposure to network compromise” and start to hunt for evidence that a compromise has taken place.

Cisco’s own advisory warns “multiple vulnerabilities” in its product “could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information, and overwrite arbitrary files.”

The company stressed that the vulnerabilities “are not dependent on one another”: exploiting one of them is not a prerequisite for exploiting another.

As part of the joint alert, the Australian Signals Directorate, the country’s cyber and signals intelligence agency, published a technical “hunt guide” to help organizations understand whether hackers are already inside their systems.

According to the guide, at least one malicious cyber actor has been compromising Cisco SD-WAN environments since 2023 using a zero-day vulnerability that was identified late last year and has since been patched.

“The vulnerability allowed a malicious cyber actor to create a rogue peer joined to the network management plane, or control plane, of an organisation’s SD-WAN,” the document says. “The rogue device appears as a new but temporary, actor-controlled SD-WAN component that can conduct trusted actions within the management and control plane.”

The hunt guide describes how attackers who gained this level of access were able to establish long-term persistence, including by obtaining root access and taking steps to evade detection, such as interfering with logging and other monitoring.

The agencies have not publicly identified the threat groups believed to be behind the activity.

Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79