VYPR
kev · Published Mar 12, 2026 · Updated May 18, 2026 · 1 source

CISA Emergency Directive 26-03 Orders Federal Agencies to Patch Actively Exploited Cisco SD-WAN Flaw

CISA has issued Emergency Directive 26-03 over active exploitation of CVE-2026-20127, a critical authentication bypass in Cisco Catalyst SD-WAN that gives unauthenticated attackers administrative access to federal networks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 26-03, ordering federal agencies to urgently address active exploitation of a critical vulnerability in Cisco Catalyst SD-WAN infrastructure. The flaw, tracked as CVE-2026-20127, carries a CVSS severity score of 10 and allows unauthenticated attackers to gain administrative access to SD-WAN appliances, potentially enabling them to manipulate network configurations or disrupt traffic across government systems.

Cisco Catalyst SD-WAN is widely deployed across federal civilian executive branch agencies to manage distributed enterprise networks. The vulnerability affects the web-based management interface of the SD-WAN controllers that orchestrate and monitor those networks. Successful exploitation could grant attackers broad control over key communications infrastructure, making this a high-priority threat for national security.

Under Emergency Directive 26-03, federal agencies must immediately identify all affected Cisco SD-WAN systems and submit an inventory to CISA. Agencies are also required to configure devices to store logs externally, collect forensic artifacts, and apply vendor security updates. The directive mandates that agencies hunt for evidence of compromise and rebuild infrastructure if root access is detected. All remediation and logging actions must be reported to CISA by a series of deadlines running through March 23, 2026.

The directive also requires agencies to provide logging data through CISA’s Cloud Logging Aggregation Warehouse program, allowing investigators to analyze activity across networks. The requirements apply to IT environments operated directly by agencies and those hosted by third-party providers on their behalf.

Security experts say the directive’s emphasis on artifact collection and centralized logging suggests investigators are working to determine how widely the vulnerabilities may have been used. “CISA has clear reason to believe that these vulnerabilities have been, and likely continue to be, exploited by threat actors to compromise government systems and networks,” said Bobby Kuzma, director of offensive operations at ProCircular. “The requests for artifact collection and submission make it clear they’re working to identify the scope of the threat.”

While the directive applies only to federal civilian executive branch agencies, Kuzma advised that private sector organizations using Cisco SD-WAN appliances should also take immediate action. “If you have Cisco SD-WAN appliances in your environment, this is a good time to collect artifacts and review patch statuses and logs,” he added.

CISA’s emergency directives are legally binding for federal agencies under the Cybersecurity and Infrastructure Security Agency Act of 2018. The agency has issued only a handful of emergency directives in recent years, typically in response to widespread, active exploitation of critical vulnerabilities affecting government systems. This latest directive underscores the severity of the Cisco SD-WAN flaw and the urgency of patching to prevent network-level compromises.

Synthesized by Vypr AI