Immediate Action Required: CISA Issues Emergency Directive to Secure Cisco SD-WAN Systems


WASHINGTON — The Cybersecurity and Infrastructure Security Agency (CISA) today issued Emergency Directive (ED) 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems and Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems, in response to a significant cyber threat targeting federal networks utilizing certain Cisco systems and software. CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require immediate action. 

“CISA remains unwavering in its commitment to protect our federal networks from malicious cyber threat actors despite the multi-week government shutdown of the Department of Homeland Security (DHS),” said CISA Acting Director Dr. Madhu Gottumukkala. “Operational disruptions create strain and uncertainty, give our adversaries unnecessary advantages, and force our frontline cybersecurity experts to carry out critical work without pay. Based on collaboration with international partners and CISA’s forensic analysis, the ease with which these vulnerabilities can be exploited demands immediate action from all federal agencies. We urge all entities to implement the measures outlined in this Emergency Directive without delay. CISA leadership and all (excepted) staff remain committed to fulfilling our mission while protecting the American people.”

In response to this threat, CISA released an Alert along with joint guidance, Cisco SD-WAN Threat Hunt Guide, based on investigative data, to support network defenders’ detection of and response to the malicious actors’ threat activity. Authoring agencies include: 

  • United States National Security Agency (NSA)
  • United States Cybersecurity and Infrastructure Security Agency (CISA)
  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
  • Canadian Centre for Cyber Security (Cyber Centre)
  • New Zealand National Cyber Security Centre (NCSC-NZ)
  • United Kingdom National Cyber Security Centre (NCSC-UK) 

CISA and the authoring organizations strongly urge network defenders to immediately: 

1) Inventory: all in-scope Cisco SD-WAN systems. 

2) Collect artifacts: including virtual snapshots and logs of SD-WAN systems.  

3) Patch: Cisco SD-WAN systems, including for CVE-2026-20127 and CVE-2022-20775.  

4) Hunt: for evidence of compromise. 

5) Implement: as outlined in Cisco’s Catalyst SD-WAN Hardening Guide and review their blog.

As agencies implement these requirements, CISA will monitor compliance, provide technical assistance, and deliver additional resources as needed. This directive underscores CISA’s commitment to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian networks. 

For required actions and implementation details, review Emergency Directive 26-03 on https://www.cisa.gov/news-events/directives.  

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.


