Date: 26 February 2026
Severity: CRITICAL
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 26-03, requiring immediate action to address active exploitation of critical vulnerabilities in Cisco Catalyst SD-WAN systems. This is not a theoretical risk. Cybersecurity agencies from the Five Eyes intelligence alliance have urgently warned that an advanced threat actor is actively exploiting new flaws in Cisco networking equipment and are pressing organisations to look for signs their systems may already be compromised.
Critically for Australian and New Zealand organisations, this alert was co-authored with direct involvement from our own regional agencies. The Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), the New Zealand National Cyber Security Centre (NCSC-NZ), the NSA, the Canadian Centre for Cyber Security, and the UK's NCSC all contributed to the joint guidance.
Two CVEs are at the centre of this threat:
A newly disclosed authentication-bypass flaw and an older privilege-escalation flaw are being used in tandem to breach and maintain long-term persistence on affected devices. The six newly disclosed vulnerabilities carry severity ratings of "critical," while the older flaw is rated high severity.
Specifically: CVE-2026-20127 is a flaw in the peering authentication mechanism of the Cisco Catalyst SD-WAN Controller. A successful exploit allows an attacker to log in as a high-privileged internal user, access NETCONF, and manipulate network configuration across the entire SD-WAN fabric. CVE-2022-20775 is being chained with it to escalate privileges to root and maintain persistent control.
According to the ASD's ACSC hunt guide, at least one malicious actor has been compromising Cisco SD-WAN environments since 2023 using a zero-day vulnerability that was only identified late last year. That means some environments may have been silently compromised for over two years.
The directive covers Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) regardless of configuration, and Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart).
The Insicon Cyber Adaptive SOC team recommends all Australian and New Zealand organisations running Cisco SD-WAN infrastructure take the following steps immediately, in order:
1. Inventory your systems. Identify all Cisco Catalyst SD-WAN Manager and Controller instances across your environment, including those hosted by third parties on your behalf.
2. Collect forensic artefacts before patching. CISA's hunt and hardening guidance instructs organisations to collect forensic artefacts including admin core dumps and user home directories, and to ensure logs are stored externally to prevent tampering.
3. Apply patches immediately. Cisco strongly recommends upgrading to a fixed software release as the only way to fully remediate CVE-2026-20127. Do not delay this step, but note that patching closes the entry point only; it does not evict an attacker who already holds root on the device, which is why the hunt and rebuild steps below still apply after the upgrade.
4. Hunt for signs of compromise. Indicators of compromise include the creation and deletion of malicious user accounts, unexpected root logins, unauthorised SSH keys, changes that enable PermitRootLogin, unusually small or missing log files suggesting tampering, and software downgrades or unexpected reboots.
5. Harden your SD-WAN environment. Cisco's hardening guidance recommends placing control components behind a firewall, isolating VPN 512 interfaces, replacing self-signed certificates, and using pairwise keys for control and data plane security.
6. If root compromise is confirmed, do not attempt remediation of the existing instance. Agencies and organisations should deploy fresh vManage, vSmart, and vBond instances from patched images and migrate edges to the new infrastructure.
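As an added illustration of step 4 (example code written for this article, not a CISA, ASD or Cisco tool), the following Python script checks artefacts of the kind collected in step 2 for several of the indicators listed above: root SSH logins, short-lived accounts, PermitRootLogin being enabled, unrecognised SSH keys, and undersized or missing log files. The auth-log lines, sshd_config, authorized_keys entries and log-size listing are all constructed sample data; the file paths, the 1 KiB size threshold and the assumption that approved keys can be recognised by their comment field are the example's own choices, to be replaced with your environment's baseline.

```python
import re

# Constructed sample artefacts standing in for files exported from an SD-WAN
# Manager/Controller before patching. None of this is real device output.
SAMPLE_AUTH_LOG = """\
Feb 20 02:13:07 vmanage sshd[2231]: Accepted publickey for root from 203.0.113.45 port 51544 ssh2
Feb 20 02:13:09 vmanage useradd[2240]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
Feb 20 02:41:55 vmanage userdel[2310]: delete user 'svc_backup'
Feb 21 09:00:01 vmanage sshd[3001]: Accepted password for admin from 10.0.0.5 port 40110 ssh2
"""

SAMPLE_SSHD_CONFIG = """\
# sshd_config collected from the appliance (constructed)
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
"""

SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKNOWNKEY00000000000000000000000000 ops@corp
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUNKNOWNKEY1111111111111111111111111111 backdoor
"""
# Assumption: approved keys are tracked by their comment field in your baseline.
KNOWN_KEY_COMMENTS = {"ops@corp"}

# Constructed listing of log paths and sizes in bytes; None means the file is absent.
SAMPLE_LOG_SIZES = {
    "/var/log/auth.log": 4096,
    "/var/log/messages": 12,
    "/var/log/wtmp": None,
}
MIN_EXPECTED_LOG_BYTES = 1024  # assumed threshold for "unusually small"

ROOT_LOGIN_RE = re.compile(r"Accepted (\w+) for root from (\S+)")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
USERDEL_RE = re.compile(r"userdel\[\d+\]: delete user '([^']+)'")


def hunt_auth_log(text):
    """Flag root SSH logins and accounts created then deleted in the window."""
    findings, created = [], set()
    for line in text.splitlines():
        if m := ROOT_LOGIN_RE.search(line):
            findings.append(f"root SSH login via {m.group(1)} from {m.group(2)}")
        if m := USERADD_RE.search(line):
            created.add(m.group(1))
        if m := USERDEL_RE.search(line):
            name = m.group(1)
            if name in created:
                findings.append(f"account {name} created and deleted within the collected window")
            else:
                findings.append(f"account {name} deleted")
    return findings


def check_sshd_config(text):
    """sshd honours the first uncommented PermitRootLogin directive; anything but 'no' lets root in."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            value = parts[1].strip().lower()
            return [] if value == "no" else [f"PermitRootLogin set to '{value}' (root SSH login allowed)"]
    # OpenSSH 7.0+ defaults to prohibit-password, which still permits key-based root login.
    return ["PermitRootLogin not set; OpenSSH default prohibit-password allows key-based root login"]


def check_authorized_keys(text, known_comments):
    """Report any key whose comment is not in the approved baseline."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        comment = parts[2] if len(parts) > 2 else "<no comment>"
        if comment not in known_comments:
            findings.append(f"unrecognised {parts[0]} key in authorized_keys ({comment})")
    return findings


def check_log_sizes(sizes, min_bytes):
    """Missing or near-empty logs are a tampering indicator, not just a storage quirk."""
    findings = []
    for path, size in sizes.items():
        if size is None:
            findings.append(f"{path} missing")
        elif size < min_bytes:
            findings.append(f"{path} unusually small ({size} bytes)")
    return findings


def run_hunt():
    """Run every check over the sample artefacts and return the combined findings."""
    return (hunt_auth_log(SAMPLE_AUTH_LOG)
            + check_sshd_config(SAMPLE_SSHD_CONFIG)
            + check_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEY_COMMENTS)
            + check_log_sizes(SAMPLE_LOG_SIZES, MIN_EXPECTED_LOG_BYTES))


if __name__ == "__main__":
    for finding in run_hunt():
        print("FINDING:", finding)
```

Run it against the real exports by replacing the sample constants with file contents read from the artefact bundle collected in step 2; run it on the copies, not on the live appliance, so the hunt itself does not disturb evidence. Any finding from the root-login, account-churn or PermitRootLogin checks should be treated as confirmed root compromise for the purposes of step 6 unless change records explain it.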
This joint guidance carries particular weight for Australian and New Zealand organisations. The ASD's ACSC was credited by Cisco as the agency that originally reported CVE-2026-20127, and NCSC-NZ co-sealed the Cisco SD-WAN Threat Hunt Guide. Both agencies are urging local organisations to act with the same urgency as their US and UK counterparts. While CISA's Emergency Directive is formally directed at US federal agencies, the threat is global and the exploits are being used against organisations worldwide.
Australian organisations operating under the SOCI Act, APRA CPS 234, or the Essential Eight Maturity Model should treat this as a priority incident response trigger. New Zealand organisations governed by the NZ Information Security Manual (NZISM) and GCSB guidance should do the same.
Insicon Cyber's adaptive SOC team is actively working with impacted clients and is monitoring this threat. If you are running Cisco SD-WAN infrastructure and are unsure of your exposure, contact us immediately. We can assist with threat hunting, artefact collection, patch validation, and hardening guidance tailored to your environment across Australia and New Zealand.