The Rogue Peer Threat: CISA Issues Emergency Directive to Thwart Global Cisco SD-WAN Hijacking
Attacks on Cisco networking infrastructure have become serious enough that the United States government has reached for a rarely used legal instrument. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive requiring immediate action from all civilian federal agencies.
The directive rests on US federal law that lets the Department of Homeland Security order agencies to take immediate remedial action when an imminent threat is identified. That authority is delegated to the Director of CISA, and federal agencies are legally bound to comply. National security systems, along with the networks of the Department of Defense and the intelligence community, are exempt.
In the directive, CISA points to ongoing exploitation of vulnerabilities in Cisco Catalyst SD-WAN Manager and Cisco Catalyst SD-WAN Controller. It names two flaws: CVE-2026-20127, which allows a remote attacker to bypass authentication and obtain administrative privileges, and CVE-2022-20775, which lets an attacker who already has access to the system escalate to root and run arbitrary commands. Together, the two give an intruder a path from no credentials to full control of the management plane.
The directive lays out a fixed sequence of steps: inventory all affected systems, collect technical artifacts and logs, examine them for indicators of compromise, and apply the required patches by February 27, 2026. Agencies must then report progress in several stages through mid-March. If a root-level compromise is found, the agency must notify CISA immediately and rebuild the affected management instances from clean, hardened images rather than attempting to clean the existing ones in place.
In parallel, the United Kingdom's National Cyber Security Centre (NCSC) has published a warning. A joint advisory written with partners from Canada, New Zealand, and the United States reports that attackers around the world are breaking into Cisco Catalyst SD-WAN deployments by introducing a rogue node into the fabric. Once accepted, this "impostor" peer can carry out trusted operations, gain root access, and maintain long-term persistence.
The Australian Signals Directorate has joined the effort with a technical guide to help organizations determine whether their infrastructure has been compromised. According to that guidance, at least one sophisticated actor has been exploiting a zero-day vulnerability in Cisco SD-WAN environments since 2023. The flaw went undetected until late 2025 and has since been patched.
The agencies urge organizations to examine their networks for signs of intrusion, install the latest software releases, and follow the published hardening guidance. The advisory stresses that SD-WAN management interfaces must never be reachable from the public internet, since exposed deployments are the ones at greatest risk. The attackers behind the campaign have not been publicly attributed, but the scale of the coordinated response makes clear how seriously the threat is being taken.