www.infosecurity-magazine.com 3/12/2026, 1:09:11 PM

CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws

CyberSIXT Evidence Panel
CISA KEV: Listed in KEV
Patch: Patch Available

A newly issued emergency directive from the US Cybersecurity and Infrastructure Security Agency warns that attackers are actively exploiting vulnerabilities in Cisco Catalyst SD-WAN infrastructure used across US federal networks. The directive, known as Emergency Directive 26-03, orders federal agencies to urgently identify affected systems, collect forensic evidence, apply security updates and investigate potential compromises.

The warning centres on a flaw tracked as CVE-2026-20127, described as a critical authentication bypass with a CVSS score of 10, which could allow an unauthenticated attacker to obtain administrative access to SD-WAN infrastructure. Such access could enable threat actors to manipulate network configurations or disrupt traffic across government systems, with the affected technology widely used to manage distributed enterprise networks.

Agencies must perform a sequence of actions, including submitting an inventory to CISA, configuring devices to store logs externally, applying vendor updates, and hunting for evidence of compromise, with remediation reporting due by multiple deadlines through 23 March 2026. According to ProCircular, the directive’s emphasis on artifact collection and centralised logging suggests investigators are seeking to determine how widely the vulnerabilities may have been exploited.

Article by CyberSIXT