Cisco Catalyst SD-WAN Exploited: What Businesses Should Know
- Neil Hare-Brown
- 4 days ago
- 5 min read
The UK National Cyber Security Centre has issued a fresh warning about the active exploitation of Cisco Catalyst SD-WAN systems, making this a live and serious issue for organisations using affected Cisco infrastructure.
The warning is not based on a theoretical weakness or a routine patch cycle. It relates to a vulnerability that is already being exploited in the wild.
For businesses that rely on SD-WAN to connect sites, route traffic, and support critical services, this matters for one simple reason:
If an attacker compromises the control layer of your network, they are not just gaining access to a device. They may be gaining a foothold into the wider environment.
This blog explains what is happening, why the risk is bigger than a single Cisco advisory, and what organisations should do now.
What has happened?
Cisco Talos says threat actors are actively exploiting CVE-2026-20127, a critical vulnerability in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager.
The flaw allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on an affected system by sending a crafted request.
Cisco Talos has clustered the activity as UAT-8616 and says it found evidence that the malicious activity may date back to 2023, which means this may not be a short-lived opportunistic campaign. It may reflect a longer-running effort to target network edge devices and maintain access over time.
Cisco’s own advisory and multiple security sources state that successful exploitation gives the attacker access as an internal, high-privileged, non-root account.
From there, they may be able to manipulate SD-WAN fabric configuration and, depending on the environment, move towards broader compromise.
Why this matters beyond Cisco
This is not just a “Cisco problem”. It is another reminder that network edge infrastructure remains a prime target.
Attackers continue to focus on:
SD-WAN controllers
firewalls
VPN concentrators
internet-facing management interfaces
branch and edge infrastructure
These systems are attractive because they are highly trusted, often internet-reachable, and sometimes monitored less rigorously than endpoints or cloud identities.
Cisco Talos explicitly notes that this activity reflects a continuing trend of threat actors targeting network edge devices to establish persistent footholds into high-value organisations, including critical infrastructure sectors.
That broader lesson is the real story here. If your security posture is strong on endpoints but weak at the network edge, your controls may be more fragile than they look.
What could an attacker do after compromise?
Once an attacker gains privileged access to a Cisco Catalyst SD-WAN control system, the risk is not limited to that one appliance.
Based on current advisories and security analysis, the potential impact includes:
Manipulating network configuration
Attackers may be able to alter SD-WAN fabric settings and traffic behaviour.
Establishing persistence
Security reporting suggests attackers may use the initial access to maintain longer-term presence in the environment. Cisco Talos notes intelligence suggesting escalation to root through version downgrade activity.
Creating rogue trust relationships
The New Zealand NCSC warns that exploitation may allow attackers to add a rogue peer, which can help them blend into the environment and remain connected.
Using the edge as a stepping stone
A compromised controller can become a launch point for wider network access, reconnaissance, and potential follow-on attacks.
This is why organisations should treat this as a potential environment-level incident, not just a patching task.
Why this threat deserves urgent attention
Several signals make this more urgent than a standard vendor advisory:
The NCSC has warned publicly
The UK government’s cyber authority is flagging this as active exploitation.
Cisco Talos has confirmed in-the-wild activity
This is not hypothetical. Cisco’s threat intelligence team says the exploitation is live.
CISA has issued Emergency Directive 26-03
The US cyber agency is requiring federal agencies to act quickly, which is a strong signal of seriousness and urgency.
The vulnerability is critical
Security reporting widely describes CVE-2026-20127 as a maximum-severity issue, with a CVSS score of 10.0.
When multiple national agencies and vendor intelligence teams are aligned this clearly, boards and technology leaders should assume rapid action is warranted.
What organisations should do now
If your organisation uses Cisco Catalyst SD-WAN, or if a critical supplier does, the immediate response should go beyond “apply patches when convenient”.
Identify exposure quickly
Confirm whether you use affected Cisco Catalyst SD-WAN Controller or Cisco Catalyst SD-WAN Manager systems. Do not rely on assumptions or outdated inventories. Validate against live asset records.
Patch as a priority
Cisco has released fixed versions and emergency guidance. If you have not applied the necessary updates, this should be treated as urgent.
Investigate for signs of compromise
This is especially important because the exploitation is already active. Rapid7 and Cisco Talos both point to the need for defenders to look for control connection peering events and manually validate whether they are legitimate. Unexpected times, unfamiliar IP addresses, or unusual peer relationships should be treated seriously.
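One way to make that review repeatable, as an added example that is not code from Cisco, Talos or Rapid7: triage exported control-connection events against your own inventory, flagging peers that are not in the asset records, peers reached from an unfamiliar IP, peers claiming a role the inventory does not give them, and peering established outside the agreed change window. The log line format, the sample events and the inventory below are constructed for the example and are not a real Cisco Catalyst SD-WAN syslog format; adapt `PEER_EVENT_RE` to whatever your Manager or Controller actually exports.

```python
"""Triage SD-WAN control-connection peering events against a known inventory.

Added example (not Cisco's, Talos's or Rapid7's code). The log format below is
CONSTRUCTED for illustration and is not a real Cisco Catalyst SD-WAN syslog
format; adapt PEER_EVENT_RE to what your Manager/Controller actually exports.
The triage logic is the point: flag peers that are not in inventory, peers
reached via an unfamiliar IP, peers claiming a role inventory does not give
them, and peering established outside the agreed change window.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Assumed line format (constructed for this example):
# <ISO-8601 UTC timestamp> control-connection <up|down> local=<system-ip>
#   peer=<system-ip> role=<vmanage|vsmart|vbond|vedge> remote-ip=<ip>
PEER_EVENT_RE = re.compile(
    r"^(?P<ts>\S+) control-connection (?P<state>up|down) "
    r"local=(?P<local>\S+) peer=(?P<peer>\S+) role=(?P<role>\S+) "
    r"remote-ip=(?P<remote_ip>\S+)$"
)

# Constructed sample events. 10.0.0.99 / 198.51.100.77 play the rogue peer;
# the fourth line shows a known peer suddenly arriving from that same address.
SAMPLE_LOG = """\
2026-02-26T09:12:41Z control-connection up local=10.0.0.1 peer=10.0.0.2 role=vsmart remote-ip=203.0.113.10
2026-02-26T09:12:42Z control-connection up local=10.0.0.1 peer=10.0.0.3 role=vbond remote-ip=203.0.113.20
2026-02-27T02:47:13Z control-connection up local=10.0.0.1 peer=10.0.0.99 role=vsmart remote-ip=198.51.100.77
2026-02-27T02:48:02Z control-connection up local=10.0.0.1 peer=10.0.0.2 role=vsmart remote-ip=198.51.100.77
2026-02-27T10:05:00Z control-connection down local=10.0.0.1 peer=10.0.0.3 role=vbond remote-ip=203.0.113.20
"""

# Constructed inventory: what the asset records say each controller is and
# which public IPs it should peer from.
SAMPLE_INVENTORY = {
    "10.0.0.2": {"role": "vsmart", "public_ips": {"203.0.113.10"}},
    "10.0.0.3": {"role": "vbond", "public_ips": {"203.0.113.20"}},
}


@dataclass(frozen=True)
class Finding:
    ts: str
    peer: str
    remote_ip: str
    reasons: tuple


def parse_event(line):
    """Return a dict for a peering event line, or None if the line is not one."""
    m = PEER_EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def triage(lines, inventory, change_window=(8, 18)):
    """Flag suspicious 'up' peering events.

    change_window is (start_hour, end_hour) in UTC; peering established outside
    it is flagged so an analyst validates it by hand instead of assuming it was
    scheduled work. One Finding per suspicious event, carrying every reason.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["state"] != "up":
            continue
        reasons = []
        known = inventory.get(ev["peer"])
        if known is None:
            reasons.append("peer system-ip not in inventory")
        else:
            if ev["role"] != known["role"]:
                reasons.append(f"role {ev['role']} does not match inventory role {known['role']}")
            if ev["remote_ip"] not in known["public_ips"]:
                reasons.append("remote IP not in inventory for this peer")
        if not change_window[0] <= ev["ts"].hour < change_window[1]:
            reasons.append("peering established outside change window")
        if reasons:
            findings.append(Finding(ev["ts"].isoformat(), ev["peer"], ev["remote_ip"], tuple(reasons)))
    return findings


def triage_sample():
    """Run the triage over the constructed sample log and inventory."""
    return triage(SAMPLE_LOG.splitlines(), SAMPLE_INVENTORY)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.ts} peer={f.peer} via {f.remote_ip}: " + "; ".join(f.reasons))
```

Run against the constructed sample it reports two events: the unknown system IP 10.0.0.99 (not in inventory, and at 02:47 UTC), and the known controller 10.0.0.2 peering from an address the inventory has never seen for it, also outside the change window. The "down" event and the daytime connections from expected addresses produce nothing. The inventory is the control here: a stale one produces false positives at best and a silently accepted rogue peer at worst, which is why the page's advice to validate against live asset records applies to this check as much as to patching.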
Restrict management access
If management interfaces are exposed more broadly than necessary, reduce access immediately. Review trusted IPs, segmentation, and administrative access pathways.
Preserve logs and evidence
CISA’s Emergency Directive 26-03 highlights the importance of collecting and storing logs externally, off the appliance itself. If compromise is suspected, preserve evidence before making changes such as rebooting, upgrading or re-imaging that could erase your trail.
Review wider edge security
Use this incident as a trigger to review other internet-facing network infrastructure. Attackers rarely stop at one product category.
If your team needs support handling that assessment or responding to suspected compromise, STORM’s investigation and response services are built for exactly this kind of situation.
What boards and leadership teams should ask today
Technical teams may already be working the issue, but leadership should still ask direct questions:
Do we use the affected Cisco SD-WAN systems, directly or through suppliers?
Have the patches been applied, and has that been independently confirmed?
Are we checking for evidence of prior compromise, not just patching forward?
Do we have the logs needed to prove whether exploitation occurred?
If a critical edge system is compromised, who leads the response and what is the first-hour plan?
The right response here is not just technical. It is operational. The question is not only whether you can patch, but whether you can detect, investigate, and recover if the patch came too late.
The bigger lesson: edge infrastructure needs the same rigour as endpoints
Many organisations have matured their endpoint and cloud controls, but edge infrastructure still lags behind in:
visibility
logging
response readiness
exercising
executive oversight
This Cisco issue reinforces a simple but important point: your network edge is part of your cyber resilience perimeter.
It should be treated with the same seriousness as identity, endpoints, and critical SaaS platforms.
For many organisations, this is the right moment to review whether their current controls reflect the real threat landscape, not just the easiest assets to manage.
For broader strategic support, STORM’s products and services page outlines how we help organisations strengthen resilience across response, recovery, risk, and readiness.
Final thought
Cisco Catalyst SD-WAN may be the immediate headline, but the real lesson is broader.
Attackers continue to target trusted infrastructure at the edge of the network because that is often where visibility is weakest and impact is greatest.
Patch quickly, investigate properly, preserve your evidence, and treat this as a reminder that resilience depends on more than just keeping laptops secure.
Do not treat this as just another patching alert.
If you need help assessing exposure, investigating signs of compromise, or strengthening your incident response around critical edge infrastructure, we can help.
Explore STORM services – https://www.stormguidance.com/products-and-services