CISA Emergency Directive 26-03: The Cisco SD-WAN Takeover

Breakdown of the CISA Emergency Directive targeting Cisco SD-WAN systems, the auth bypass and path traversal chain driving it, and what network operators need to do right now.

By Keith Rose

Executive Summary

On February 25, 2026, CISA issued Emergency Directive 26-03 ordering all Federal Civilian Executive Branch agencies to inventory Cisco SD-WAN systems, patch against a cluster of actively exploited vulnerabilities, and hunt for compromise. The directive centers on two primary CVEs: an authentication bypass in the SD-WAN peering plane and a path traversal in the management CLI, supported by a broader set of related flaws disclosed through April and May 2026.

This is not a theoretical advisory. CISA explicitly states it is aware of an ongoing threat actor campaign against these systems. The affected products are the backbone of enterprise WAN fabric for a significant portion of the U.S. government and Fortune 500 networks.

Affected Products

  • Cisco Catalyst SD-WAN Manager (formerly vManage)
  • Cisco Catalyst SD-WAN Controller (formerly vSmart)
  • Cisco Catalyst SD-WAN Validator (formerly vBond)
  • Cisco SD-WAN Edge routers running affected software versions

The Vulnerability Cluster

Primary: CVE-2026-20127

Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass

The peering authentication mechanism between SD-WAN controllers is not enforcing mutual authentication correctly. An unauthenticated remote attacker can send crafted requests to an affected system, bypass authentication entirely, and log in as an internal, high-privileged non-root user account. From there, the attacker gains NETCONF access and can manipulate the SD-WAN fabric configuration. That means adding malicious controllers, rerouting traffic, or exfiltrating tunnel keys.

CVE-2022-20775

Cisco SD-WAN CLI Path Traversal

An authenticated local attacker can abuse improper access controls within the application CLI to execute arbitrary commands as root. In a post-exploitation chain, this turns a low-privilege foothold into full system compromise.

Secondary: The April-May 2026 Batch

  • CVE-2026-20182: Authentication bypass in Catalyst SD-WAN Controller & Manager allowing unauthenticated remote attackers to obtain administrative privileges.
  • CVE-2026-20122: Incorrect use of privileged APIs in SD-WAN Manager. An attacker uploads a malicious file via the API interface to overwrite arbitrary files and gain vmanage user privileges.
  • CVE-2026-20133: Exposure of sensitive information in SD-WAN Manager, allowing remote attackers to view sensitive data on affected systems.
  • CVE-2026-20128: Passwords stored in a recoverable format, allowing an authenticated local attacker to retrieve DCA user credentials from the filesystem.

Attack Chain

The exploitation pattern observed in the wild follows this progression:

  1. Initial Access: The attacker targets an internet-exposed SD-WAN Manager or Controller management interface.
  2. Authentication Bypass: CVE-2026-20127 (or CVE-2026-20182) is used to bypass the login flow and obtain an internal privileged session.
  3. Fabric Manipulation: Via NETCONF or the web UI, the attacker adds a rogue controller to the fabric or modifies control policies.
  4. Persistence: New certificates and tunnel configurations are pushed to edge devices, establishing persistent covert channels.
  5. Privilege Escalation: If CLI access is obtained, CVE-2022-20775 or CVE-2026-20122 provides root-level code execution for backdoor installation.

Network Telemetry & IOCs

Monitor your WAN edge and management networks for:

  • Unexpected NETCONF sessions from non-management IP ranges to SD-WAN Controllers
  • Certificate or control-policy changes outside of approved change windows
  • New vSmart/vManage peers appearing in the overlay control plane
  • Abnormal "crypto pki" or "request platform software" CLI operations on edge routers
  • File uploads to /uploads/ or API endpoints on SD-WAN Manager without matching admin sessions

# On SD-WAN Manager: check for unknown controller peerings
show control connections
show omp peers

# On edge routers: check for unexpected tunnel endpoints
show sdwan control connections
show ip nhrp
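One way to turn the "new vSmart/vManage peers" and "non-management IP ranges" indicators above into a repeatable check, as an added example that is not part of the original alert or a Cisco tool: parse control-connection output and flag controller peers missing from an approved inventory or peering from outside the management ranges. The table layout, column names, the sample rows, the approved list and the management range are all constructed for this example; real "show control connections" output varies by release, so the parser's column positions are an assumption to adapt.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Set, Tuple


class Peer(NamedTuple):
    peer_type: str   # vsmart / vbond / vmanage / vedge
    system_ip: str
    site_id: int
    public_ip: str
    state: str


def parse_control_connections(text: str) -> List[Peer]:
    """Parse the constructed table; assumed columns are
    PEER-TYPE PEER-PROT SYSTEM-IP SITE-ID PEER-PUBLIC-IP STATE (header skipped)."""
    peers = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 6 or cols[0] == "PEER-TYPE":
            continue
        peers.append(Peer(cols[0], cols[2], int(cols[3]), cols[4], cols[5]))
    return peers


def find_rogue_peers(peers: List[Peer], approved: Dict[str, Set[str]],
                     mgmt_nets: List[str]) -> List[Tuple[Peer, List[str]]]:
    """Flag controller peers not in the approved inventory or outside mgmt ranges."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for p in peers:
        if p.peer_type not in ("vsmart", "vbond", "vmanage"):
            continue  # edge peers are checked against a different baseline
        reasons = []
        if p.system_ip not in approved.get(p.peer_type, set()):
            reasons.append("system-ip not in approved controller inventory")
        if not any(ipaddress.ip_address(p.public_ip) in n for n in nets):
            reasons.append("peer address outside management ranges")
        if reasons:
            findings.append((p, reasons))
    return findings


# Constructed sample output; the last row is a planted unknown vSmart peer.
SAMPLE = """\
PEER-TYPE PEER-PROT SYSTEM-IP SITE-ID PEER-PUBLIC-IP STATE
vsmart    dtls      10.1.1.2  100     192.0.2.10     up
vsmart    dtls      10.1.1.3  100     192.0.2.11     up
vbond     dtls      10.1.1.1  100     192.0.2.5      up
vsmart    dtls      10.99.0.7 999     198.51.100.44  up
"""
APPROVED = {"vsmart": {"10.1.1.2", "10.1.1.3"}, "vbond": {"10.1.1.1"}}
MGMT_NETS = ["192.0.2.0/24"]  # assumed management range


def audit_sample() -> List[Tuple[Peer, List[str]]]:
    return find_rogue_peers(parse_control_connections(SAMPLE), APPROVED, MGMT_NETS)
```

Run the audit on each Manager and Controller after every change window and diff the approved inventory against the findings; any hit on a site ID you do not own is a hunt trigger, not a ticket.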

Enterprise Response

Immediate Actions

  1. Inventory: Identify every instance of Catalyst SD-WAN Manager, Controller, and Validator in your environment. Do not assume they are all internal-only.
  2. Restrict Access: Place all SD-WAN management interfaces behind a jump host or dedicated management VPN. Remove internet exposure immediately.
  3. Hunt: Follow CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices” (linked below). Check for unauthorized peerings, policy changes, and certificate anomalies.

Patching

Cisco has released patched software tracks. Upgrade to the following minimum versions or later:

  • Catalyst SD-WAN Manager: 20.15.1 or later
  • Catalyst SD-WAN Controller: 20.15.1 or later
  • SD-WAN Edge / IOS-XE: 17.15.1a or later

# Example upgrade path for SD-WAN Manager (vManage)
request nms configuration-db upgrade
request nms all status

# Verify control plane after upgrade
show control connections history
show omp peers

Post-Compromise Cleanup

If indicators of compromise are found:

  1. Isolate the affected Manager/Controller from the fabric.
  2. Audit all OMP routes, TLOCs, and control policies for unauthorized entries.
  3. Re-issue PKI certificates for the entire fabric segment.
  4. Re-image compromised Manager/Controller appliances rather than attempting in-place cleanup.
  5. Re-onboard edge devices with fresh certificates and bootstrap configs.

Timeline

Date        Event
2023-10-16  CVE-2022-20775 originally disclosed
2026-02-25  CISA issues Emergency Directive 26-03 for CVE-2026-20127 and CVE-2022-20775
2026-03-19  CVE-2026-20131 disclosed (Secure FMC deserialization RCE, related campaign)
2026-04-20  Cisco discloses CVE-2026-20122, CVE-2026-20133, CVE-2026-20128
2026-05-14  CVE-2026-20182 added to KEV catalog; CISA shortens due dates

References