CISA Adds Two Cisco SD-WAN Vulnerabilities to Known Exploited Vulnerabilities (KEV) Catalog

Threat Summary

Category: Federal Cybersecurity Advisory
Features: Active exploitation confirmed, KEV catalog inclusion, mandatory federal remediation deadlines
Delivery Method: Authentication bypass and path traversal exploitation
Threat Actor: Unattributed threat actors exploiting exposed Cisco SD-WAN infrastructure

---

CISA Action: Added to Known Exploited Vulnerabilities (KEV) Catalog
Affected Systems: Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage)
CVEs:

• CVE-2022-20775 — Path Traversal (Authenticated → Root-level execution)
• CVE-2026-20127 — Authentication Bypass (Pre-auth → Administrative access)
  Federal Directive: Binding Operational Directive (BOD) 22-01
  Compliance Impact: Mandatory remediation for Federal Civilian Executive Branch (FCEB) agencies

CISA has formally added two Cisco SD-WAN vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog following confirmed evidence of active exploitation. Inclusion in the KEV catalog signals that exploitation is not theoretical — it is operational.

The vulnerabilities affect Cisco Catalyst SD-WAN management and controller infrastructure, components that sit at the orchestration layer of enterprise networks.

---

Core Narrative

The Known Exploited Vulnerabilities Catalog functions as a prioritized federal risk index. When a CVE is added, it means CISA has verified active exploitation or credible exploitation intelligence. Under Binding Operational Directive 22-01, FCEB agencies are required to remediate KEV-listed vulnerabilities by mandated deadlines.

The two vulnerabilities now listed both affect Cisco’s SD-WAN ecosystem:

CVE-2026-20127 allows an unauthenticated remote attacker to bypass authentication controls and gain administrative access to affected systems. This is a pre-auth condition, meaning no credentials are required to initiate compromise.

CVE-2022-20775 enables authenticated local attackers to exploit a path traversal flaw, escalate privileges, and execute arbitrary commands as root.

When combined, these vulnerabilities create a full compromise chain:

Remote access → Authentication bypass → Privilege escalation → Root-level control → Network manipulation.

Cisco SD-WAN infrastructure is not an edge appliance. It is a control plane. Compromise here extends across managed branch devices, policy engines, and encrypted tunnel orchestration.

CISA’s addition of these CVEs to the KEV catalog indicates threat actors are targeting exposed or insufficiently segmented SD-WAN deployments.

---

Infrastructure at Risk

Cisco Catalyst SD-WAN systems manage:

• Secure routing between distributed agency sites
• Policy enforcement across WAN segments
• Cloud-to-on-prem connectivity
• Edge device provisioning

If an attacker gains control of vManage or vSmart instances, they can:

• Push malicious configuration changes
• Redirect traffic
• Intercept or reroute encrypted flows
• Deploy secondary payloads
• Establish persistent access across managed nodes

This shifts risk from a single device vulnerability to enterprise-wide network exposure.

---

Policy / Federal Mandate

Binding Operational Directive 22-01 requires FCEB agencies to remediate KEV-listed vulnerabilities within CISA-defined timeframes. Agencies must report compliance status and remediation confirmation.

Although BOD 22-01 does not legally bind private sector organizations, CISA explicitly urges all entities to prioritize KEV catalog vulnerabilities as part of vulnerability management strategy.

The KEV catalog functions as a federal early-warning system. When a vulnerability appears here, it is no longer optional to treat it as urgent.

---

Vendor Defense / Remediation

Cisco has released patches addressing both vulnerabilities. Organizations should:

• Verify version exposure
• Patch management and controller instances
• Restrict management interface exposure
• Ensure segmentation of SD-WAN control plane systems
• Review logging and administrative access history

Pre-auth vulnerabilities carry elevated risk when internet-facing.

---

Exploit Prerequisites

CVE-2026-20127:
Pre-auth remote exploitation possible. No credentials required.

CVE-2022-20775:
Authenticated local access required. Elevated impact if chained with bypass flaw.

Risk increases when SD-WAN systems are:

• Internet accessible
• Weakly segmented
• Logging disabled or retained locally only

---

Forecast — 30 Days

• Increased automated scanning for Cisco SD-WAN endpoints
• Potential exploit kit packaging of CVE-2026-20127
• Targeted campaigns against government and infrastructure entities
• Broader KEV additions if related SD-WAN vulnerabilities emerge
• Secondary pivot exploitation following initial access

---

TRJ Verdict

When CISA adds a vulnerability to the KEV catalog, the message is direct: exploitation is active and federal exposure is credible.

SD-WAN control infrastructure represents high-value operational territory. Authentication bypass vulnerabilities in orchestration layers collapse trust boundaries across entire network segments.

Organizations outside federal scope should treat KEV inclusion as a priority escalation indicator.

---

---

---

---

---

---

---

---

🔥 NOW AVAILABLE! 🔥

‎👉 Eclipsera – Apple Music

---

---

---

---

---