Five Eyes Issue Coordinated Warning on Active Exploitation of Cisco SD-WAN Infrastructure

Threat Summary

Category: International Cybersecurity Alert
Features: Active exploitation, zero-day abuse, rogue control-plane device injection, root persistence
Delivery Method: Authentication bypass, control-plane compromise, management plane infiltration
Threat Actor: Advanced threat actor (unattributed), ongoing activity since 2023

---

Five Eyes intelligence partners — the United States, United Kingdom, Australia, Canada, and New Zealand — have issued a coordinated operational warning confirming that Cisco Catalyst SD-WAN infrastructure is being actively exploited by an advanced threat actor in ongoing intrusion campaigns.

This is not a single-agency advisory. It is a synchronized intelligence posture across the Western alliance’s primary cyber authorities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) invoked emergency directive authority under 44 U.S.C. § 3553(h), formally declaring that the exploitation presents an “unacceptable risk” to Federal Civilian Executive Branch networks. Emergency directives are reserved for circumstances where active threat conditions are confirmed and immediate federal mitigation is required.

Simultaneously, the United Kingdom’s National Cyber Security Centre (NCSC) warned that malicious cyber actors are targeting Cisco Catalyst Software Defined Wide Area Networks globally. The language from allied partners makes clear that this activity is not confined to U.S. federal infrastructure. Organizations across multiple jurisdictions are exposed.

Australia’s Signals Directorate reinforced the warning with a technical hunt guide detailing how threat actors have embedded rogue devices into SD-WAN management and control planes, enabling trusted internal actions and long-term persistence.

The affected infrastructure is not peripheral networking equipment. Cisco SD-WAN controllers and managers operate at the orchestration layer — the control plane responsible for routing trust relationships, policy enforcement, encrypted tunnel governance, and branch network command authority. Compromise at this level extends across entire enterprise fabrics.

Two vulnerabilities central to the exploitation activity are:

CVE-2026-20127 — Authentication bypass enabling unauthenticated remote administrative access.

CVE-2022-20775 — Path traversal enabling privilege escalation to root and arbitrary command execution.

Cisco has confirmed that these vulnerabilities are independently exploitable. Chaining is not required. Either flaw can grant an attacker significant operational control depending on deployment exposure.

This warning reflects confirmed exploitation, not theoretical risk.

---

Core Narrative

This is not a routine vulnerability bulletin. It is a coordinated allied intelligence warning.

CISA’s emergency directive followed evidence of ongoing exploitation of Cisco SD-WAN management and controller infrastructure. The British NCSC publicly confirmed the activity extends beyond U.S. federal networks and is affecting organizations internationally.

Australia’s Signals Directorate released a detailed technical hunt guide, revealing that at least one threat actor has been exploiting Cisco SD-WAN environments since 2023, initially leveraging a zero-day vulnerability that was only identified and patched late last year.

According to the hunt guide, attackers were able to create a rogue peer device injected directly into an organization’s SD-WAN management or control plane. The rogue device appeared as a legitimate SD-WAN component, enabling it to perform trusted network orchestration actions.

That access is strategic.

Once embedded within the management plane, an attacker can:

• Modify routing configurations
• Push malicious policy updates
• Intercept traffic
• Exfiltrate data
• Deploy follow-on implants
• Establish durable persistence

The hunt documentation further describes root-level privilege acquisition and anti-forensic behavior, including tampering with logs and disabling monitoring visibility.

This is not opportunistic scanning. It reflects deliberate, long-term control-plane infiltration.

---

Infrastructure at Risk

Cisco Catalyst SD-WAN platforms manage distributed enterprise networking across:

• Government agencies
• Defense contractors
• Telecommunications providers
• Critical infrastructure operators
• Large multinational enterprises

The management plane governs trust relationships across branch nodes, cloud interconnects, and encrypted tunnels.

Compromise of vManage or vSmart systems collapses segmentation boundaries.

This elevates exposure from device-level compromise to network-wide orchestration compromise.

---

Policy / Allied Pressure

The synchronized advisory from Five Eyes members reflects elevated strategic concern.

CISA invoked emergency directive authority under 44 U.S.C. § 3553(h). Federal agencies must inventory, collect forensic artifacts, patch, hunt for compromise, and report status under strict deadlines.

The NCSC and Australian Signals Directorate have urged organizations to actively investigate for evidence of compromise rather than assume patching alone resolves risk.

This shifts the posture from vulnerability management to breach investigation.

---

Vendor Defense / Reliance

Cisco issued advisories acknowledging multiple vulnerabilities in affected SD-WAN products.

Cisco confirmed exploitation pathways can allow attackers to:

• Bypass authentication
• Elevate privileges to root
• Access sensitive configuration data
• Overwrite arbitrary files

Cisco’s statement emphasizes that vulnerabilities are independent and do not require chaining.

Patch application is necessary but insufficient if compromise has already occurred.

Agencies are being directed to collect forensic images and logs before remediation to preserve evidence of intrusion.

---

Exploit Prerequisites

CVE-2026-20127:
Pre-auth remote exploitation. No credentials required.

CVE-2022-20775:
Authenticated local access required, but high impact when combined with control-plane compromise.

Exposure risk increases when:

• SD-WAN management interfaces are internet-facing
• Logging is not externally stored
• Segmentation between control plane and enterprise infrastructure is weak

---

Forecast — 30 Days

• Increased scanning against exposed SD-WAN interfaces
• Copycat actor exploitation attempts
• Expansion of indicators of compromise released by allied agencies
• Potential public attribution if intelligence assessment solidifies
• Secondary exploitation campaigns leveraging rogue SD-WAN peers

---

TRJ Verdict

When all Five Eyes partners align publicly on active exploitation of networking control infrastructure, the threat is strategic — not tactical.

SD-WAN management layers function as trust anchors across distributed networks. Injection of a rogue control-plane device grants attackers trusted authority inside encrypted ecosystems.

This is not endpoint compromise.

This is orchestration compromise.

Organizations using Cisco SD-WAN must assume exposure until proven otherwise through forensic validation.

The directive is not advisory language. It is a warning of sustained operational intrusion activity.

---

---

---

---

---

---

---

---

🔥 NOW AVAILABLE! 🔥

‎👉 Eclipsera – Apple Music

---

---

---

---

---