
CISA orders two‑day patching after Cisco SD‑WAN zero‑day can yield root access

CISA directed federal agencies to patch two critical Cisco flaws within two days after patches and advisories revealed a CVSS 10 zero‑day tied to persistent root access.

Sarah Chen, 3 min read

The US Cybersecurity and Infrastructure Security Agency has added a zero‑day and an older path‑traversal bug in Cisco products to its Known Exploited Vulnerabilities catalog and issued Emergency Directive 26‑03, ordering federal civilian executive branch agencies to remediate both flaws within two days. The deadline was 5 p.m. ET on February 27, 2026. Cisco had released fixes in late February; it later published separate PSIRT advisories on March 4 addressing Secure Firewall Management Center products.

The zero‑day, tracked as CVE‑2026‑20127 and assigned a CVSS score of 10, lies in peering authentication in Cisco Catalyst SD‑WAN Controller and Manager and can allow an unauthenticated attacker to gain administrative access and reconfigure networks via NETCONF, according to security bulletins. The older vulnerability, CVE‑2022‑20775, disclosed in September 2022, is a “high‑severity path traversal issue that allows an authenticated attacker to execute arbitrary commands with root privileges.” Security agencies say the two flaws have been chained together to bypass authentication and establish persistent root access on SD‑WAN equipment.

Cisco released patches for the SD‑WAN flaws on February 25, 2026, and separately its Product Security Incident Response Team published advisories on March 4 about two maximum‑severity vulnerabilities affecting Secure Firewall Management Center and related policy management products. Cisco has warned of “limited exploitation” of the SD‑WAN zero‑day in the wild, while Five Eyes partners and Cisco Talos report active adversary use dating back to at least 2023 in some cases. Dark Reading reported that the zero‑day had been exploited for at least three years.

Cisco Talos attributes the SD‑WAN campaign to a group it labels UAT‑8616, calling it “a highly sophisticated cyber threat actor” active since at least 2023. Talos and Five Eyes describe a distinct operational pattern in observed intrusions: an attacker first adds an administrative account, then downgrades device software to a version vulnerable to CVE‑2022‑20775, exploits the legacy bug to escalate to root, and reinstates the original software while retaining root persistence. Talos warned that this behavior reflects a broader trend of targeting network edge devices to secure long‑term footholds in critical organizations.

AI-generated illustration

Government and industry guidance emphasizes rapid remediation and aggressive hunting for indicators of compromise. The Five Eyes threat hunting notes and other advisories list observable signs including rogue peers, unauthorized version changes and downgrades, newly created administrative accounts, and unexpected system reboots. Some reporting and prior Cisco guidance also urged operators to lock down management access and restrict connectivity to trusted networks until fixes are applied. Security briefings note there are no practical workarounds for either CVE.
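As an added illustration (not code from the article, CISA, Cisco or Talos), the following Python sketch applies the indicators listed above, together with the downgrade-then-restore sequence Talos describes, to a constructed and deliberately simplified controller event log: it flags peers missing from an inventory, new administrative accounts, software downgrades and their later restoration, and reboots outside a maintenance window. The event format, field names, version numbers, peer inventory and maintenance window are all assumptions for the example, not Cisco's real log format or guidance.

```python
from datetime import datetime, time

# Constructed sample events in an invented "timestamp kind key=value..." format
# (assumption: NOT Cisco's actual SD-WAN audit log format).
SAMPLE_EVENTS = """\
2026-02-20T02:10:05 peer-add peer=10.0.0.7 role=controller
2026-02-20T02:11:40 user-add user=svc_backup role=netadmin
2026-02-20T02:12:03 sw-install version=20.9.1 prev=20.12.2
2026-02-20T02:13:30 reboot reason=user
2026-02-20T02:20:12 sw-install version=20.12.2 prev=20.9.1
2026-02-21T23:05:00 reboot reason=scheduled
"""

KNOWN_PEERS = {"10.0.0.5", "10.0.0.6"}        # assumed peer inventory
MAINT_WINDOW = (time(22, 0), time(23, 59))     # assumed nightly change window

def parse_version(v):
    """Turn '20.12.2' into (20, 12, 2) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))

def parse_event(line):
    ts, kind, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts), kind, fields

def hunt(events_text):
    """Return (timestamp, indicator, detail) findings in log order."""
    findings = []
    downgraded_from = None   # version replaced by the most recent downgrade
    for line in events_text.strip().splitlines():
        ts, kind, f = parse_event(line)
        in_window = MAINT_WINDOW[0] <= ts.time() <= MAINT_WINDOW[1]
        if kind == "peer-add" and f["peer"] not in KNOWN_PEERS:
            findings.append((ts, "rogue-peer", f["peer"]))
        elif kind == "user-add" and f.get("role") == "netadmin":
            findings.append((ts, "new-admin-account", f["user"]))
        elif kind == "sw-install":
            if parse_version(f["version"]) < parse_version(f["prev"]):
                findings.append((ts, "version-downgrade", f"{f['prev']} -> {f['version']}"))
                downgraded_from = f["prev"]
            elif f["version"] == downgraded_from:   # original image put back after the downgrade
                findings.append((ts, "downgrade-restore-cycle", f["version"]))
                downgraded_from = None
            elif not in_window:
                findings.append((ts, "unscheduled-version-change", f["version"]))
        elif kind == "reboot" and not in_window:
            findings.append((ts, "unexpected-reboot", f["reason"]))
    return findings

if __name__ == "__main__":
    for ts, indicator, detail in hunt(SAMPLE_EVENTS):
        print(ts.isoformat(), indicator, detail)
```

The scheduled reboot inside the window is intentionally not reported; on real equipment the inventory, window and event parsing would come from the operator's own sources.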

The intersection of an exploitable CVSS 10 zero‑day, a chained local privilege escalation, and a federal emergency directive raises immediate operational and economic stakes for organizations that run Cisco SD‑WAN or Secure Firewall Management Center. Network operators face compressed timelines for testing and deployment that can force emergency maintenance windows, potential service disruptions, and one‑off consulting or staff overtime costs. Regulators and procurement officers may also press for verification and audits, increasing near‑term security spending.

The incidents add to a string of recent Cisco zero‑day events and underscore a longer trend: attackers increasingly focus on edge networking gear to reach high‑value targets. For enterprise risk managers and infrastructure operators, the obligation is clear—apply vendor fixes, hunt for the named indicators, and assume that persistent access may already exist unless validated otherwise.
