FORT MEADE, Md. – The National Security Agency (NSA), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), and other agencies have issued the Cybersecurity Alert "Exploitation of Cisco SD-WAN Appliances," and a corresponding "Cisco SD-WAN Threat Hunt Guide."
The alert warns of malicious cyber actors targeting Cisco Catalyst Software Defined Wide Area Network (SD-WAN) systems used globally. The Hunt Guide details the tactics, techniques, and procedures (TTPs) used by the actors, and helps organizations identify and investigate potential compromise of their Cisco Catalyst SD-WAN systems.
For over a year, malicious actors exploited vulnerabilities in Cisco SD-WANs. Most notably, by leveraging a previously unknown (zero-day) vulnerability, CVE-2026-20127, these actors introduced a malicious rogue peer, gained authenticated access, and established persistent, long-term presence within the compromised SD-WAN networks.
Cybersecurity professionals and network administrators are strongly advised to take immediate action to ensure all Cisco Catalyst SD-WAN devices are fully patched to the appropriate Fixed Release version. They are also advised to hunt for evidence of compromise, as described in the Hunt Guide, and apply Cisco’s SD-WAN hardening guidance to reduce risks. Patching, executing the Hunt Guide, and reviewing the SD-WAN hardening guidance in full are crucial for high-confidence network security.
Co-sealing this Cybersecurity Alert and Hunt Guide are the National Security Agency (NSA); Cybersecurity and Infrastructure Security Agency (CISA); Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC); Canadian Centre for Cyber Security (Cyber Centre); New Zealand’s National Cyber Security Centre (NCSC-NZ); and United Kingdom’s National Cyber Security Centre (NCSC-UK).
Read the full reports.
Exploitation of Cisco SD-WAN Appliances
Cisco SD-WAN Threat Hunt Guide
Cisco Security Advisory - Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
Cisco Security Advisory - Cisco Catalyst SD-WAN Vulnerabilities
Visit our full library for more cybersecurity information and technical guidance.