First published: 26 Feb 2026
Last updated: 26 Feb 2026

Content written for

Large organisations & infrastructure
Government

Malicious cyber threat actors are targeting SD-WANs of organisations, globally. The purpose of this Alert is to provide mitigations for the ongoing exploitation of Cisco Software-Defined Wide Area Network (SD-WAN) technology, including via CVE-2026-20127.

Background

Malicious cyber threat actors are targeting SD-WANs of organisations, globally. These actors exploited a Cisco Catalyst SD-WAN controller authentication bypass vulnerability, CVE-2026-20127. After exploiting this vulnerability, the malicious actors add a rogue peer and eventually gain root access to establish long-term persistence in SD-WANs.

The following agencies, hereafter referred to as the authoring organisations, released a Cisco SD-WAN Threat Hunt Guide (the “Hunt Guide”), based on investigative data, to support network defenders’ detection of and response to the malicious actors’ threat activity. The Hunt Guide is being released by the following authoring and co-sealing agencies:

  • United States National Security Agency (NSA)
  • United States Cybersecurity and Infrastructure Security Agency (CISA)
  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
  • Canadian Centre for Cyber Security (Cyber Centre)
  • New Zealand National Cyber Security Centre (NCSC-NZ)
  • United Kingdom National Cyber Security Centre (NCSC-UK)

Mitigation advice

The authoring organisations strongly urge network defenders to:

  1. Collect artefacts, including virtual snapshots and logs, from SD-WAN technology;
  2. Review Cisco’s advisories Cisco Catalyst SD-WAN Vulnerabilities and Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability and fully patch SD-WAN technology, including for CVE-2026-20127;
  3. Hunt for evidence of compromise as detailed in the Hunt Guide;
  4. Implement the Cisco Catalyst SD-WAN Hardening Guide.

Cisco’s Catalyst SD-WAN hardening guidance should be reviewed in full and includes advice on the following:

  • Network perimeter controls: Ensure control components are behind a firewall, isolate VPN 512 interfaces, and use IP blocks for manually provisioned edge IPs.
  • SD-WAN manager access: Replace the self-signed certificate for the web user interface.
  • Control and data plane security: Use pairwise keying.
  • Session timeout: Limit to the shortest period possible.
  • Logging: Forward to a remote syslog server.
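The five hardening items above are easy to lose track of across a fleet of control components. The script below is an added example (not ACSC's, Cisco's or the Hunt Guide's code) showing how a defender might encode them as an audit over a constructed inventory. The inventory schema, its field names, the host names and the 15-minute session-timeout ceiling are all assumptions for illustration, not a Cisco SD-WAN configuration format or default; the sample entries show one controller with every gap beside one that meets every item.

```python
"""Hardening-gap audit for an SD-WAN control component inventory.

Added example, not ACSC's or Cisco's code. The inventory schema below is a
constructed, hypothetical representation of the five hardening items in the
Alert; it is not a Cisco vManage/vSmart configuration format.
"""
from __future__ import annotations

# Constructed sample inventory: one controller with every gap, one hardened.
SAMPLE_INVENTORY = [
    {
        "name": "sdwan-manager-weak",            # hypothetical host name
        "behind_firewall": False,
        "vpn512_mgmt_isolated": False,
        "edge_ip_allowlist": [],                  # manually provisioned edge IPs
        "web_cert": {"subject": "CN=vmanage", "issuer": "CN=vmanage"},
        "pairwise_keying": False,
        "session_timeout_minutes": 0,             # 0 = session never expires
        "remote_syslog": [],
    },
    {
        "name": "sdwan-manager-hardened",
        "behind_firewall": True,
        "vpn512_mgmt_isolated": True,
        "edge_ip_allowlist": ["192.0.2.10", "192.0.2.11"],   # RFC 5737 doc range
        "web_cert": {"subject": "CN=vmanage", "issuer": "CN=Example Corp Issuing CA"},
        "pairwise_keying": True,
        "session_timeout_minutes": 10,
        "remote_syslog": ["203.0.113.5"],                    # RFC 5737 doc range
    },
]

# Assumed local policy ceiling for the web UI session timeout (not a Cisco value).
MAX_SESSION_TIMEOUT_MINUTES = 15


def is_self_signed(cert: dict) -> bool:
    """A self-signed certificate has an issuer identical to its subject."""
    return cert["subject"] == cert["issuer"]


def audit_controller(c: dict) -> list[str]:
    """Return one finding per hardening item the controller fails."""
    findings: list[str] = []
    if not c["behind_firewall"]:
        findings.append("perimeter: control component not behind a firewall")
    if not c["vpn512_mgmt_isolated"]:
        findings.append("perimeter: VPN 512 management interface not isolated")
    if not c["edge_ip_allowlist"]:
        findings.append("perimeter: no IP block list for manually provisioned edge IPs")
    if is_self_signed(c["web_cert"]):
        findings.append("manager access: web UI still uses a self-signed certificate")
    if not c["pairwise_keying"]:
        findings.append("control/data plane: pairwise keying not enabled")
    timeout = c["session_timeout_minutes"]
    if timeout <= 0 or timeout > MAX_SESSION_TIMEOUT_MINUTES:
        findings.append(
            f"session timeout: {timeout} min never expires or exceeds policy "
            f"ceiling of {MAX_SESSION_TIMEOUT_MINUTES} min"
        )
    if not c["remote_syslog"]:
        findings.append("logging: no remote syslog destination configured")
    return findings


def audit_inventory(inventory: list[dict]) -> dict[str, list[str]]:
    """Map each controller name to its list of findings (empty list = compliant)."""
    return {c["name"]: audit_controller(c) for c in inventory}


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not findings else f'{len(findings)} gap(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run it as-is to see the weak controller report seven gaps and the hardened one report none; in practice the inventory would be populated from each controller's exported configuration and the findings tracked until closed.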

Acknowledgements

ASD’s ACSC, CISA, Cyber Centre, NCSC-NZ, NCSC-UK, and NSA contributed to this Alert.

Where to get help

Australia - ASD's ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).
