These ongoing Cisco SD-WAN attacks have prompted urgent action from cybersecurity authorities. In February, CISA issued an emergency directive addressing two critical flaws: an authentication bypass vulnerability (CVE-2026-20127) and a privilege-escalation flaw (CVE-2026-20775) in Cisco Catalyst SD-WAN. Then in May, Cisco Talos confirmed that threat actor UAT-8616 was actively exploiting another authentication bypass, CVE-2026-20182.
If you oversee network security for an organization relying on Cisco SD-WAN, this campaign is a direct and pressing concern. The attackers have shown they can breach some of the most sensitive environments, from government offices to critical infrastructure operators. Understanding the specific vulnerabilities under fire is your first step toward hardening your defenses.
Why Cisco SD-WAN Is a Prime Target for Threat Actors
That warning about specific vulnerabilities is only part of the picture. To truly protect your network, you need to understand why adversaries are drawn to Cisco SD-WAN in the first place. The answer comes down to value and access. Edge infrastructure sits at the boundary between your internal network and the outside world, handling some of the most sensitive traffic your organization moves. And Cisco SD-WAN, given its wide deployment, often controls that critical junction.

Cisco environments have become an increasingly important target for state-nexus and other top threat actors precisely because of their deep footprint in sensitive networks. Think about where Cisco SD-WAN is typically deployed — government offices, financial institutions, energy grids, and healthcare systems. These are environments where a successful breach yields immense rewards, from intellectual property to operational intelligence. When you place a high-value control point at the edge of those networks, you create an attractive target for anyone looking to cause disruption or steal data.
Douglas McKee, director of vulnerability intelligence at Rapid7, summed it up clearly: edge infrastructure remains one of the highest-value targets in enterprise security. That assessment has played out in real-world campaigns. During the 2024 Salt Typhoon campaign, attackers leveraged access to Cisco devices to reach into major telecommunications providers. That state-sponsored hacking operation demonstrated how a foothold on edge equipment can lead directly to a telecommunications breach, giving adversaries the ability to intercept communications and move laterally across networks.
If you manage Cisco sd-wan attacks defenses, the lesson is straightforward. The same features that make SD-WAN powerful — centralized control, traffic steering, and direct cloud connectivity — also make it a prime vector for compromise. Strengthening your edge infrastructure security means treating your SD-WAN controllers and routers with the same rigor you apply to your most critical servers. Because for the adversaries actively targeting these systems, your edge is exactly where they plan to strike first.
Catalog of Exploited Vulnerabilities in Recent Cisco SD-WAN Attacks
Even with vigilant monitoring, specific flaws have been exploited in the wild. Attackers have chained multiple CVEs to gain initial access, escalate privileges, and deploy web shells in Cisco Catalyst SD-WAN deployments. Understanding these vulnerabilities is key to prioritizing your patching schedule.
In February, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for two critical flaws in Cisco Catalyst SD-WAN. The first, CVE-2026-20127, is an authentication bypass vulnerability that could allow an attacker to bypass security controls. The second, CVE-2026-20775, is a privilege-escalation flaw that lets an attacker gain higher-level access. Both were actively exploited, prompting the urgent directive.
Later, in May, Cisco Talos reported that threat actor UAT-8616 was targeting another authentication bypass vulnerability, CVE-2026-20182. This group used the flaw to compromise SD-WAN instances, highlighting ongoing risk from state-sponsored actors.
Perhaps most concerning is the use of chained vulnerabilities. Attackers combined three CVEs — CVE-2026-20133, CVE-2026-20122, and CVE-2026-20228 — in Cisco Catalyst SD-WAN Manager to release web shells. By chaining an authentication bypass with privilege escalation and a remote code execution flaw, they gained persistent access to the management interface.
Finally, a zero-day exploit was disclosed by Mandiant. In March, attackers exploited CVE-2026-20245 in Cisco Catalyst SD-WAN at a communications service provider. This zero-day vulnerability allowed them to bypass authentication entirely, leading to a full compromise before a patch was available. These Cisco SD-WAN attacks show a clear pattern: adversaries are methodically chaining flaws to reach your network edge.
Customer-Managed Patching: A Critical Security Gap
That chain of exploits becomes far more dangerous when you consider who is responsible for closing those gaps. Cisco Catalyst SD-WAN is often deployed in your own environment, which means your security team carries the patching responsibility. Unlike cloud-managed solutions where the vendor handles updates automatically, on-premises deployments leave you in charge of applying fixes. This is a significant security gap because it introduces delays.
Jonathan Forest, VP analyst at Gartner, notes that the result can be delays in patching and vulnerabilities being exposed for an extended time. When you are managing multiple devices across distributed locations, keeping every system updated is a constant challenge. Attackers know this. They actively scan for unpatched systems, and the Cisco SD-WAN attacks we’ve seen often target known vulnerabilities that remain open because patches haven’t been applied quickly enough.
In contrast, cloud-managed SD-WAN solutions shift the update burden to the vendor. Patches are deployed centrally and automatically, reducing the window of exposure. For customer-managed setups, the onus is on you to establish a rigorous vulnerability management process. This means prioritizing critical patches, testing them in a staging environment, and rolling them out without disrupting operations. Without that discipline, your network edge remains a tempting target.
To close this gap, consider these steps:
- Establish a clear patching policy with defined timelines for critical and high-severity vulnerabilities.
- Use automated tools to scan your SD-WAN infrastructure for missing patches.
- Maintain an inventory of all devices and their firmware versions to track update status.
- Test patches in a non-production environment before wide deployment.
By taking patching responsibility seriously, you reduce the risk that a delayed update becomes the opening for the next wave of Cisco SD-WAN attacks.
Government Sites and Critical Infrastructure Under Fire
Even with diligent patching, the scope of this campaign should give you pause. The attacks have struck key government sites and critical infrastructure providers, though the specific sectors have not been named. That lack of detail does not lessen the concern — it actually highlights a broader vulnerability across government cybersecurity and critical infrastructure protection. When one campaign can penetrate multiple high-value targets, it signals that no single sector is immune.

One concrete example comes from Mandiant, which disclosed a March attack where a hacker exploited the zero-day vulnerability CVE-2026-20245 in Cisco Catalyst SD-WAN at a communications service provider. This incident in the communications sector shows how Cisco SD-WAN attacks can be weaponized against the very networks that keep society connected. The attacker leveraged the flaw to gain initial access, demonstrating that even well-protected providers can be blindsided by an unpatched vulnerability.
At this point, the full scale and geographic distribution of the campaign remain unclear from public reports. That uncertainty is itself a warning: you cannot rely on others to tell you when your own network is at risk. The practical takeaway is to treat your environment as if it were already a target. Strengthen your monitoring, verify that all SD-WAN appliances are running the latest firmware, and review access logs for any signs of unusual behavior. Government sites and critical infrastructure may be the headline, but the lesson applies to every organization using Cisco SD-WAN.
On a similar note, Salesforce Data Thefts Continue via Klue App explores this topic with concrete examples.
Attribution: State-Nexus Actors and the UAT-8616 Connection
That practical advice is your first line of defense, but it helps to understand who is behind these attacks to gauge the real threat. While the threat actor tracked as UAT-8616 has been publicly named, the tactics, targets, and tools involved draw striking parallels to state-sponsored campaigns, pointing toward broader, possibly nation-state involvement. This isn’t just another group of cybercriminals; the operational patterns suggest a higher level of intention and resources.
Cisco Talos in May confirmed that UAT-8616 was actively exploiting the authentication bypass vulnerability CVE-2026-20182. This zero-day targeting of Cisco SD-WAN devices is a hallmark of sophisticated operations. The specific focus on network infrastructure—rather than end-user data—aligns with the modus operandi of known state-nexus actors. For context, during the 2024 Salt Typhoon campaign, attackers leveraged access to Cisco devices to reach into major telecommunications providers, demonstrating a similar playbook of using network gear as a pivot point for cyber espionage. The overlap in technique and target selection is hard to ignore.
Additionally, Mandiant disclosed a March attack where a hacker exploited zero-day vulnerability CVE-2026-20245 in Cisco Catalyst SD-WAN at a communications service provider. Notably, the attribution for that incident was not publicly revealed, which often hints at state-level capabilities. Such restraint in naming attackers is common when investigations involve classified intelligence or ongoing diplomatic considerations. For you, this means that the Cisco sd-wan attacks linked to UAT-8616 are not isolated events. They are part of a pattern where state-sponsored threat actors appear to be systematically probing and exploiting the same attack surface. The connection to Salt Typhoon and the unclaimed zero-day suggest a coordinated push against critical infrastructure, raising the stakes for any organization relying on Cisco SD-WAN.
Mitigation Best Practices for Cisco SD-WAN Deployments
That coordinated push means you need a response plan that matches the severity of the threat. Organizations can reduce risk by prioritizing patching, monitoring for anomalies, and adopting a defense-in-depth approach for edge infrastructure. The goal is simple: make your SD-WAN deployment harder to compromise, not just harder to detect.
Apply all available patches from Cisco immediately. Delays in patching are one of the biggest risks. Jonathan Forest, VP analyst at Gartner, said the result can be delays in patching and vulnerabilities being exposed for an extended time. That extended exposure window is exactly what attackers exploit. Set up a process that checks for Cisco security advisories weekly, and have a plan to test and deploy critical patches within days, not weeks.
Implement network segmentation and access controls. Even if an attacker finds a way in, segmentation limits how far they can move laterally. Place SD-WAN controllers and edge devices in separate security zones, enforce strict firewall rules between them, and restrict management access to only authorized IP ranges. This practice is a core part of SD-WAN security best practices.
Leverage threat intelligence feeds to detect exploitation attempts. Use feeds that focus on Cisco SD-WAN attacks specifically. Indicators of compromise published by security researchers and Cisco itself can alert your team to scanning or exploitation attempts before they become full-blown breaches. Integrate these feeds into your existing security monitoring tools.
Conduct regular security assessments of SD-WAN deployments. Vulnerability management should include your edge infrastructure, not just your internal servers. Simulate attacks against your SD-WAN setup to find weak points in configuration or unpatched components. Douglas McKee, director of vulnerability intelligence at Rapid7, said edge infrastructure remains one of the highest-value targets in enterprise security. Treat it accordingly.
A defense-in-depth approach means no single control is your only line of defense. Combine patching, segmentation, monitoring, and assessment into a cycle that continuously improves your security posture. The threat against Cisco SD-WAN is real, but a structured, proactive mitigation plan can keep your edge infrastructure resilient.
Frequently Asked Questions
How can organizations protect their Cisco SD-WAN deployments?
Start by applying security patches as soon as Cisco releases them. Use segmentation to isolate critical traffic and enforce strict access controls on management interfaces. Monitoring for unusual traffic patterns can also help you catch Cisco sd-wan attacks early before they escalate.
Why is Cisco SD-WAN such a high-value target for threat actors?
Because SD-WAN sits at the center of your network, controlling traffic between all branch offices and the core. Compromising it gives attackers a direct path to sensitive data and critical infrastructure. That makes Cisco sd-wan attacks especially dangerous for organizations with widespread distributed networks.
How does customer-managed patching affect the security of Cisco SD-WAN?
When you manage patching yourself, the responsibility falls on your team to stay current with every update. Delays in applying patches leave known vulnerabilities open for exploitation. This gap is one of the main reasons Cisco sd-wan attacks succeed against otherwise well-defended networks.






