The Cybersecurity and Infrastructure Security Agency is directing agencies to quickly address critical vulnerabilities in some Cisco networking systems.
In an emergency directive issued today, CISA told federal agencies to inventory Cisco Software-Defined Wide-Area Networking (SD-WAN) systems, apply updates and evaluate whether any compromises have occurred.
The directive comes as hackers target SD-WAN systems across the world. The vulnerability affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. In an advisory, Cisco said the vulnerability “could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.”
CISA is directing agencies to patch those systems by 5 p.m. on Feb. 27.
]]>
Nick Andersen, CISA’s executive assistant director for cybersecurity, said “forensic analysis” demonstrated that the “ease of exploiting these vulnerabilities requires immediate action from all federal agencies.”
“The threat actors are seeking to gain unauthorized access to potentially compromise federal networks,” Andersen said during a call with reporters Wednesday. “Our focus right now is share timely guidance, mitigate the risk and ensure that our federal partners have the information they need to defend against the activity.”
SD-WAN software allows organizations to share data and applications across disparate offices, remote workstations and other authorized devices, within both physical and cloud-based infrastructure. The use of such networking devices has increased in recent years.
“The ability to orchestrate environments virtually, to interconnect offices and data centers and compute environments is one that is certainly picked up in popularity in recent years, and SD-WANs are a big part of what we know to be deployed, not just within federal civilian executive branch agencies, but more broadly across industry,” Andersen said.
CISA’s directive includes several deadlines for federal agencies beyond the Feb. 27 patch deadline.
By Feb. 26, agencies are required to identify any potentially affected Cisco SD-WAN systems and provide the inventory to CISA. Agencies are also required by Feb. 26 to ensure all SD-WAN systems are configured to store logs externally and collect forensic artifacts.
CISA additionally provided agencies with supplemental “hunt” and “hardening” guidance for the SD-WAN systems.
]]>
Meanwhile, agencies have been directed to send CISA a “detailed inventory” of any affected systems, the steps they have taken to apply updates and hunt for a potential compromise by March 5.
And by March 12, CISA wants a report on actions agencies have taken to harden their networks from the Cisco vulnerabilities.
CISA is coordinating the guidance as it also navigates a lapse in appropriations for the entire Department of Homeland Security. During the shutdown, roughly one-third of CISA’s 2,341 employees are continuing to work without pay, while the rest have been furloughed.
Andersen said that shutdown disruptions “create uncertainty, strain our workforce and give adversaries unnecessary advantages, forcing frontline cybersecurity experts to perform critical work without pay.”
Meanwhile, the SD-WAN vulnerability continues a trend of adversaries targeting so-called “edge devices,” as they sit at the boundary of an organization’s network and route network traffic.
CISA and other cyber agencies have increasingly sounded the alarm about hackers targeting vulnerabilities in edge devices to gain a foothold and further exploit sensitive networks. Earlier this month, CISA directed federal agencies to identify and upgrade any unsupported edge devices on their networks.
“We’re continuing to see adversary movement target edge devices, which is why I think we’ve both had emergency directives related to edge devices, as well as binding operational directives focused on that,” Andersen said. “Our efforts continue to minimize the available attack surface for the cyber actors to be able to take advantage of.”
Copyright
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
