Ongoing Exploitation of Cisco SD-WAN Systems
Malicious actors are actively exploiting CVE-2026-20127 for initial access and CVE-2022-20775 for privilege escalation and persistence on Cisco SD-WAN systems globally.
CISA and its partners have observed malicious cyber actors targeting and compromising Cisco SD-WAN systems across various organizations globally. The attackers are leveraging CVE-2026-20127, an authentication bypass vulnerability, for initial access. Following successful exploitation of CVE-2026-20127, the attackers escalate privileges and establish long-term persistence within the compromised SD-WAN systems using CVE-2022-20775. In response to this active exploitation, CISA issued Emergency…
Detection coverage: 3 rules

Detect SD-WAN Authentication Bypass Attempt
Severity: high
Detects attempts to exploit CVE-2026-20127, an authentication bypass vulnerability in Cisco SD-WAN systems, by monitoring for abnormal authentication patterns.

SD-WAN Configuration Change Detection
Severity: medium
Detects suspicious configuration changes within Cisco SD-WAN systems that may indicate malicious activity following exploitation of CVE-2022-20775.

Detect SD-WAN Remote Syslog Configuration Modification
Severity: medium
Detects modifications to syslog settings, which may indicate an attacker attempting to disable or redirect logging after compromising the system via CVE-2022-20775.