When CISA issued Emergency Directive 26-03 ordering federal agencies to remediate vulnerabilities in Cisco Catalyst SD-WAN systems, the initial directive focused on patching and inventory. The Supplemental Direction that followed shifts the focus to what many teams skip even after patching: determining whether the system was already compromised before the fix was applied. The hunt-and-hardening guidance published by CISA represents one of the more operationally detailed compromise assessment checklists the agency has produced, and it is directly applicable to any enterprise running Cisco Catalyst SD-WAN, not only federal agencies.
The Underlying Vulnerabilities
CVE-2026-20127 carries a CVSS score of 10.0, the maximum possible. The vulnerability is an authentication bypass affecting the Cisco Catalyst SD-WAN Controller and Manager (formerly vManage). An unauthenticated remote attacker can bypass authentication entirely and obtain full administrative privileges over the SD-WAN management plane. Cisco's threat intelligence indicates this vulnerability has been exploited in the wild since at least 2023, meaning affected organisations that have not yet patched have been exposed to unauthenticated remote administrative access for over two years.
CVE-2022-20775 is a path traversal vulnerability that allows an authenticated, local attacker to escalate privileges to root-level access. In combination with CVE-2026-20127, an attacker can chain unauthenticated remote access with complete OS-level compromise of the SD-WAN controller.
The SD-WAN management plane is particularly high-value for attackers. Compromising the Controller or Manager gives an adversary visibility into and control over the entire SD-WAN fabric: routing policies, tunnel configurations, connected branch sites, and the ability to redirect or intercept traffic across the WAN.
What the Hunt Guidance Directs Defenders to Check
CISA's supplemental direction focuses on four categories of indicators that defenders should review in potentially exposed environments.
Software version anomalies. Attackers with administrative access to SD-WAN controllers have been observed performing software version downgrades, reverting systems to earlier, more vulnerable versions to maintain persistence or re-enable access paths that newer versions closed. Review logs for any software version change events, particularly downgrades, and treat them as high-confidence indicators of compromise.
Unauthorised reboots and application reversions. Unexpected device reboots, particularly outside maintenance windows, and application reversions (where a running application configuration rolls back to a previous state) can indicate an attacker executing configuration manipulation. Correlate reboot events against change management records.
Rogue connections and unusual peering. Review SD-WAN fabric topology for any devices, tunnel endpoints, or peer connections that are not in configuration management records. An attacker with management plane access may establish persistent access by registering unauthorised edge devices or modifying tunnel configurations to forward traffic to attacker-controlled infrastructure.
Credential and log manipulation. Look for accounts created or modified outside of normal provisioning workflows, changes to authentication configuration (particularly any weakening of MFA or removal of access restrictions), and gaps or modifications in log files. Log tampering, including truncation, deletion, or modification of event logs, is a consistent indicator of post-exploitation activity in network infrastructure.
How to Prioritise Your Assessment
Not every organisation running Cisco SD-WAN faces identical risk. Prioritise immediate assessment if any of the following apply:
- The SD-WAN Controller or Manager interface has been internet-exposed (even temporarily) since 2023
- The vulnerable software versions were in use before the patches specified in ED 26-03 were applied
- You cannot confirm the patch was applied before a potential exploitation window closed
- Your SD-WAN environment carries traffic for high-sensitivity networks (financial systems, OT environments, classified or regulated data)
For organisations that applied patches promptly after initial disclosure and had their Controller and Manager interfaces accessible only from dedicated management networks, the risk of prior compromise is substantially lower, but the hardening review in CISA's supplemental direction is still warranted.
Recommended Actions
- Apply all patches cited in ED 26-03 if not already done. Cisco has issued updates addressing CVE-2026-20127 and CVE-2022-20775. Consult Cisco's Security Advisory for version-specific guidance.
- Execute CISA's hunt checklist in full. Review SD-WAN controller logs for software version changes, unexpected reboots, application reversions, unrecognised peering relationships, and credential modifications going back to 2023 if logs are available.
- Restrict management plane access. If the SD-WAN Controller or Manager is reachable from the internet or from untrusted network segments, remediate this immediately. Management access should be limited to a dedicated management VLAN or jump host with MFA enforced.
- Audit the SD-WAN fabric topology. Export current device inventory and tunnel configurations and compare against authorised configuration management records. Any discrepancy warrants investigation.
- Preserve and export all relevant logs before they rotate. If a compromise assessment is initiated, log retention is critical. Export SD-WAN controller logs to long-term storage immediately.
- Consider a professional compromise assessment for environments where internet exposure of the management plane cannot be ruled out for the 2023-2026 window. The breadth of access that CVE-2026-20127 provides makes silent, persistent compromise a realistic scenario.
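The four hunt categories above (version downgrades, reboots and application reversions outside change windows, peers absent from configuration management, account creation and log gaps) and the topology comparison in the actions list can be run as one triage pass over an exported audit log. The script below is an added example written for this article, not CISA's or Cisco's tooling; its event format, sample lines and authorised records are constructed, so the parser must be adapted to whatever export your controller actually produces.

```python
"""Triage of an SD-WAN controller audit export against the ED 26-03 hunt categories.
Event format, sample lines and authorised records are constructed for this example."""
from datetime import datetime, timedelta

# Constructed sample export, one event per line: "<ISO time> <EVENT> key=value ...".
SAMPLE_LOG = """\
2026-02-01T02:10:00Z SOFTWARE_CHANGE device=vmanage-1 from=20.9.1 to=20.12.4 user=admin
2026-02-03T23:41:12Z SOFTWARE_CHANGE device=vmanage-1 from=20.12.4 to=20.9.1 user=admin
2026-02-03T23:42:30Z REBOOT device=vmanage-1 user=admin
2026-02-03T23:45:00Z APP_REVERT device=vmanage-1 user=admin
2026-02-03T23:50:05Z USER_CREATE account=svc_backup role=netadmin user=admin
2026-02-04T00:05:00Z PEER_ADD device=vedge-9 system_ip=10.9.9.9
2026-02-05T09:00:00Z REBOOT device=vedge-2 user=ops
"""
# Constructed configuration-management records that the export is compared against.
AUTHORISED_DEVICES = {"vmanage-1", "vsmart-1", "vedge-1", "vedge-2"}
AUTHORISED_ACCOUNTS = {"admin", "ops"}
MAINTENANCE_WINDOWS = [("2026-02-05T08:00:00Z", "2026-02-05T10:00:00Z")]
LOG_GAP_THRESHOLD = timedelta(hours=48)  # silence longer than this may be truncation

def ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))
def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def parse_line(line):
    when, event, *kvs = line.split()
    return {"ts": ts(when), "event": event, **dict(kv.split("=", 1) for kv in kvs)}

def in_maintenance(when):
    return any(ts(a) <= when <= ts(b) for a, b in MAINTENANCE_WINDOWS)

def hunt(log_text):
    """Return (category, detail) findings in the order the events appear."""
    findings, prev = [], None
    for e in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        if prev and e["ts"] - prev > LOG_GAP_THRESHOLD:  # possible log deletion/truncation
            findings.append(("log_gap", f"{prev.isoformat()} -> {e['ts'].isoformat()}"))
        prev = e["ts"]
        if e["event"] == "SOFTWARE_CHANGE" and version_tuple(e["to"]) < version_tuple(e["from"]):
            findings.append(("version_downgrade", f"{e['device']} {e['from']}->{e['to']}"))
        elif e["event"] == "REBOOT" and not in_maintenance(e["ts"]):
            findings.append(("reboot_outside_window", e["device"]))
        elif e["event"] == "APP_REVERT":  # always correlate against change records
            findings.append(("application_reversion", e["device"]))
        elif e["event"] == "USER_CREATE" and e["account"] not in AUTHORISED_ACCOUNTS:
            findings.append(("unauthorised_account", e["account"]))
        elif e["event"] == "PEER_ADD" and e["device"] not in AUTHORISED_DEVICES:
            findings.append(("rogue_peer", f"{e['device']} {e['system_ip']}"))
    return findings
```

Each finding is a lead for correlation against change management records, not a verdict; the in-window reboot of vedge-2 is deliberately not flagged to show that the maintenance calendar is part of the input.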
CISA's guidance makes clear that patching alone is an insufficient response to a CVSS 10.0 vulnerability that has been actively exploited for over two years. The assessment work required to determine whether a compromise occurred before patching is not optional; it is the difference between a remediated vulnerability and an undetected intrusion.