NSA Joins ASD’s ACSC and Others to Release a Cybersecurity Alert and Related Hunt Guide on - National Security Agency (.gov)

PRESS RELEASE | Feb. 26, 2026 NSA Joins ASD’s ACSC and Others to Release a Cybersecurity Alert and Related Hunt Guide on Cisco SD-WAN Systems FORT MEADE, Md. – The National Security Agency (NSA), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), and other agencies have issued the Cybersecurity Alert "Exploitation of Cisco SD-WAN Appliances," and a corresponding, "Cisco SD-WAN Threat Hunt Guide." The alert warns of malicious cyber actors targeting Cisco Catalyst Software Defined Wide Area Network (SD-WAN) systems used globally. The Hunt Guide details the tactics, techniques, and procedures (TTPs) used by the actors, and helps organizations identify and investigate potential compromise of their Cisco Catalyst SD-WAN systems. For over a year, malicious actors exploited vulnerabilities in Cisco SD-WANs. Most notably, by leveraging a previously unknown (zero-day) vulnerability, CVE-2026-20127, these actors introduced a malicious rogue peer, gained authenticated access, and established persistent, long-term presence within the compromised SD-WAN networks. Cybersecurity professionals and network administrators are strongly advised to take immediate action to ensure all Cisco Catalyst SD-WAN devices are fully patched to the appropriate Fixed Release version. They are also advised to hunt for evidence of compromise, as described in the Hunt Guide, and apply Cisco’s SD-WAN hardening guidance to reduce risks. Patching, executing the Hunt Guide, and reviewing the SD-WAN hardening guidance in full is crucial for high-confidence network security. Co-sealing this Cybersecurity Alert and Hunt Guide are the National Security Agency (NSA); Cybersecurity and Infrastructure Security Agency (CISA); Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC); Canadian Centre for Cyber Security (Cyber Centre); New Zealand’s National Cyber Security Centre (NCSC-NZ); and United Kingdom’s National Cyber Security Centre (NCSC-UK). Read the full reports. Exploitation of Cisco SD-WAN Appliances Cisco SD-WAN Threat Hunt Guide Cisco Security Advisory - Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability Cisco Security Advisory - Cisco Catalyst SD-WAN Vulnerabilities Visit our full library for more cybersecurity information and technical guidance. NSA Media Relations MediaRelations@nsa.gov 443-634-0721 SHARE PRINT cybersecurity csa Hunt Guide Cisco Cisco SD-WAN exploitation Alert network defenders