Cisco SD-WAN Zero-Day Under Exploitation for 3 Years
The maximum-severity vulnerability CVE-2026-20127 was exploited by an unknown but sophisticated threat actor who left very little evidence behind.
Stay informed on Cisco security updates, threats, and solutions. Get the latest news and expert insights on Cisco information security developments.
Search across headline titles and summaries.
Background for this topic.
Cisco produces networking devices and software that manage data flow in enterprise and service provider networks, including routers, switches, and firewalls. These components are often central points controlling network traffic and access, making their integrity critical for secure communications and network stability.
Security risks with Cisco equipment commonly arise from firmware vulnerabilities, exposed management interfaces, and configuration errors that attackers can exploit to gain unauthorized access or disrupt services. Timely application of security patches and strict access controls on device management interfaces are essential to reduce exposure. Monitoring network devices for unusual activity also helps detect potential compromises early in environments relying on Cisco infrastructure.
The maximum-severity vulnerability CVE-2026-20127 was exploited by an unknown but sophisticated threat actor who left very little evidence behind.
A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025
A rare joint alert from all five spy agencies means serious business The Five Eyes intelligence alliance is urgently warning defenders to patch two Cisco Catalyst SD-WAN vulnerabilities used in attacks.…
The US and allies are urging Cisco Catalyst SD-WAN customers to hunt for signs of exploitation
A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has come under active exploitation in the wild as part of malicious activity that dates back to 2023
Emergency CISA Directive Lands as DHS Shutdown Strains Cyber OperationsThe Cybersecurity and Infrastructure Security Agency issued a directive Wednesday ordering civilian agencies to secure and hunt for compromise in vulnerable Cisco SD-WAN systems after officials observed active exploitation - while warning that shutdown-related disruptions heighten operational risk.
Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add malicious rogue peers to targeted networks. [...]
Cisco: One Prompt May Not Break Most AI Models, But a Conversation WillCisco tested eight major open-weight artificial intelligence models and found multi-turn jailbreak attacks succeeded nearly 93% of the time, exposing a blind spot in how enterprises assess and deploy large language models safety.