CISA KEV Update: Patch Urgency for Cisco Catalyst SD-WAN Flaws

CISA’s Known Exploited Vulnerabilities (KEV) Catalog expanded on February 25, 2026, with two additions that deserve immediate attention from network teams: CVE-2022-20775, a path traversal/privilege‑escalation flaw in Cisco Catalyst SD‑WAN components, and CVE-2026-20127, a critical authentication bypass in Cisco Catalyst SD‑WAN Controller and Manager that has confirmed exploitation in the wild. Both affect core SD‑WAN infrastructure — systems responsible for routing, security policy enforcement, and management across distributed enterprise networks — turning what might once have been a niche patch cycle into an urgent remediation priority.

Background​

Binding Operational Directive (BOD) 22‑01 created the KEV Catalog as a focused instrument for reducing risk across the federal enterprise by forcing accelerated remediation of vulnerabilities with evidence of active exploitation. The directive requires Federal Civilian Executive Branch (FCEB) agencies to remediate cataloged vulnerabilities on an accelerated schedule (typically two weeks for CVEs assigned after 2021), and it is the reason KEV additions immediately translate into binding deadlines for federal networks. Although BOD 22‑01 binds federal agencies, the KEV process is a best‑practice signal to the broader community: vulnerabilities added to the KEV are those that attackers are actively using, which elevates them to top priority for every organization with affected assets.
Cisco’s Catalyst SD‑WAN portfolio (Controller, Manager, and related components) is widely deployed in enterprises and service provider environments. These devices operate at the control and management plane of wide area networks, and compromise of these components can provide attackers with powerful capabilities: adding rogue peers, changing routing and security policies, intercepting traffic, and creating persistent footholds that are difficult to detect and remediate.

---

What CISA added and why it matters​

The two new KEV entries (summary)​

• CVE-2022-20775 — Path traversal / CLI privilege escalation in Cisco Catalyst SD‑WAN components. This is an older CVE (assigned in 2022) describing improper input validation in CLI/API endpoints that can be abused to write or manipulate files and ultimately escalate to root privileges.
• CVE-2026-20127 — Authentication bypass in Cisco Catalyst SD‑WAN Controller and Manager. This is a critical improper‑authentication vulnerability that allows an unauthenticated remote actor to bypass peering authentication and gain administrative access. Cisco and at least one national CERT have reported evidence of exploitation.

Both entries were added because there is credible evidence of active exploitation. That combination — attacker activity plus privileged network targets — is why CISA placed them in the KEV Catalog and why remediation must be prioritized.

Why SD‑WAN vulnerabilities are high‑impact​

SD‑WAN controllers and managers are not typical application servers. They:

• Hold network topology and policy state that, if altered, can redirect, mirror, or intercept traffic.
• Control distribution of configurations to distributed edge appliances, meaning a single compromised controller can propagate malicious configuration to many sites.
• Frequently have privileged management interfaces that, when accessed, equate to near‑total control of routed traffic and scanning visibility.

Compromise of an SD‑WAN management or control plane therefore enables far more than a local intrusion: it can enable lateral movement, data capture, service disruption, and long‑term persistence across an organization’s network fabric.

---

Technical snapshot: path traversal vs. authentication bypass​

CVE‑2022‑20775 — Path traversal and CLI access​

CVE‑2022‑20775 stems from inadequate validation of path inputs in SD‑WAN CLI/API functions. When exploited, an attacker who already has some level of authenticated local access to the CLI can craft inputs that traverse directories to overwrite or create files in protected locations, often enabling arbitrary command execution with root privileges.
Key technical attributes:

• Class: CWE‑22 / CWE‑25 (Path traversal)
• Attack vector: local/authenticated CLI or API misuse that allows directory traversal
• Impact: arbitrary file write → potential root code execution or service disruption
• Remediation: upgrade to fixed software releases specified by Cisco or restrict CLI access until patched

This CVE has been publicly documented since 2022 and fixed in patched releases, but the KEV addition indicates ongoing or renewed exploitation activity (or that residual vulnerable instances remain accessible and attractive to attackers).

CVE‑2026‑20127 — Authentication bypass with active exploitation​

CVE‑2026‑20127 is more urgent. It is an improper authentication defect in the peering/authentication logic of Catalyst SD‑WAN Controller (formerly vSmart) and Manager (formerly vManage). An unauthenticated attacker can bypass authentication, potentially gaining the equivalent of administrative privileges on the controller/manager.
Key technical attributes:

• Class: CWE‑287 (Improper Authentication)
• Attack vector: remote, unauthenticated requests against peering/authentication interfaces
• Impact: attacker can add rogue peers, obtain administrative access, execute follow‑on actions (persistence, policy changes)
• Exploitation evidence: vendor and national CERTs report observed incidents where malicious rogue peers were added to impacted SD‑WAN configurations

Because this flaw removes a fundamental gate to administrative access, the consequences are immediate and severe: an attacker can rewire a deployed SD‑WAN, implant backdoors, or create persistent tunnel access without needing initial credentials.

---

Evidence and reporting: what we know​

Multiple vendor and national cyber centers have documented the issues and confirm exploitation activity for the 2026 authentication bypass.

• Cisco’s security advisories outline the vulnerabilities, list affected releases, and publish mitigation and fixed‑release guidance. Cisco’s advisories also recommend specific detection actions (for example, auditing auth.log for suspicious SSH publickey acceptance events) and encourage customers to open TAC cases if compromise is suspected.
• The Canadian Centre for Cyber Security (and allied CERTs) has issued alerts noting active exploitation and incidents in which malicious rogue peers were introduced into SD‑WAN configurations, enabling persistent administrative access.
• Public vulnerability databases and CVE/NVD entries document CVE‑2022‑20775 (path traversal) with references to Cisco advisories and third‑party research.

Taken together, these independent sources (vendor advisory, national CERT alert, and NVD/third‑party writeups) establish both technical details and operational evidence for active misuse — the threshold that drives KEV inclusion.
Caveat: statements about the scope of exploitation should be treated carefully. Cisco has characterized exploitation of some of these flaws as “limited” in public advisories; national CERTs have described incidents. That mix — limited but confirmed exploitation — is typical for high‑value targets: attackers act selectively but with high impact. Organizations should not wait for “mass exploitation” to patch; targeted exploitation against critical infrastructure requires immediate action.

---

Immediate mitigation and remediation guidance​

If you operate any Cisco Catalyst SD‑WAN Controller, Manager, or related component, treat this as a high‑urgency incident. Use the following prioritized steps:

• Identify affected assets immediately
• Inventory your SD‑WAN estate: controllers, managers, orchestration components, and any devices exposing SD‑WAN management or control planes to the internet.
• Confirm software release versions against Cisco’s affected/fixed release matrices.
• Apply vendor fixes as the primary remediation
• Upgrade affected systems to the fixed software releases Cisco lists for each CVE.
• If a fixed release is not immediately available for your exact version, prioritize migration to a supported, patched release.
• If you cannot patch immediately, isolate and restrict access
• Remove internet exposure for management/control interfaces — do not allow public access to vManage/vSmart or their APIs.
• Restrict management plane access to a small set of trusted management IP addresses using access control lists (ACLs), VPN tunnels, or private management VLANs.
• Disable unnecessary services (HTTP, FTP) on the management interface as a temporary hardening measure.
• Detect and respond to possible compromise
• Audit auth.log (and equivalent logs) for unusual entries such as “Accepted publickey for vmanage-admin from [unknown IP]” and compare against your configured System IPs.
• Look for changes in peer lists, unexpected certificates or SSH keys, and unauthorized configuration pushes.
• For suspected compromise, collect admin‑tech output and open a case with Cisco TAC; preserve logs and configuration snapshots for forensic analysis.
• Rotate credentials and keys
• After remediation, rotate management passwords, administrative accounts, and SSH keys. Treat any pre‑patch credentials as suspect if exposure was possible.
• Reissue and validate TLS/SSH certificates used by management components as needed.
• Monitor and harden post‑patch
• Enable stricter logging and monitoring on SD‑WAN components.
• Deploy IDS/IPS rules tuned to detect anomalous SD‑WAN control traffic or configuration pushes.
• Validate configuration integrity with periodic checksums and configuration drift detection.

These steps reflect vendor guidance and operational best practices for critical networking gear. Patching is the only definitive remediation; the other steps are risk‑reduction and detection measures while you schedule and execute upgrades.

---

Detection checklist: indicators of compromise (IOC) for SD‑WAN administrators​

• Unrecognised SSH public key authentications for administrator accounts in /var/log/auth.log.
• Presence of unknown or suspicious “peer” entries in the controller/manager peer lists.
• Unexpected configuration pushes or rollbacks to device configurations, including changes to security policies or routing.
• New or altered system accounts with admin privileges.
• Abnormal system processes, scheduled tasks, or files written to protected directories (suggestive of path traversal abuse).
• Outbound connections from SD‑WAN control/management plane to unfamiliar external IPs.

If you detect any of these indicators, assume potential compromise until proven otherwise: preserve logs, collect admin‑tech artifacts, and engage vendor support and incident response teams.

---

The operational reality: patching SD‑WAN is hard — but non‑negotiable​

Enterprises commonly delay network device upgrades for reasons including change‑control windows, service‑level constraints, inter‑device compatibility, and fear of breaking live traffic. SD‑WAN controllers are especially sensitive because they coordinate deployment of configuration to hundreds or thousands of edge devices.
That operational friction does not remove risk: an unpatched SD‑WAN controller offers a single high‑value target that, when compromised, can silently propagate malicious configuration. CISA’s KEV additions — and the federal remediation mandates that follow — rightly prioritize these flaws because patching a controller may be hard, but the alternative (persistent administrative compromise of your network fabric) is far worse.
Practical advice to align operations with security objectives:

• Pre‑stage upgrades in a lab with realistic topology and compatibility checks so the upgrade path is validated before hitting production windows.
• Implement maintenance windows and phased rollouts that allow rapid upgrade while containing potential service impacts.
• Use canary deployments for critical controller upgrades: patch a subset, validate behavior, then roll out to the whole estate.
• Where patching requires vendor coordination (for hosted or managed environments), enforce contractual SLAs that include security patch timelines and incident notifications.

---

For federal agencies: BOD 22‑01 timelines and compliance implications​

Under BOD 22‑01, vulnerabilities listed in the KEV Catalog become remediation requirements with fixed timelines. The directive’s default timelines generally require remediation within two weeks for CVEs assigned after 2021; agencies must update internal vulnerability management procedures to comply and report remediation status via the Continuous Diagnostics and Mitigation (CDM) Federal Dashboard or CyberScope.
Federal teams should:

• Treat KEV additions as operational directives and begin remediation immediately.
• Report status and exceptions per BOD 22‑01 requirements; if mitigation cannot be completed within the required timeframe, remove or isolate the asset from agency networks.
• Coordinate with enterprise risk, network engineering, and change management to ensure that required patches are deployed within the directive’s mandatory timelines.

Non‑federal organizations should not use BOD timelines as an excuse to delay; CISA’s KEV list is intended as a community signal of active threat, and private sector operators stand to suffer similar operational and reputational harm from exploitation.

---

Broader implications and risk analysis​

Adding these SD‑WAN CVEs to the KEV Catalog underscores several broader trends in adversary targeting and defensive gaps.

• Attackers focus increasingly on management and control infrastructure. Compromise of those assets yields outsized impact relative to effort.
• Historically “internal” or “management” interfaces are now commonly exposed — sometimes deliberately for remote management, sometimes accidentally — creating an attack surface that must be tightly controlled.
• Vulnerability lifecycle friction persists: even when patches are available, organizational constraints often delay remediations, leaving high‑value targets exposed.
• Detection is difficult. A well‑crafted configuration change or a new peer can blend into legitimate administrative activity; strong logging, baselining, and out‑of‑band verification are crucial.

Positive note: vendor transparency and collaborative reporting (vendor advisories, national CERT alerts, NVD entries) improve defenders’ ability to act. Cisco’s advisories and the national CERTs’ alerts provide actionable detection and mitigation guidance, which reduces friction for defenders who must triage and prioritize.

---

Recommended 10‑point action checklist (for immediate use)​

• Inventory — Identify all Cisco Catalyst SD‑WAN Controller, Manager, and associated devices.
• Version check — Map installed versions to Cisco’s affected/fixed release tables.
• Patch — Plan and apply vendor‑recommended updates immediately; treat KEV entries as high‑priority.
• Isolate — Remove internet exposure for management planes until patched.
• Restrict — Apply ACLs or VPN gating to limit management access to trusted IPs.
• Audit — Search admin logs for suspicious publickey acceptances and anomalous config changes.
• Rotate — Reset administrative credentials and reissue keys/certificates post‑remediation.
• Detect — Deploy monitoring rules for abnormal peer additions, config pushes, and control‑plane anomalies.
• Validate — Verify integrity of configuration and device file systems for signs of tampering.
• Report — If federal, update CDM/CyberScope as required; if compromised, involve vendor TAC and your incident response team.

---

Final analysis: act now, assume compromise, plan for resilience​

The addition of CVE‑2022‑20775 and CVE‑2026‑20127 to CISA’s KEV Catalog is a clear, actionable warning: SD‑WAN control and management planes are being targeted and, in at least some cases, successfully exploited. For network operators and security teams the calculus is straightforward — the risk (complete control of your WAN fabric) far outweighs the operational pain of patching and hardening.
Start with discovery and immediate isolation where possible, prioritize vendor‑provided fixes, and then move to verification and remediation of any suspected compromises. Importantly, treat management and control infrastructure with the same — or greater — urgency you would assign to internet‑facing servers: these systems are, in the modern enterprise, mission‑critical security choke points.
CISA’s KEV mechanism exists to force timely action; organizations that treat these additions as “optional” invite attackers to leverage widely trusted network management tools as their most effective attack vectors. Remediate now, harden the management plane, and bake SD‑WAN security into your ongoing change and asset‑management processes to prevent the next KEV addition from becoming an operational crisis.

---

Source: CISA CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA