US Cybersecurity and Infrastructure Security Agency (CISA) Emergency Directive 26-03 for Federal civilian executive branch systems remediation and reporting deadlines through
Public Sector Action
Summary
CISA issued Emergency Directive 26-03 after warning that attackers are actively exploiting Cisco Catalyst SD-WAN vulnerabilities across US federal networks. The directive centers on CVE-2026-20127, a critical authentication bypass flaw that could give an unauthenticated attacker administrative access and broad control over network traffic. Federal civilian agencies must inventory affected systems, collect forensic evidence, apply updates, and report remediation by March 23, 2026.
Related Happenings
CISA KEV remediation order for Cisco Catalyst SD-WAN Controller CVE-2026-20182
Public Sector Action
First: 15.05.2026 08:28
Last: 15.05.2026 08:28
Sources 1
About this happening:
**CISA** added **CVE-2026-20182** to the **KEV catalog** and ordered **Federal Civilian Executive Branch agencies** to remediate **Cisco Catalyst SD-WAN Controller** by **May 17,...
Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)
Vulnerability
First: 14.05.2026 23:09
Last: 14.05.2026 23:09
Sources 1
About this happening:
**CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...
Latest development: 14.05.2026 23:25
Cisco released a patch for CVE-2026-20182, giving organizations using Cisco Catalyst SD-WAN Controllers a way to block the authentication bypass before UAT-8616 can continue using it for administrative access, SSH key insertion, NETCONF changes, and root escalation.
Federal civilian executive branch agency hit by network compromise
Incident
First: 24.04.2026 23:34
Last: 24.04.2026 23:34
Sources 1
About this happening:
A **federal civilian executive branch agency** was compromised in an **early September 2025** intrusion that left attackers with persistent access on **Cisco Firepower** and **Sec...
Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)
Vulnerability
First: 24.04.2026 20:06
Last: 24.04.2026 20:06
Sources 1
About this happening:
**Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...
FIRESTARTER malware on Cisco ASA and FTD devices
Malware Activity
First: 23.04.2026 15:00
Last: 23.04.2026 15:00
Sources 1
About this happening:
CISA has published analysis of **FIRESTARTER**, a malware strain that enables **remote access and control** on **Cisco Firepower** and **Secure Firewall** devices, raising the ris...
Latest development: 24.04.2026 23:34
CISA, NCSC-UK, and Cisco detailed Firestarter persistence on Cisco Firepower and Secure Firewall devices running ASA or FTD software, attributing the backdoor to UAT-4356 and linking the activity to ArcaneDoor. The malware modifies CSP_MOUNT_LIST, stores a copy in /opt/cisco/platform/logs/var/log/svc_samcore.log, restores itself to /usr/bin/lina_cs, and relaunches after termination or reboot; Cisco recommends reimaging and upgrading to fixed releases, or using a cold restart only if reimaging is not possible.
Timeline
- 12.03.2026 14:45 1 article · 2mo ago
CISA warns of active Cisco SD-WAN exploitation
Initial Disclosure
CISA warns that attackers are actively exploiting Cisco Catalyst SD-WAN infrastructure used across US federal networks and centers the warning on CVE-2026-20127, a critical authentication bypass flaw with a CVSS 10 score that could let an unauthenticated attacker gain administrative access and manipulate network configurations or disrupt traffic.
Sources:
- CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws — www.infosecurity-magazine.com — 12.03.2026 14:45
- 12.03.2026 14:45 2 articles · 2mo ago
CISA orders federal remediation steps
Legal Policy Action Update
Emergency Directive 26-03 orders federal civilian executive branch agencies to identify affected Cisco SD-WAN systems, submit inventories to CISA, store logs externally, collect forensic artifacts, apply vendor security updates, hunt for compromise, and rebuild infrastructure if root access is detected, with remediation and logging deadlines extending through March 23, 2026.
Sources:
- CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws — www.infosecurity-magazine.com — 12.03.2026 14:45