Federal Cisco Cleanup
Federal actors have been working to evict persistent attackers from compromised Cisco routers, an active remediation effort that officials are publicizing as part of a wider network hardening push. Cisco's Secure Access and unified architectures were also highlighted for defending AI-scale networks at recent Black Hat discussions, positioning vendor controls as a key containment tool. (x.com) (x.com)
CISA and partner agencies issued an emergency directive on Feb. 25, 2026 ordering federal civilian agencies to inventory in-scope Cisco SD-WAN systems, collect forensic artifacts and apply vendor patches for CVE-2026-20127 within tight windows. (cisa.gov) Cisco disclosed CVE-2026-20127 as a maximum-severity (CVSS 10.0) authentication bypass in Catalyst SD-WAN Controller/Manager that allows unauthenticated administrative access, and published patches on Feb. 25, 2026. (sec.cloudapps.cisco.com)

Multiple incident responders and vendors say the flaw was exploited in the wild as far back as 2023 by a threat actor tracked as UAT-8616, with public reporting documenting long-running access and privilege escalation chains. (thehackernews.com) CISA's guidance and Canadian and allied alerts note that attackers created persistent footholds, including adding rogue SD-WAN peers to configurations, and directed agencies to hunt for signs of long-term compromise. (cisa.gov) Federal teams have been ordered to collect core dumps and virtual snapshots and to disconnect or replace exposed management interfaces while CISA monitors compliance, steps meant to evict entrenched operators from compromised SD-WAN infrastructure. (cisa.gov)

Separately, Cisco showcased its Secure Access and unified security architectures at recent Black Hat events, citing deployments that processed tens of millions of DNS queries and thousands of unique apps as part of its pitch for infrastructure-level containment. (blogs.cisco.com)
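The hunt the directive describes, finding rogue SD-WAN peers that were added to a configuration, comes down to comparing a current peer inventory against a trusted baseline. The script below is an added example, not from CISA or Cisco: it assumes a constructed, simplified JSON peer export keyed by system IP (real vendor exports differ), and flags added peers, removed peers, altered fields, and a new peer that reuses an existing hostname.

```python
import json

# Assumption for this example: peers in these control-plane roles get the highest
# severity, because an unexpected controller can push policy to every edge.
CONTROL_ROLES = {"vsmart", "vbond", "vmanage"}

# Constructed baseline peer export captured before the incident window.
BASELINE_JSON = """[
 {"system_ip": "10.1.0.1",   "site_id": 100, "hostname": "vedge-hq-1", "role": "vedge"},
 {"system_ip": "10.1.0.2",   "site_id": 100, "hostname": "vedge-hq-2", "role": "vedge"},
 {"system_ip": "10.255.0.1", "site_id": 1,   "hostname": "vsmart-1",   "role": "vsmart"}
]"""

# Constructed current export: an unknown controller peer reusing a known hostname,
# plus an edge whose site ID was silently changed.
CURRENT_JSON = """[
 {"system_ip": "10.1.0.1",   "site_id": 100, "hostname": "vedge-hq-1", "role": "vedge"},
 {"system_ip": "10.1.0.2",   "site_id": 101, "hostname": "vedge-hq-2", "role": "vedge"},
 {"system_ip": "10.255.0.1", "site_id": 1,   "hostname": "vsmart-1",   "role": "vsmart"},
 {"system_ip": "10.255.0.9", "site_id": 1,   "hostname": "vsmart-1",   "role": "vsmart"}
]"""


def index_peers(raw):
    """Index a JSON peer export by system IP for field-by-field comparison."""
    return {p["system_ip"]: p for p in json.loads(raw)}


def diff_peers(baseline_raw, current_raw):
    """Return findings for peers added, removed or altered relative to the baseline."""
    base, cur = index_peers(baseline_raw), index_peers(current_raw)
    known_hosts = {p["hostname"] for p in base.values()}
    findings = []
    for ip in sorted(cur.keys() - base.keys()):
        peer = cur[ip]
        # A new system IP reusing an existing hostname is a blend-in attempt worth flagging.
        findings.append({"kind": "ADDED", "system_ip": ip,
                         "severity": "HIGH" if peer["role"] in CONTROL_ROLES else "MEDIUM",
                         "detail": {**peer, "hostname_collision": peer["hostname"] in known_hosts}})
    for ip in sorted(base.keys() - cur.keys()):
        findings.append({"kind": "REMOVED", "system_ip": ip, "severity": "LOW", "detail": base[ip]})
    for ip in sorted(base.keys() & cur.keys()):
        changed = {k: (base[ip].get(k), cur[ip].get(k))
                   for k in base[ip].keys() | cur[ip].keys() if base[ip].get(k) != cur[ip].get(k)}
        if changed:
            findings.append({"kind": "CHANGED", "system_ip": ip, "severity": "MEDIUM", "detail": changed})
    return findings
```

The baseline should come from a snapshot taken before the earliest suspected compromise date, which in this case the reporting places in 2023; a baseline captured after an intrusion will simply ratify the rogue peer.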