Cisco edge exploited
Cisco firewall and SD‑WAN flaws were actively exploited for up to three years — attackers used one of the bugs for a month before discovery, giving them persistent access to edge systems that gate payroll and customer data (x.com) and (x.com).
Cisco identified the exploited SD‑WAN authentication‑bypass as CVE‑2026‑20127, assigned a CVSS score of 10.0 and first published the advisory on Feb. 25, 2026. (sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk) The Cybersecurity and Infrastructure Security Agency issued Emergency Directive ED 26‑03 on Feb. 25, 2026, ordering Federal Civilian Executive Branch agencies to mitigate vulnerabilities in Cisco SD‑WAN systems. (cisa.gov/news-events/news/immediate-action-required-cisa-issues-emergency-directive-secure-cisco-sd-wan-systems) CISA added CVE‑2026‑20127 and CVE‑2022‑20775 to its Known Exploited Vulnerabilities catalog and released supplemental hunt‑and‑hardening guidance alongside the directive. (cisa.gov/news-events/alerts/2026/02/25/cisa-and-partners-release-guidance-ongoing-global-exploitation-cisco-sd-wan-systems)
Cisco published a bundled March 4 security update that included 25 advisories fixing 48 vulnerabilities across its Secure Firewall ASA, FMC and FTD products. (securityweek.com/cisco-patches-critical-vulnerabilities-in-enterprise-networking-products) Two of the patched firewall flaws were assigned the maximum CVSS 10.0 rating and affect Secure FMC with authentication‑bypass and remote‑code‑execution impacts, according to Cisco and subsequent coverage. (securityweek.com/cisco-patches-critical-vulnerabilities-in-enterprise-networking-products)
Reporting from vulnerability researchers and trade press states multiple SD‑WAN defects were abused in the wild over a multi‑year window, with at least one pair of zero‑day SD‑WAN flaws traced to exploitation spanning roughly three years. (cyberscoop.com/cisco-firewall-sd-wan-vulnerabilities-exploited) Separately, security firms reported a critical Cisco firewall vulnerability was used by the Interlock ransomware gang weeks before public disclosure in late January 2026. (securityweek.com/cisco-firewall-vulnerability-exploited-as-zero-day-in-interlock-ransomware-attacks)
Tenable’s analysis tied earlier ASA/FTD zero‑days (CVE‑2025‑20333 and CVE‑2025‑20362) to the threat actor UAT4356 (aka Storm‑1849), and Unit 42 warned those bugs enabled arbitrary code execution and implanting persistent malware on affected devices. (tenable.com/blog/cve-2025-20333-cve-2025-20362-faq-cisco-asa-ftd-zero-days-uat4356) (unit42.paloaltonetworks.com/zero-day-vulnerabilities-affect-cisco-software)
FedRAMP required providers to apply Cisco‑provided updates for the ED‑listed CVEs by 5:00 PM ET on Feb. 27, 2026, while CISA’s Supplemental Direction ED 26‑03 lays out specific hunt and hardening steps for SD‑WAN controllers. (fedramp.gov/notices/0006/) (cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems)