NCSC Alert: Cisco SD-WAN Exploited Globally
Summary
The UK's NCSC, along with international partners, has issued an alert regarding the exploitation of Cisco Catalyst SD-WAN devices. Threat actors are gaining root and persistent access, and organizations are urged to investigate potential compromises and apply security updates.
What changed
Multiple international cybersecurity agencies, including the UK's NCSC, have identified a global campaign targeting Cisco Catalyst SD-WAN devices. Threat actors are exploiting vulnerabilities to achieve root access and maintain persistent presence within affected networks. A joint 'Hunt Guide' has been released detailing the tactics, techniques, and procedures used by these actors, alongside advisories from Cisco detailing software updates for affected managers and controllers.
Organizations employing Cisco Catalyst SD-WAN, particularly those with management interfaces exposed to the internet, are strongly urged to perform immediate threat hunting, collect forensic artifacts if compromise is suspected, and apply the latest software updates and hardening guidance. Failure to do so could result in significant network compromise and data breaches. While no specific compliance deadline is stated, the urgency of the threat necessitates immediate action to mitigate risks.
What to do next
- Perform threat hunting for evidence of compromise using the provided Hunt Guide.
- Update Cisco Catalyst SD-WAN Manager and Controller to the latest fixed versions.
- Apply Cisco Catalyst SD-WAN Hardening Guide recommendations, including network perimeter controls and access restrictions.
Source document (simplified)
Exploitation of Cisco Catalyst SD-WAN
Agencies strongly encourage immediate investigation of potential compromise of Cisco Catalyst SD-WAN, and full updating and hardening.
What has happened?
Malicious cyber threat actors are targeting Cisco Catalyst Software Defined Wide Area Networks (SD-WAN) used by organisations globally. These actors are compromising SD-WANs to add a malicious rogue peer and then conduct a range of follow-on actions to achieve root access and maintain persistent access to the SD-WAN.
This cluster of cyber threat activity has targeted organisations using Cisco Catalyst SD-WANs globally. A Hunt Guide has been prepared based on observations from various investigations which details tactics, techniques, and procedures (TTPs) leveraged by these malicious actors. The Hunt Guide aims to support network defenders to conduct detection and threat hunting activities and provides mitigation guidance to reduce the risk from the observed TTPs.
The Hunt Guide is being released by the following authoring and co-sealing agencies:
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- Canadian Centre for Cyber Security (Cyber Centre)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- United Kingdom National Cyber Security Centre (NCSC-UK)
- United States Cybersecurity and Infrastructure Security Agency (CISA)
- United States National Security Agency (NSA)
Cisco has released software updates for Cisco Catalyst SD-WAN Manager and Cisco Catalyst SD-WAN Controller.
Who is affected?
Organisations employing Cisco Catalyst SD-WAN should follow the priority actions detailed below.
Cisco Catalyst SD-WANs that have management interfaces exposed to the internet are at the greatest risk of compromise. Management interfaces must never be exposed to the internet.
What should I do?
The authoring agencies strongly urge network defenders to follow these priority actions:
- Perform threat hunting for evidence of compromise detailed in the Hunt Guide.
- If you believe you have been compromised, collect artefacts from the device and, if you are in the UK, report it to the NCSC.
- Update to the appropriate fixed latest version of Cisco Catalyst SD-WAN Manager and Cisco Catalyst SD-WAN Controller as detailed in their respective advisories.
- Apply the Cisco Catalyst SD-WAN Hardening Guide.
- Perform continuous threat hunting activities.
To reduce the risks to your networks, review the Cisco Catalyst SD-WAN Hardening Guide in full and take appropriate action, including but not limited to the following:
- Network perimeter controls
  - ensure control components are behind a firewall
  - isolate VPN 512 interfaces
  - use IP blocks for manually provisioned edge IPs
- SD-WAN manager access
  - replace the self-signed certificate for the web user interface
- Control and data plane security
  - use pairwise keying
- Session timeout
  - limit to the shortest period possible
- Logging
  - forward to a remote syslog server
Any mitigation or eviction measures listed within are subject to change as new information becomes available and ongoing coordinated operations dictate. Network defenders should ensure any actions taken in response to the Hunt Guide are compliant with local laws and regulations within the jurisdictions within which they operate.
Further resources
- Cisco Catalyst SD-WAN hardening guide
- ASD’s ACSC’s Cisco SD-WAN Threat Hunt Guide co-sealed by NSA, CISA, CCCS, NCSC-NZ and NCSC-UK
- CISA's Known Exploited Vulnerabilities catalog
NCSC resources to help secure systems: Follow NCSC guidance including vulnerability management and preventing lateral movement.
If your organisation is in the UK, you can sign up to the free NCSC Early Warning service to receive notifications of potential cyber threats on your network. If you are already an Early Warning user, please check your MyNCSC portal.
The NCSC Vulnerability Disclosure Toolkit helps organisations of all sizes with the essential components of implementing a vulnerability disclosure process.
Published: 25 February 2026
News type: Alert