
Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems


Summary

CISA issued Emergency Directive 26-03 requiring all Federal Civilian Executive Branch agencies to immediately inventory, patch, and harden Cisco SD-WAN systems against active exploitation by malicious cyber threat actors. The directive specifically addresses CVE-2026-20127 and CVE-2022-20775 vulnerabilities that pose an unacceptable risk to federal networks. CISA will monitor agency compliance and provide technical assistance as agencies implement the required actions.

“CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require immediate action.”

CISA, verbatim from source

Why this matters

Federal civilian agencies operating Cisco SD-WAN infrastructure should treat ED 26-03 as a binding compliance obligation with immediate effect. Network teams should verify whether their SD-WAN deployments are in-scope for the inventory requirement, collect required artifacts before patching to preserve forensic data, and cross-reference their systems against the two specific CVEs cited. The joint international guidance from Five Eyes partners indicates this threat activity is ongoing at scale, not isolated to a single federal network.

AI-drafted from the source document, validated against GovPing's analyst note standards. For the primary regulatory language, read the source document.
Published by CISA on cisa.gov. Detected, standardized, and enriched by GovPing.

What changed

CISA issued Emergency Directive 26-03 directing all Federal Civilian Executive Branch agencies to take immediate action to secure Cisco SD-WAN systems against known vulnerabilities. The directive mandates five required actions: inventory all in-scope systems, collect virtual snapshots and logs, patch for specific CVEs, hunt for compromise indicators, and implement Cisco's hardening guide.

Federal civilian agencies must treat this directive as a binding compliance obligation. Network defenders should coordinate with international partners including NSA, Australian ACSC, Canadian Cyber Centre, New Zealand's NCSC-NZ, and the UK's NCSC-UK, who co-authored related threat hunt guidance. CISA will actively monitor compliance, and agencies should expect technical assistance requests to be processed accordingly.

What to do next

  1. Inventory all in-scope Cisco SD-WAN systems
  2. Collect artifacts including virtual snapshots and logs of SD-WAN systems
  3. Patch Cisco SD-WAN systems including for CVE-2026-20127 and CVE-2022-20775
  4. Hunt for evidence of compromise
  5. Implement hardening measures as outlined in Cisco's Catalyst SD-WAN Hardening Guide

Archived snapshot

Apr 20, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Press Release

Immediate Action Required: CISA Issues Emergency Directive to Secure Cisco SD-WAN Systems

Malicious Cyber Threat Actors Threaten Federal Networks

Released February 25, 2026

Related topics: Cybersecurity Best Practices

WASHINGTON — The Cybersecurity and Infrastructure Security Agency (CISA) today issued Emergency Directive (ED) 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems and Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems, in response to a significant cyber threat targeting federal networks utilizing certain Cisco systems and software. CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require immediate action.

“CISA remains unwavering in its commitment to protect our federal networks from malicious cyber threat actors despite the multi-week government shutdown of the Department of Homeland Security (DHS),” said CISA Acting Director Dr. Madhu Gottumukkala. “Operational disruptions create strain and uncertainty, give our adversaries unnecessary advantages, and force our frontline cybersecurity experts to carry out critical work without pay. Based on collaboration with international partners and CISA’s forensic analysis, the ease with which these vulnerabilities can be exploited demands immediate action from all federal agencies. We urge all entities to implement the measures outlined in this Emergency Directive without delay. CISA leadership and all (excepted) staff remain committed to fulfilling our mission while protecting the American people.”

In response to this threat, CISA released an Alert along with joint guidance, Cisco SD-WAN Threat Hunt Guide, based on investigative data, to support network defenders’ detection of and response to the malicious actors’ threat activity. Authoring agencies include:

  • United States National Security Agency (NSA)
  • United States Cybersecurity and Infrastructure Security Agency (CISA)
  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
  • Canadian Centre for Cyber Security (Cyber Centre)
  • New Zealand National Cyber Security Centre (NCSC-NZ)
  • United Kingdom National Cyber Security Centre (NCSC-UK)

CISA and the authoring organizations strongly urge network defenders to immediately:

1) Inventory: all in-scope Cisco SD-WAN systems.

2) Collect artifacts: including virtual snapshots and logs of SD-WAN systems.

3) Patch: Cisco SD-WAN systems, including for CVE-2026-20127 and CVE-2022-20775.

4) Hunt: for evidence of compromise.

5) Implement: as outlined in Cisco’s Catalyst SD-WAN Hardening Guide and review their blog.

As agencies implement these requirements, CISA will monitor compliance, provide technical assistance, and deliver additional resources as needed. This directive underscores CISA’s commitment to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian networks.

For required actions and implementation details, review Emergency Directive 26-03 on https://www.cisa.gov/news-events/directives.

About CISA

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.


Named provisions

Mitigate Vulnerabilities in Cisco SD-WAN Systems


About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free.

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CISA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: CISA
Published: February 25th, 2026
Instrument: Rule
Branch: Executive
Joint with: NSA, ASD's ACSC, Cyber Centre, NCSC-NZ, NCSC-UK
Legal weight: Binding
Stage: Final
Change scope: Substantive
Document ID: ED 26-03

Who this affects

Applies to: Government agencies
Industry sector: 9211 Government & Public Administration
Activity scope: Network vulnerability remediation, Incident response, Patch management
Geographic scope: United States (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Data Privacy, Telecommunications
