A vulnerability carrying the highest possible severity score – tracked as CVE-2025-20188 – is being actively exploited in Cisco SD-WAN controllers, the systems that govern how traffic flows across some of the largest enterprise and government networks in the country. In late May 2026, the Cybersecurity and Infrastructure Security Agency responded by issuing Emergency Directive 26-03, a binding legal order that compels every federal civilian agency to patch or isolate affected equipment on a compressed timeline. CISA followed that with supplemental guidance directing agencies to actively hunt for signs that attackers have already gained a foothold.
Emergency directives are among the most forceful tools in CISA’s arsenal. The agency issues them sparingly, reserving them for situations where exploitation is confirmed and normal patch cycles are too slow to contain the damage. That ED 26-03 landed alongside a parallel emergency notice from FedRAMP, the program that authorizes cloud products for government use, signals that the threat extends well beyond individual agency data centers and into the cloud infrastructure that supports federal operations.
Why a CVSS 10.0 matters here
The Common Vulnerability Scoring System tops out at 10.0, and under CVSS v3.1 only one base vector reaches that ceiling: the flaw is exploitable over the network, has low attack complexity, requires no privileges and no user interaction, crosses a security boundary (changed scope), and has high confidentiality, integrity, and availability impact. In practical terms, an attacker who can reach a vulnerable Cisco SD-WAN controller over the network can gain full administrative access without a username, password, or any action from a legitimate user.
That access is not limited to a single router or branch office. SD-WAN controllers function as the central brain of a software-defined wide-area network. They dictate how traffic is routed between headquarters, branch locations, data centers, and cloud environments. An attacker with admin-level control of the controller can redirect data flows, intercept communications, push malicious configuration changes to every edge device the controller manages, and potentially maintain persistent access even after individual endpoints are cleaned up.
For organizations unfamiliar with the term, SD-WAN is the software-defined alternative to buying dedicated private circuits between offices. It uses software to route traffic intelligently across whatever transport is available: commodity internet connections, MPLS links, or both. The controller is the piece that makes routing decisions for the entire network, which is exactly why compromising it gives an attacker outsized leverage.
What CISA is ordering and why
ED 26-03 lays out two tracks. The first is immediate remediation: agencies must apply Cisco’s patches or, where patching is not yet possible, isolate vulnerable controllers from the internet and from untrusted network segments. The directive sets tight reporting deadlines, and the language makes clear that noncompliance is a violation of federal cybersecurity policy with potential consequences for agency leadership.
The second track is the supplemental hunting and hardening guidance. CISA is telling agencies not to assume that patching alone resolves the problem. Defenders are directed to search their Cisco SD-WAN infrastructure for indicators of compromise, review access control lists, rotate administrative credentials, and lock down management interfaces so they are reachable only from trusted networks. The two-stage approach reflects a concern that attackers may have exploited the flaw before the directive was issued and could retain access through persistence mechanisms that survive a straightforward software update.
FedRAMP’s notice extends those obligations to cloud service providers holding federal authorizations. Providers that rely on Cisco SD-WAN infrastructure to deliver services to government customers must now demonstrate that they have patched, hunted, and hardened on the same accelerated schedule. FedRAMP does not issue emergency notices for every CISA advisory; the dedicated publication for ED 26-03 confirms that the vulnerability has direct implications for the government’s cloud supply chain.
What is still unclear
CISA has confirmed active exploitation, noting in the directive that the vulnerability has been added to its Known Exploited Vulnerabilities (KEV) catalog, which obligates federal agencies to remediate within the timelines specified by Binding Operational Directive 22-01. However, the agency has not disclosed how many organizations have been compromised, which sectors have been hit, or whether the activity is linked to a known threat group. That gap leaves defenders outside the federal government estimating their own risk based on the severity score and the emergency classification rather than on detailed threat intelligence.
Cisco’s public patch guidance and the specific software versions affected have not been fully detailed in the directive documents themselves. SD-WAN deployments often span dozens or hundreds of sites, and upgrading controller software in production environments typically requires maintenance windows, testing, and coordination that can stretch over weeks. Organizations running Cisco SD-WAN should treat all controllers as potentially vulnerable until they can verify their software version against Cisco’s own security advisory.
There is also no public timeline for how long adversaries may have had access before CISA acted. If the vulnerability was weaponized weeks or months earlier, attackers could have established footholds that patching alone will not remove. That possibility is precisely why the supplemental guidance emphasizes active threat hunting rather than treating the patch as a finish line.
What private-sector teams should do now
The directive binds federal civilian agencies, but the underlying risk applies to any organization running Cisco SD-WAN controllers. CISA’s supplemental guidance provides a framework that private-sector network teams can adopt directly:
- Inventory every Cisco SD-WAN controller in the environment and verify its software version against Cisco’s published advisory.
- Restrict management interfaces so they are not reachable from the public internet or from untrusted network segments.
- Rotate all administrative credentials on SD-WAN controllers and any systems that share those credentials.
- Review logs and configurations for anomalous changes, unexpected admin accounts, or unfamiliar API calls to the controller.
- Patch immediately where possible; isolate where patching requires a longer maintenance window.
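One way to turn the inventory, management-plane exposure and log-review items above into a repeatable check, as an added Python example that is not Cisco tooling and not part of CISA’s guidance. The trusted management networks, the approved administrator accounts, the controller inventory and the audit-log format are all constructed and hypothetical; in practice you would feed the script your real inventory and your controllers’ own audit export.

```python
"""Triage helper for the SD-WAN checklist: flag controllers whose management
interface sits outside the trusted management networks, and review controller
audit-log lines for unexpected admin accounts, unapproved actors and
management activity from untrusted sources.

Example code only. Inventory, trusted networks, approved admins and the log
format are constructed for the example, not taken from any vendor or directive.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical trusted management networks; replace with your own.
TRUSTED_MGMT_NETS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Hypothetical set of sanctioned controller administrator accounts.
APPROVED_ADMINS = {"netops", "breakglass"}

# Constructed inventory: (controller name, management-interface IP).
INVENTORY = [
    ("sdwan-ctrl-01", "10.10.0.5"),
    ("sdwan-ctrl-02", "10.10.0.6"),
    ("sdwan-ctrl-03", "203.0.113.20"),  # management IP on a public range
]

# Constructed audit-log lines in a hypothetical format:
#   <timestamp> <controller> <event> key=value ...
SAMPLE_LOG = """\
2026-06-01T02:10:11Z sdwan-ctrl-01 LOGIN user=netops src=10.10.0.40
2026-06-01T02:11:02Z sdwan-ctrl-01 USER_CREATE user=netops src=10.10.0.40 new_user=svc-backup role=admin
2026-06-01T03:40:55Z sdwan-ctrl-01 API_CALL user=svc-backup src=198.51.100.7 path=/api/policy
2026-06-01T03:41:10Z sdwan-ctrl-02 CONFIG_PUSH user=svc-backup src=198.51.100.7 target=all-edges
2026-06-01T04:00:00Z sdwan-ctrl-01 LOGIN user=breakglass src=10.10.0.41
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s*(?P<kv>.*)$")


@dataclass
class Event:
    ts: str
    host: str
    event: str
    fields: dict


@dataclass
class Finding:
    ts: str
    host: str
    kind: str
    detail: str


def in_trusted(ip: str, nets=TRUSTED_MGMT_NETS) -> bool:
    """True if the address falls inside one of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable address is treated as untrusted
    return any(addr in net for net in nets)


def exposed_controllers(inventory=INVENTORY, nets=TRUSTED_MGMT_NETS):
    """Names of controllers whose management interface is outside the trusted networks."""
    return [name for name, mgmt_ip in inventory if not in_trusted(mgmt_ip, nets)]


def parse_line(line: str):
    """Parse one audit line into an Event, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return Event(m.group("ts"), m.group("host"), m.group("event"), fields)


def review_audit_log(log_text=SAMPLE_LOG, nets=TRUSTED_MGMT_NETS, approved=APPROVED_ADMINS):
    """Findings for untrusted sources, unapproved actors and newly created admin accounts."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or "user" not in ev.fields or "src" not in ev.fields:
            continue  # malformed line: skip it rather than abort the whole review
        actor, src = ev.fields["user"], ev.fields["src"]
        if not in_trusted(src, nets):
            findings.append(Finding(ev.ts, ev.host, "untrusted-source", f"{ev.event} by {actor} from {src}"))
        if actor not in approved:
            findings.append(Finding(ev.ts, ev.host, "unapproved-actor", f"{ev.event} by {actor}"))
        new_user = ev.fields.get("new_user")
        if ev.event == "USER_CREATE" and new_user not in approved:
            findings.append(Finding(ev.ts, ev.host, "unexpected-admin", f"{actor} created {new_user}"))
    return findings


if __name__ == "__main__":
    for name in exposed_controllers():
        print(f"[exposed] {name}: management interface outside trusted networks")
    for f in review_audit_log():
        print(f"[{f.kind}] {f.ts} {f.host}: {f.detail}")
```

On the constructed input the script flags one controller with a publicly routed management address and five log findings: the creation of an account that is not on the approved list, and the subsequent API call and configuration push that account made from an address outside the trusted ranges. The two checklist items it does not cover, version verification and credential rotation, depend on details in Cisco’s advisory that this page does not reproduce.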
Security leaders should also read the directive as a signal about where attackers are focusing. SD-WAN controllers are attractive because they offer centralized authority over distributed infrastructure. If threat actors are actively exploiting a maximum-severity flaw in this layer, similar orchestration platforms and network management tools are likely facing the same scrutiny. Treating this as an isolated Cisco problem would miss the broader pattern: control-plane systems are high-value targets, and defenders need to prioritize them accordingly.
A stress test for enterprise incident readiness
The coordinated response from CISA and FedRAMP also serves as a real-world benchmark for how quickly organizations can move when a critical flaw surfaces. How fast can your team inventory affected systems, apply mitigations, hunt for compromise, and report status to leadership or regulators? Agencies bound by ED 26-03 are answering that question under legal obligation as of June 2026. Every organization running complex network infrastructure should be asking itself the same thing before the next emergency directive, whether federal or industry-specific, arrives with their name on it.
This article was researched with the help of AI, with human editors creating the final content.