A coalition of cybersecurity agencies from the United States and Australia has confirmed that hackers exploited a critical vulnerability in Cisco SD-WAN appliances to infiltrate networks worldwide, with activity dating back to at least 2023. The campaign, tied to the flaw tracked as CVE-2026-20127, allowed attackers to introduce rogue devices into targeted networks, gain root-level access, and maintain a persistent foothold that went undetected for months or longer. The joint disclosure, released on February 25, 2026, represents one of the most significant coordinated warnings about network infrastructure compromise in recent years.
How Attackers Chained Two Flaws for Deep Access
The attack campaign did not rely on a single vulnerability. According to the U.S. National Security Agency, actors exploited vulnerabilities, notably CVE-2026-20127, in Cisco SD-WAN systems to introduce a rogue peer, gain authenticated access, and establish persistent long-term presence. That sequence of steps gave intruders the ability to operate inside compromised networks as though they were legitimate administrators, a level of access that is exceptionally difficult to detect through standard monitoring because it blends into expected management traffic and control-plane activity.
The attackers then reportedly chained this initial exploit with an older privilege-escalation bug. According to the National Vulnerability Database, CVE-2022-20775 is a Cisco SD-WAN path traversal vulnerability that enables root access. The actor chain reportedly used this older flaw after downgrading the appliance software to a version still susceptible to it. CVE-2022-20775 already sits in CISA’s Known Exploited Vulnerabilities catalog, meaning defenders had prior warning about the risk. Yet the combination of a newer critical bug with a known older one created an attack path that many organizations apparently failed to anticipate or block, because traditional patch management does not always account for malicious downgrades or mixed-version clusters.
Rogue Peers and Silent Persistence
What makes this campaign particularly damaging is the post-exploitation tradecraft. According to the Australian Cyber Security Centre, the campaign involved post-exploitation steps including the introduction of a rogue peer, root access, and persistence mechanisms. A rogue peer, in the context of SD-WAN, means the attacker inserted a device or virtual node that the network treated as a trusted member of the infrastructure. From that position, the intruder could intercept traffic, manipulate routing, and move laterally without triggering conventional intrusion alerts, because the compromised device participated in legitimate overlay tunnels and control protocols.
The persistence element is equally concerning. SD-WAN appliances sit at the boundary between branch offices and centralized data centers, handling encrypted tunnels and traffic prioritization for entire enterprise networks. An attacker with root access and a persistent implant on such a device could quietly siphon data, redirect communications, or prepare for a larger disruption over an extended period. The fact that this activity stretched back to at least 2023 suggests that some victims may have been compromised for years before detection, giving adversaries ample time to map internal infrastructure, harvest credentials, and potentially pivot into sensitive business systems or operational technology environments.
Coordinated Government Response and Hunt Guidance
The scale of the threat prompted an unusually broad government response. CISA and partner agencies released detailed guidance on the ongoing exploitation of Cisco SD-WAN systems, emphasizing that the campaign is global in scope and affects both public and private networks. The NSA confirmed it joined ASD’s ACSC and other agencies to co-release both a cybersecurity alert and a related Hunt Guide specifically designed to help network defenders identify signs of compromise. That Hunt Guide, as referenced in the Australian advisory, directs defenders to Cisco security advisories, analysis from Cisco Talos, and additional vendor resources that outline affected product versions, configuration checks, and recommended hardening steps.
The Australian alert also provides an official mitigation checklist for affected organizations, including verification of control-plane peers, review of management access, and inspection of appliance integrity. Remediation for CVE-2022-20775 ties to CISA Emergency Directive 26-03, according to the National Vulnerability Database, and includes hunt and hardening guidance that U.S. federal agencies are required to follow. The directive signals that federal networks are being ordered to act, not merely advised, reflecting the perceived severity of the threat. For private-sector organizations running Cisco SD-WAN gear, the implication is clear: the same threat actors who targeted government and critical infrastructure networks had equal opportunity to compromise commercial deployments, managed service environments, and cloud-connected branch sites.
Why Legacy SD-WAN Gear Remains a Blind Spot
Most coverage of this campaign will focus on the specific CVEs involved, but the deeper problem is structural. SD-WAN appliances are often deployed at the network edge, managed by small IT teams at branch locations, and updated less frequently than servers or endpoints that sit in centralized data centers. When attackers can downgrade firmware to reintroduce a years-old vulnerability like CVE-2022-20775, they effectively turn the patching timeline against defenders. An organization might have applied every available update to its current software version and still be vulnerable if the attacker can force a rollback, especially in environments where legacy images remain accessible on internal repositories or where change control processes are loosely enforced.
This chaining technique, combining a new critical flaw with a previously patched older one through firmware manipulation, challenges the conventional assumption that patching a known vulnerability eliminates the risk. It does not, if an attacker with sufficient access can reverse the fix. The campaign should prompt security teams to audit not just whether their appliances are running current firmware, but whether downgrade protections and boot integrity checks are actually enforced through secure boot, signed images, and restricted administrative workflows. Without those controls, a patched device is only as secure as its oldest exploitable version, and adversaries can selectively regress specific nodes to vulnerable builds while leaving others on current code to avoid drawing attention.
Competing Accounts on the Primary Vulnerability
One point of tension in the official disclosures deserves attention. The Australian Cyber Security Centre’s alert ties the campaign directly to CVE-2026-20127 as the critical issue that enabled attackers to introduce rogue peers and gain authenticated access to Cisco SD-WAN environments. By contrast, the National Vulnerability Database entry for CVE-2022-20775 describes a path traversal flaw that becomes part of the actor’s chain only after the appliance software is downgraded to a vulnerable version. The NSA’s public statement highlights CVE-2026-20127 as a notable exploited vulnerability but does not provide exhaustive detail on every step in the intrusion chain, leaving room for interpretation about the relative weight of each flaw in different victim environments.
Rather than viewing these accounts as contradictory, defenders should treat them as complementary perspectives on a multi-stage intrusion. CVE-2026-20127 appears to function as the initial access vector that allows attackers to insert a rogue peer and obtain the level of control needed to manipulate software versions. CVE-2022-20775 then serves as a powerful escalation mechanism once that downgrade occurs, providing root access and enabling the installation of persistent tooling. The nuance in the public reporting underscores a broader lesson: modern infrastructure compromises rarely hinge on a single bug. Instead, they rely on chains of weaknesses, some newly discovered, some long known, that interact with operational gaps in patch management, configuration control, and monitoring.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
