Morning Overview

Cisco’s SD-WAN flaw scores a perfect 10.0 on CVSS — CISA added it to the exploited vulnerabilities list today

A vulnerability in Cisco’s SD-WAN platform just earned the worst score possible: a perfect 10.0 out of 10.0 on the Common Vulnerability Scoring System. Attackers are already exploiting it. And as of June 2026, every federal civilian agency in the United States has been ordered to drop what it’s doing and patch.

The Cybersecurity and Infrastructure Security Agency published Emergency Directive 26-03 in May 2026, a binding order that compels federal agencies to identify vulnerable systems, preserve logs, apply Cisco’s software updates, and follow supplemental threat-hunting guidance the agency released alongside the directive. CISA also added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, a listing reserved for flaws with evidence of real-world exploitation. The KEV catalog indexes entries by CVE identifier, but the specific CVE number for this vulnerability has not yet been named in the publicly accessible government notices.

FedRAMP, the federal cloud authorization program run by the General Services Administration, followed with its own notice extending the same obligations to every cloud service provider operating under federal authorization. The program’s language left no room for ambiguity: “This is a real emergency.”

Why a 10.0 matters more here than usual

A CVSS score of 10.0 is the highest the scoring system allows. It means the flaw is reachable over the network, is not hard to trigger, requires neither privileges nor user interaction, has the highest possible impact on confidentiality, integrity and availability, and its impact extends beyond the vulnerable component into other systems. That alone would be serious in any product. In SD-WAN infrastructure, it is especially dangerous.

SD-WAN platforms act as the central nervous system for modern enterprise networks. They route traffic between branch offices, data centers, and cloud workloads, deciding how data moves across an organization. An attacker who owns the SD-WAN layer can see virtually everything crossing the network, redirect traffic, intercept data in transit, or shut down connectivity entirely. For federal civilian agencies, that could mean exposure of sensitive data such as controlled unclassified information, disruption of critical services, or a persistent foothold that survives endpoint-level remediation because it lives in the network gear rather than on any host.

Cisco’s SD-WAN products are widely deployed across government and the private sector. While exact figures on federal adoption have not been published, Cisco has historically held a dominant share of U.S. government networking contracts, making the blast radius of this vulnerability potentially enormous.

What the directive requires

Emergency Directive 26-03 targets federal civilian executive branch agencies and the cloud providers that serve them. The required actions break down into four steps, each with a compliance timeline:

  • Inventory: Identify every Cisco SD-WAN system in the environment, including instances that may be managed by third parties or embedded in shared-service platforms.
  • Log preservation: Collect and retain relevant logs so investigators can reconstruct attacker activity if a compromise is discovered later.
  • Patching: Apply the latest Cisco software updates to close the vulnerability.
  • Threat hunting: Follow CISA’s supplemental guidance to actively search for signs that attackers have already gained access.

For FedRAMP-authorized cloud providers, the notice ties ongoing authorization to timely compliance. Providers that fail to act risk findings during FedRAMP assessments, with potential consequences for their standing in the federal marketplace. They must also coordinate with federal customers to clarify who is responsible for each step under shared responsibility models.

CISA reserves the emergency directive mechanism for threats that pose an immediate, serious risk to federal information systems. The agency has issued only a handful of these orders in any given year, which underscores how seriously it views this particular flaw.

What we still don’t know

Despite the urgency of the directive, several critical details remain missing from the public record.

The specific CVE identifier tied to this vulnerability has not been named in the FedRAMP notice or the publicly accessible portions of the CISA directive page. Without a CVE number, security teams at non-federal organizations cannot easily cross-reference their own vulnerability scanners or confirm whether their particular Cisco SD-WAN version is affected. CISA’s KEV catalog typically lists each vulnerability by its CVE identifier, so the catalog entry, once fully public, should provide that reference point.

Cisco has not issued a public statement, at least not one referenced in the government notices, detailing which product versions carry the flaw, what the attack vector looks like in practice, or whether the available patches fully resolve the issue. That gap is significant because many enterprises run older SD-WAN firmware that may require staged upgrades before a patch can be applied. The directive says to “apply Cisco updates,” but the practical difficulty of doing so varies widely depending on hardware generation and deployment architecture.

CISA has also not disclosed how many systems have been compromised, which threat actors are behind the exploitation, or whether the attacks are targeting specific sectors. Attribution and scope details often emerge weeks or months after an initial directive, if they become public at all.

What private-sector organizations should do now

The directive is legally binding only for federal agencies and FedRAMP-authorized providers. But any organization running Cisco SD-WAN should treat this as a fire alarm, not background noise.

A 10.0 CVSS score with confirmed active exploitation means attackers have a reliable, unauthenticated path to full system control. Waiting for a CVE number or a Cisco advisory before acting is a gamble. Organizations outside the federal ecosystem should begin inventorying their Cisco SD-WAN deployments immediately, monitor Cisco’s security advisory page for updates, and, as an interim measure, restrict reachability of SD-WAN management interfaces: confirm they are not exposed to the internet, and limit access to an allowlist of management hosts or a dedicated management network.

Increasing monitoring on network segments that touch SD-WAN infrastructure is also prudent. If attackers are already inside, the signs are more likely to appear in traffic anomalies and unexpected configuration changes than in endpoint alerts, so configurations should be compared against a trusted baseline, and logs should be shipped off the devices to a collector the devices themselves cannot modify, since an attacker who controls the routing layer can edit what it reports. Security teams should also rehearse incident response plans that assume a successful compromise of routing infrastructure, a scenario many organizations have never specifically planned for.
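As an added illustration of the configuration-change monitoring suggested above (example code written for this page, not a Cisco or CISA tool), the script below hashes each device's configuration against a trusted baseline snapshot, lists the lines that were added or removed, and flags changes that touch routes, management access or credentials. The device names, addresses, configuration syntax and keyword watchlist are all constructed for the example and are generic rather than Cisco SD-WAN syntax; in a real deployment the snapshots would come from the controller's configuration export, which this example does not attempt.

```python
"""Detect configuration drift on network devices against a trusted baseline.

Added example for this page; not code from Cisco, CISA or the article.
The configurations below are constructed samples with made-up hostnames and
addresses, in a generic syntax rather than any vendor's real CLI.
"""
import difflib
import hashlib
from dataclasses import dataclass, field

# Constructed sample: baseline captured after the last authorised change window.
BASELINE = {
    "branch-rtr-01": """\
hostname branch-rtr-01
interface wan0
 ip address 198.51.100.2/30
ip route 10.20.0.0/16 via 198.51.100.1
management allow 10.0.5.0/24
snmp community readonly-cfg
""",
    "branch-rtr-02": """\
hostname branch-rtr-02
interface wan0
 ip address 198.51.100.6/30
ip route 10.30.0.0/16 via 198.51.100.5
management allow 10.0.5.0/24
""",
}

# Constructed sample: a fresh snapshot in which branch-rtr-01 has been altered
# (a route redirected to an unknown next hop, management opened to the world).
SNAPSHOT = {
    "branch-rtr-01": """\
hostname branch-rtr-01
interface wan0
 ip address 198.51.100.2/30
ip route 10.20.0.0/16 via 203.0.113.9
management allow 0.0.0.0/0
snmp community readonly-cfg
""",
    "branch-rtr-02": BASELINE["branch-rtr-02"],
}

# Constructed watchlist (hypothetical): changes touching these warrant escalation.
HIGH_RISK_KEYWORDS = ("management allow", "ip route", "snmp", "user", "password")


@dataclass
class DriftReport:
    device: str
    baseline_sha256: str
    current_sha256: str
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)

    @property
    def drifted(self) -> bool:
        # Any byte-level difference, or a missing device, counts as drift.
        return self.baseline_sha256 != self.current_sha256


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def diff_config(device: str, baseline: str, current: str) -> DriftReport:
    """Hash both copies; if they differ, collect added/removed config lines."""
    report = DriftReport(device, sha256_text(baseline), sha256_text(current))
    if not report.drifted:
        return report
    for line in difflib.unified_diff(
        baseline.splitlines(), current.splitlines(), lineterm="", n=0
    ):
        # Skip the '---'/'+++' file headers and '@@' hunk headers.
        if line.startswith("+") and not line.startswith("+++"):
            report.added.append(line[1:])
        elif line.startswith("-") and not line.startswith("---"):
            report.removed.append(line[1:])
    return report


def high_risk_changes(report: DriftReport) -> list:
    """Return changed lines that match the watchlist."""
    return [
        line for line in report.added + report.removed
        if any(keyword in line for keyword in HIGH_RISK_KEYWORDS)
    ]


def check_fleet(baseline: dict, current: dict) -> dict:
    """Return {device: DriftReport} for every baselined device.

    A device present in the baseline but absent from the snapshot is reported
    with current_sha256 == "MISSING": a device that stops answering is itself
    a signal worth investigating.
    """
    reports = {}
    for device, base_cfg in baseline.items():
        cur_cfg = current.get(device)
        if cur_cfg is None:
            reports[device] = DriftReport(device, sha256_text(base_cfg), "MISSING")
        else:
            reports[device] = diff_config(device, base_cfg, cur_cfg)
    return reports


if __name__ == "__main__":
    for dev, rep in check_fleet(BASELINE, SNAPSHOT).items():
        print(f"{dev}: {'DRIFT' if rep.drifted else 'ok'}")
        for changed in high_risk_changes(rep):
            print(f"  high-risk change: {changed!r}")
```

The value is in where the baseline lives, not in the diff itself: the trusted copy and its hashes should be stored on a host the SD-WAN controller cannot write to, and the comparison run from there, otherwise an attacker who owns the device can simply rewrite the baseline along with the configuration.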

CISA’s supplemental hunting guidance, while written for federal environments, contains detection logic and hardening steps that are broadly applicable. Non-federal teams would benefit from reviewing it even before Cisco publishes its own detailed advisory.

Why this directive signals a shift in how Washington handles network-layer threats

Emergency directives have historically targeted endpoint software, email platforms, and identity systems. Issuing one for SD-WAN infrastructure reflects a growing recognition inside CISA that network-layer compromises are among the hardest to detect and the most damaging to recover from. An attacker embedded in routing infrastructure can persist through endpoint reimaging, evade EDR tools entirely, and manipulate traffic in ways that are invisible to application-layer monitoring.

The coordination between CISA and FedRAMP also sets a precedent. By extending the directive’s obligations to cloud providers through a parallel notice, the government is closing a gap that has existed in previous emergency directives, where cloud environments sometimes fell into a gray area between agency responsibility and provider responsibility. That clarity benefits both sides: agencies know their cloud partners are being held to the same standard, and providers have an unambiguous mandate they can use to justify emergency maintenance windows to their customers.

For now, the clock is ticking. Federal agencies and their cloud providers are working against hard deadlines with incomplete information, a familiar position in cybersecurity but one that carries unusually high stakes when the vulnerability in question sits at the foundation of the network itself.


*This article was researched with the help of AI, with human editors creating the final content.