Emergency CISA Directive Lands as DHS Shutdown Strains Cyber Operations

The U.S. cyber defense agency has ordered civilian agencies to immediately secure vulnerable Cisco SD-WAN systems, warning that actively exploited flaws pose an “unacceptable risk” to civilian government networks already strained by the prolonged Department of Homeland Security shutdown.
The Cybersecurity and Infrastructure Security Agency issued an emergency directive Wednesday after officials said threat actors are targeting some Cisco systems and software used across federal civilian branch agencies. The binding order requires agencies to inventory affected devices, collect forensic data, patch any known vulnerabilities and hunt for evidence of potential compromise.
The latest directive came amid a multi-week DHS shutdown that has placed additional strain on incident response and vulnerability management operations across the agency and its subdivisions. Acting CISA Director Madhu Gottumukkala said operational disruptions create uncertainty and give adversaries unnecessary advantages, even as some personnel continue mission-critical work without pay (see: CISA: DHS Funding Lapse Would Sideline Federal Cyber Staff).
Nick Andersen, executive assistant director for CISA’s cybersecurity division, said federal network defenders observed an unidentified threat actor actively exploiting the vulnerabilities and determined that waiting for the shutdown to end to release the guidance “was not an option.” He added that the agency will monitor compliance, offer technical assistance and issue additional guidance as needed to support efforts to mitigate the exploits across civilian networks.
The order requires agencies to patch the vulnerabilities – tracked as CVE-2026-20127 and CVE-2022-20775 – in Cisco SD-WAN deployments, which often serve as part of the infrastructure that provides connectivity between headquarters, regional offices, cloud workloads and remote operations. Officials also warned that successful exploitation of the newly discovered flaws could give threat actors a major foothold for persistence and lateral movement.
The directive requires agencies to inventory all Cisco SD-WAN systems and collect virtual snapshots and relevant log data before applying patches as part of an effort to preserve potential forensic evidence. CISA also tasked federal network defenders with conducting proactive threat hunting and implementing immediate hardening measures outlined in Cisco’s Catalyst SD-WAN guidance.
“The ease with which these vulnerabilities can be exploited demands immediate action from all federal agencies,” Gottumukkala said in a news release, adding that “CISA remains unwavering in its commitment to protect our federal networks from malicious cyberthreat actors despite the multi-week government shutdown.”
Security researchers noted that coordinated disclosures Wednesday from multiple government agencies focused on CVE-2026-20127, an authentication bypass vulnerability in Cisco’s Catalyst SD-WAN Controller that can ultimately grant full administrative access.
“What makes this vulnerability stand out, though, is reports of exploitation since 2023 as a zero-day,” Ryan Dewhurst, who leads proactive threat intelligence for cybersecurity firm watchTowr, said in a statement to Information Security Media Group. “Unfortunately, this means that for users of Cisco’s Catalyst SD-WAN Controller, patching will not be enough, regardless of speed. Cisco’s advice to fully rebuild and look for prior signs of intrusion should be taken seriously.”
