Connect with us

Critical Infrastructure Security

Governments issue warning over Cisco zero-day attacks dating back to 2023

Published

on

Authorities have issued urgent warnings regarding a prolonged global campaign exploiting zero-day vulnerabilities in Cisco network edge devices, with attacks dating back at least three years. The campaign, described as sophisticated and highly targeted, continues to pose a threat to critical infrastructure and high-value organizations worldwide.


Zero-Day Vulnerabilities Under Attack

The Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive Wednesday, alongside guidance from the Five Eyes intelligence alliance, alerting defenders to active exploitation of Cisco SD-WAN systems. The campaign represents the second wave of multiple zero-day attacks targeting Cisco edge technology since 2025, with both attack series remaining undetected for over a year before being publicly addressed.

The most recent zero-day, CVE-2026-20127, was confirmed as actively exploited in late 2025. Attackers reportedly used it to bypass authentication, followed by a software downgrade to an older vulnerable version (CVE-2022-20775) to escalate privileges. This technique allowed threat actors to gain full root access on targeted systems.

Douglas McKee, director of vulnerability intelligence at Rapid7, described the method as deliberate and highly structured, reflecting an advanced understanding of Cisco product versions and patch history. “This is not opportunistic scanning. This is structured tradecraft,” he said.


Sophisticated, Targeted Campaign

Cisco Talos researchers attribute the exploits to a threat actor cluster labeled UAT-8616, described as “highly sophisticated.” The attacks illustrate a continuing trend of targeting network edge devices to establish persistent access to sensitive networks.

Ben Harris, founder and CEO of watchTowr, emphasized the campaign’s surgical nature: attackers maintained long-term access for years without detection. The operation’s scope and precision align more with state-sponsored espionage than typical financially motivated cybercrime.


Emergency Mitigation and Guidance

CISA’s directive requires federal agencies to:

  • Inventory all vulnerable Cisco SD-WAN systems
  • Collect system logs
  • Apply the latest Cisco security updates
  • Hunt for signs of compromise
  • Follow Cisco’s guidance by the specified compliance deadline

Officials and Cisco have refrained from attributing the attacks to any specific nation-state or sharing details about affected organizations. A Cisco spokesperson urged all customers to upgrade software and follow the advisory recommendations promptly.

Some experts warn that patching alone may not be sufficient. Harris advised organizations to fully rebuild compromised systems and investigate prior intrusions to prevent lingering threats.


Implications for Cybersecurity

The campaign underscores the risks posed by long-standing vulnerabilities in critical network infrastructure and highlights the importance of continuous monitoring, rapid patch deployment, and proactive threat hunting.

CISA has added both CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities Catalog, signaling their significance for cybersecurity defenses.

Advertisement
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO