For decades, Cisco has positioned itself as a leader in network infrastructure. The company is one of the top providers of secure networking equipment that businesses and governments depend on. In recent months, that dominance is proving to be the company’s Achilles’ heel.
Since early 2026, security researchers have been tracking an ongoing series of attacks targeting vulnerabilities in Cisco SD-WAN. Those attacks appear to have impacted key government sites and critical infrastructure providers and have raised the anxiety level of authorities across the globe.
“Edge infrastructure remains one of the highest-value targets in enterprise security,” said Douglas McKee, director of vulnerability intelligence at Rapid7. “If you compromise SD-WAN or firewall management, you’re landing on policy, visibility, routing, segmentation, and, in many cases, administrative trust over a large swath of the environment.”
Cisco environments have become an increasingly important target by state-nexus and other top threat actors in recent years, due, in part, to the wide use of these tools in the most sensitive government and enterprise networks in the world.
During the 2024 campaign by China-nexus actor Salt Typhoon, the attacks leveraged access to Cisco devices to reach into major telecommunications providers.
Threats to critical sectors
The Cybersecurity and Infrastructure Security Agency in February issued an emergency directive warning that a threat actor was targeting an authentication bypass vulnerability, tracked as CVE-2026-20127, and a privilege-escalation flaw, tracked as CVE-2026-20775, in Cisco Catalyst SD-WAN systems.
Cisco Talos researchers in May said an authentication bypass vulnerability, tracked as CVE-2026-20182, was being targeted by a sophisticated threat actor tracked as UAT-8616.
Other threat actors chained together three vulnerabilities in Cisco Catalyst SD-WAN Manager, which allowed attackers to gain access to the device, Cisco Talos said. The chained vulnerabilities, CVE-2026-20133, CVE-2026-20122 and CVE-2026-20128, led to the release of web shells that allowed attackers to execute bash commands on a device.
Edge infrastructure remains one of the highest-value targets in enterprise security.

Douglas McKee
Director of vulnerability intelligence, Rapid7
Cisco products are frequently targeted due to their widespread use in government and enterprise networks, Jonathan Forest, a VP analyst at Gartner, said.
A software-defined wide-area network is a virtual technology used to connect various business locations, including cloud environments, data centers and branch locations. In an SD-WAN environment, users get a combination of efficient routing, security and load balancing.
Cisco Catalyst SD-WAN is often implemented in a customer’s own environment, which means customer security teams are largely responsible for patching their own software.
“The result can be delays in patching and vulnerabilities being exposed for an extended time, leaving it open for attackers,” said Forest.
Because Cisco products are so widely deployed, there’s a lot riding on their resilience and security.
“Due to that prevalence, their products often come under increased attack, since a single flaw can result in access to tons of downstream high-profile customers,” said TJ Sayers, senior director of threat intelligence at the Center for Internet Security.
Critical services
Hospitals and other healthcare facilities are highly dependent on technology provided by SD-WAN. They often rely upon distributed networks where a central hospital is connected to an off-site health clinic or data center, or use a cloud platform.
“When critical vulnerabilities emerge repeatedly in wide-area network infrastructure, it puts immense pressure on health sector IT security teams and the stakes are high,” Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center, told Cybersecurity Dive.
“If a cyberattack leverages an infrastructure flaw to cause a prolonged IT outage that disrupts emergency care, lab results, or medication management, care slows down, negatively impacting patient outcomes,” Weiss said.
Unauthorized peering
Mandiant, the incident response arm of Google Cloud, disclosed a March attack where a hacker exploited a zero-day vulnerability in Cisco Catalyst SD-WAN at a communications service provider to gain root-level access through a compromised administrative account. The vulnerability was later identified as CVE-2026-20245 and a patch was released.
Mandiant initially observed unauthorized peering connections to the service provider’s SD-WAN devices starting in late 2025, noting the possibility the hacker exploited CVE-2026-20127 or CVE-2026-20182, which had not been disclosed or patched at the time. It was later determined that the targeted device was not affected by either of the prior vulnerabilities.
Researchers said the March incident also involved unauthorized peering, which is the process of establishing a trusted digital connection between distinct network components, such as edge routers, regional hubs or central controllers. After gaining access, the hacker authenticated to the SD-WAN Manager and changed the password on the default administrator account.
Mandiant researchers said the hacker took numerous steps to cover up their forensic footprint, including deletion of all files created during the attack and restoring system configuration that were modified.
It is not immediately clear whether the hacker in the late 2025 incident and the March incident are the same.
“Mandiant suspected it might be a zero-day during its initial investigation, but deeper forensic analysis was required to confirm the exploit of a new flaw,” Pete Boonyakarn, senior cybersecurity consultant at Mandiant - Google Cloud, told Cybersecurity Dive.
When critical vulnerabilities emerge repeatedly in wide-area network infrastructure, it puts immense pressure on health sector IT security teams and the stakes are high.

Errol Weiss
CSO, Health ISAC
Highly targeted
The attacks against SD-WAN are not an entirely unique experience for Cisco, as the company’s networking and security products have been among the most targeted in recent years.
The Cybersecurity and Infrastructure Security Agency issued an emergency directive in September 2025 ordering federal civilian executive branch agencies to take immediate action to mitigate several vulnerabilities in Cisco devices.
The directive was linked to a sophisticated actor exploiting zero-day flaws in Cisco Adaptive Security Appliances and then further manipulating read-only memory to enable persistence that survived reboots. The same flaws were also discovered in Cisco Firepower devices.
At least 10 organizations globally had been compromised at the time of the disclosure, and that number was expected to increase over time.
The attacks were linked to a remote code execution flaw, tracked as CVE-2025-20333, and a privilege-escalation flaw tracked as CVE-2025-20362. The threat activity linked back to the Arcane Door campaign that began in early 2024.
The September incident drew the attention of Congress. In October 2025, Louisiana Sen. Bill Cassidy sent a letter to Cisco asking a list of specific questions about the potential impact on federal agencies and the larger public.
Cassidy, chair of the Senate Health, Education, Labor and Pensions Committee, said he was leading an investigation into the potential impact of cyber risk calling it a “grave national threat.”
“As the largest provider of network infrastructure in the world, Cisco holds a unique position in delivering not only to the federal government, but virtually all businesses,” Cassidy wrote in the letter.
Security governance
Despite its recent history of issues, Cisco is widely considered to be deliberate and thoughtful about the security of its products and the trust of its customers.
The company operates a Security and Trust Organization under the leadership of Chief Security and Trust Officer Anthony Grieco, according to the 2025 Cisco annual report. The company board of directors monitors cyber risk through an audit committee, and the committee meets with Grieco multiple times per year.
The board of directors and audit committee get more frequent updates in the event of cybersecurity incidents or threats. At the time the annual report was filed, Cisco did not believe its financial condition or operating results were materially impacted by cyber risk or any previously identified cyber issue.
Proactive measures
Cisco executives publicly acknowledged the rapidly changing threat landscape in recent years, and the company has programs designed to maintain the security of its product line.
“We have a red team that goes off and attacks our products proactively, trying to find vulnerabilities,” Grieco said during a panel discussion last month at the Cisco Live conference in Las Vegas.
However, Cisco executives understood they could not afford to rely on traditional measures to stop modern day threats. Cisco has recently embraced frontier AI models to push the boundaries of vulnerability scanning to a scope and scale the best human testers cannot achieve alone.
Cisco was a founding member of Project Glasswing and participated in private testing of Anthropic’s advanced Claude Mythos Preview.
Cisco used frontier AI to test 1.8 billion lines of code over a period of eight weeks, Grieco said in a June blog post. He noted the work would have taken the company’s security team about eight years to complete such a task.
Cisco officials understand that AI alone will not magically resolve all of their product vulnerabilities. Grieco said the company combined frontier LLMs with its own human-guided harness and was able to achieve a false positive rate of less than 3%.
“True AI-driven security is measured by actionable precision at scale, not by the count of vulnerabilities alone,” Grieco noted in the blog post.
The company has unveiled key changes in how it announces and prioritizes vulnerability disclosure.
Starting in July, Cisco moved to a twice-monthly disclosure model, beginning on the first and third Wednesday of each month, according to a blog post from Russ Smoak, Cisco’s vice president of information security.
The company has also shifted its disclosure model to emphasize critical vulnerabilities that are actively exploited or flaws that pose the highest risk of becoming exploited, Smoak said.