On February 25, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) warned that two vulnerabilities affecting Cisco software-defined wide-area network (SD-WAN) systems, CVE-2026-20127 and CVE-2022-20775, are being actively exploited. CVE-2026-20127 could allow a remote attacker to bypass authentication and obtain administrative privileges on the affected system. CVE-2022-20775 could allow an authenticated local attacker to escalate their privileges. Chained, the two give an unauthenticated remote attacker a path from no access to full control of the device.
The activity has been linked to ongoing malicious operations targeting U.S. federal networks. It poses a significant security risk because of the central role that SD-WAN controllers and edge devices play in distributed network environments: they sit on the path between sites and carry the configuration and credentials for the whole overlay. CISA issued an emergency directive requiring federal agencies to act immediately to reduce exposure and to evaluate their systems for signs of compromise.
Recommended actions
Counter Threat Unit™ (CTU) researchers recommend that all organizations identify Cisco SD-WAN systems in their environments and apply the mitigations outlined in the Cisco Talos advisory as appropriate. Because exploitation is already under way, patching alone is not sufficient: systems that were exposed before mitigation should also be evaluated for compromise, as the CISA directive requires.
Sophos protections
SophosLabs has developed the following IPS rules to detect activity associated with these threats:
- 65938 - SERVER-OTHER TRUFFLEHUNTER SFVRT-1058 attack attempt
- 65958 - SERVER-OTHER TRUFFLEHUNTER SFVRT-1058 attack attempt
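As an added example (this is not Sophos, Cisco or Talos code), the Python below parses Snort-style rule lines and reports whether each of the SIDs listed above is present and enabled in a rules file, so an operator can confirm the protections are actually active rather than shipped but commented out. The sample rule lines are constructed: they carry the SIDs and messages quoted here, but their detection content is a placeholder and is not the real signature logic. The script assumes the standard single-line Snort/Suricata rule syntax, in which a leading `#` marks a rule as disabled.

```python
"""Audit an IPS ruleset for the SIDs named in an advisory.

Added example, not Sophos/Cisco/Talos code. SAMPLE_RULES is constructed:
the SIDs and msg strings match the advisory, but the rule bodies are
placeholders and NOT the real signature content.
"""
import re
from typing import Dict, Iterable, Optional, Set

# SIDs quoted in the advisory's "Sophos protections" section.
ADVISORY_SIDS: Set[int] = {65938, 65958}

# Snort/Suricata option syntax: sid:<number>; and msg:"<text>";
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')

# Constructed sample ruleset (placeholder bodies, not the real signatures).
SAMPLE_RULES = """
# constructed sample ruleset for illustration only
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER TRUFFLEHUNTER SFVRT-1058 attack attempt"; flow:to_server,established; content:"PLACEHOLDER"; sid:65938; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER TRUFFLEHUNTER SFVRT-1058 attack attempt"; flow:to_server,established; content:"PLACEHOLDER"; sid:65958; rev:1;)
alert tcp any any -> any any (msg:"unrelated local rule"; sid:1000001; rev:1;)
"""


def parse_rule(line: str) -> Optional[dict]:
    """Return {'sid', 'msg', 'enabled'} for a rule line.

    Returns None for blank lines and for comments that are not rules.
    A rule prefixed with '#' is reported as present but disabled, which is
    the convention Snort-style rule sets use to switch a signature off.
    """
    stripped = line.strip()
    if not stripped:
        return None
    enabled = True
    if stripped.startswith("#"):
        stripped = stripped.lstrip("#").strip()
        enabled = False
    sid_match = SID_RE.search(stripped)
    if not sid_match:
        return None  # a plain comment, not a disabled rule
    msg_match = MSG_RE.search(stripped)
    return {
        "sid": int(sid_match.group(1)),
        "msg": msg_match.group(1) if msg_match else "",
        "enabled": enabled,
    }


def audit_rules(lines: Iterable[str], wanted: Set[int] = ADVISORY_SIDS) -> Dict[int, str]:
    """Map each wanted SID to 'enabled', 'disabled' or 'missing'.

    If a SID appears more than once, the last occurrence wins, matching how
    a later rule file overrides an earlier one in a typical include order.
    """
    status = {sid: "missing" for sid in wanted}
    for line in lines:
        rule = parse_rule(line)
        if rule and rule["sid"] in status:
            status[rule["sid"]] = "enabled" if rule["enabled"] else "disabled"
    return status


def audit_file(path: str, wanted: Set[int] = ADVISORY_SIDS) -> Dict[int, str]:
    """Convenience wrapper for a real rules file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_rules(fh, wanted)


if __name__ == "__main__":
    # Against the constructed sample: 65938 is enabled, 65958 is commented out.
    for sid, state in sorted(audit_rules(SAMPLE_RULES.splitlines()).items()):
        print(f"sid {sid}: {state}")
```

Run it against the deployed rules file with `audit_file("/path/to/rules")`; any SID reported as `disabled` or `missing` means the sensor is not providing the coverage described above, regardless of what the rule update changelog says.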