The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Wednesday calling on federal civilian agencies to take immediate steps to secure Cisco Software-Defined Wide-Area Networking (SD-WAN) systems.
The agency said the directive comes in response to “a significant cyber threat targeting federal networks utilizing certain Cisco systems and software.”
CISA is requiring agencies using Cisco SD-WAN products to identify affected systems and report an initial inventory to CISA by 11:59 p.m. on Feb. 26, and then apply Cisco-provided updates addressing two vulnerabilities by 5 p.m. on Feb. 27, 2026.
“Based on collaboration with international partners and CISA’s forensic analysis, the ease with which these vulnerabilities can be exploited demands immediate action from all federal agencies,” said Madhu Gottumukkala, CISA’s acting director, in a press release.
“We urge all entities to implement the measures outlined in this Emergency Directive without delay,” Gottumukkala added. “CISA leadership and all (excepted) staff remain committed to fulfilling our mission while protecting the American people.”
In addition to the emergency directive, CISA also released joint guidance, Cisco SD-WAN Threat Hunt Guide, with the National Security Agency and international partners – the Australian Signals Directorate’s Australian Cyber Security Centre, Canadian Centre for Cyber Security, New Zealand National Cyber Security Centre, and United Kingdom National Cyber Security Centre.
CISA and the authoring organizations strongly urged organizations to immediately identify Cisco SD-WAN systems; collect artifacts, including virtual snapshots and logs the systems; patch the systems; hunt for evidence of compromise; and implement Cisco’s guidance to harden the systems.
CISA also released supplemental threat hunt guidance and an alert to provide resources for organizations with Cisco SD-WAN systems.
The agency said it will monitor agencies’ progress as they implement the directive’s requirements, provide technical assistance, and deliver additional resources as needed.
“CISA remains unwavering in its commitment to protect our federal networks from malicious cyber threat actors despite the multi-week government shutdown of the Department of Homeland Security (DHS),” Gottumukkala said. “Operational disruptions create strain and uncertainty, give our adversaries unnecessary advantages, and [force] our frontline cybersecurity experts to carry out critical work without pay.”
DHS, CISA’s parent agency, has been shut down since Feb. 14. Prior to the shutdown, Gottumukkala warned that a shutdown would degrade CISA’s ability to provide “timely and actionable guidance to help partners defend their networks.”