Cisco Confirms Ongoing Exploitation of Critical SD-WAN Vulnerability
If you run large, distributed networks, this is the kind of headline that makes your stomach drop.
Cisco has confirmed that hackers have been exploiting a critical vulnerability in its Catalyst SD-WAN products since 2023. And not quietly in a lab somewhere—this has been happening in real-world enterprise environments.
The flaw carries a maximum CVSS severity score of 10.0, which is as serious as it gets. That score isn’t handed out lightly. It means the vulnerability is both highly exploitable and potentially devastating in impact.
Cisco says attackers have been actively using this bug to break into customer networks for at least three years before it was publicly disclosed.
That timeline matters. Three years is a long time for an attacker to move quietly.
How the Cisco Catalyst SD-WAN Bug Enables Remote Network Compromise
Remote Exploitation Over the Internet
The vulnerability allows attackers to exploit affected devices remotely over the internet. No insider access required. No complex chain of exploits.
Once exploited, attackers can gain the highest level of permissions on vulnerable devices.
And here’s what that really means: full administrative control.
Persistent, Hidden Access Inside Enterprise Networks
With elevated privileges, attackers can:
- Maintain persistent access
- Remain hidden inside the network
- Monitor activity over time
- Steal sensitive data
- Conduct long-term espionage
This isn’t smash-and-grab cybercrime. It’s slow, deliberate infiltration.
Because Catalyst SD-WAN connects private networks across multiple locations, compromising one of these appliances can give attackers a powerful foothold across distributed enterprise infrastructure.
Think about what SD-WAN does. It connects offices, data centers, remote sites—sometimes across continents. If that layer is compromised, attackers are effectively inside the nervous system of the organization.
Impact on Large Enterprises and Critical Infrastructure
Cisco confirmed that some of the affected organizations fall under critical infrastructure sectors.
That term covers a wide range of industries, including:
- Power grids
- Water supply systems
- Transportation networks
- Government systems
When you read “critical infrastructure,” it’s not abstract. It’s the systems people rely on every day.
The fact that exploitation has been traced back to 2023 suggests attackers may have had long-term access to sensitive environments before discovery.
And in cybersecurity, dwell time—the length of time attackers remain undetected—is often where the real damage happens.
Global Government Warnings and CISA Emergency Directive
International Security Advisory
Governments including:
- The United States
- The United Kingdom
- Australia
- Canada
- New Zealand
issued a joint alert warning that threat actors are targeting organizations globally through this vulnerability.
This wasn’t a routine patch notice. It was a coordinated, multi-government warning.
CISA Orders Immediate Patching of Federal Systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) described the situation as posing an “imminent threat” and an unacceptable risk to federal networks.
CISA ordered all civilian federal agencies to patch affected Cisco SD-WAN systems by end-of-day Friday.
Importantly, the agency stated it is aware of ongoing exploitation.
That phrase—ongoing exploitation—tells you this isn’t theoretical. Attackers are still attempting to use this vulnerability.
Threat Actor Attribution and Activity Tracking
Neither Cisco nor government agencies publicly attributed the attacks to a specific nation-state or threat group.
However, one cluster of malicious activity has been tracked under the designation UAT-8616.
Attribution can take time. And sometimes it remains classified. But the absence of a named actor doesn’t reduce the severity of the threat.
The scale and duration of exploitation suggest a well-resourced and persistent adversary.
Context: Previous 10.0 Cisco Vulnerability Exploitation
This incident follows a previous warning in December about another 10.0-rated vulnerability in Cisco’s Async software, which runs across many Cisco products.
That vulnerability was also being actively exploited to breach customer networks.
When two maximum-severity vulnerabilities in widely deployed networking products are exploited in close succession, it raises broader questions about supply chain exposure and enterprise patch management discipline.
For organizations relying heavily on Cisco infrastructure, the pattern reinforces the need for continuous vulnerability monitoring and rapid remediation.
Why the Cisco SD-WAN Exploit Is a High-Risk Enterprise Security Issue
Several factors amplify the risk:
- Maximum CVSS score (10.0)
- Remote exploitability
- Highest-level privilege access
- Long-term, persistent access capability
- Documented exploitation since 2023
- Global targeting across sectors
When you combine long-term exploitation with devices that sit at the heart of enterprise connectivity, the potential blast radius grows fast.
This isn’t just a device-level issue. It’s a network-level security crisis.