Attackers have been exploiting a pair of zero-day vulnerabilities in Cisco’s network edge software for at least three years, and the global campaign is ongoing, authorities said across a series of warnings released Wednesday.
The Cybersecurity and Infrastructure Security Agency issued an emergency directive about the global attacks and issued joint guidance with the Five Eyes to help defenders respond and hunt for evidence of compromise.
This is the second campaign since last spring to exploit multiple zero-day vulnerabilities in Cisco edge technology. Both campaigns resulted in CISA emergency directives months after the attacks were first detected, and both attack sprees were underway for at least a year before they were identified.
Authorities refrained from attributing the attacks to any nation state or threat group. Cisco Talos researchers assigned the exploits and post-compromise activity to UAT-8616, which they only described as a “highly sophisticated threat actor.”
The activity cluster’s “attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors to establish persistent footholds into high-value organizations including critical infrastructure sectors,” Cisco Talos said in a threat advisory.
Malicious activity linked to this campaign is far-reaching, and attackers have exploited vulnerabilities in targeted systems to access and potentially compromise federal networks, Nick Andersen, CISA’s executive assistant director for cybersecurity, said during a media briefing Wednesday.
Andersen declined to say when CISA was first aware of this activity and did not provide details about potential victims, adding that officials are working through the beginning stages of mitigation.
In the jointly issued threat hunt guide, the Five Eyes said all members were aware that the most recent zero-day — CVE-2026-20127 — was identified and confirmed actively exploited in late 2025. Officials and Cisco did not explain why it took at least two months to disclose and patch the vulnerability, and share emergency mitigation guidance.
Attackers are gaining full control of a system through a two-step chain: exploiting CVE-2026-20127 to bypass authentication, then downgrading the software to a version vulnerable to CVE-2022-20775 to escalate privileges, said Douglass McKee, director of vulnerability intelligence at Rapid7.
“That second step allows them to move from administrative control to root on the underlying operating system. That downgrade step shows deliberate knowledge of product versioning and patch history,” he told CyberScoop. “This is not opportunistic scanning. This is structured tradecraft.”
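The downgrade step McKee describes is also the detection opportunity: a device whose running version moves backwards between two inventory snapshots should be treated as suspicious until explained, and a point-in-time scan misses a downgrade that has since been reversed. The following Python script is an added example, not Cisco's tooling and not code from this article; the hostnames, timestamps and version strings are constructed placeholders, and MINIMUM_FIXED stands in for whatever fixed release the vendor advisory names.

```python
"""
Flag software version downgrades in a device-inventory history.

Constructed example: walks per-device version snapshots in time order and
reports every step backwards, plus any device whose latest version is still
older than the advisory's fixed release. Hostnames, timestamps and version
numbers below are placeholders, not real devices or real vulnerable releases.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed inventory records: "timestamp,hostname,running_version".
SAMPLE_INVENTORY = """\
2025-11-01T02:00:00,edge-gw-01,20.9.5
2025-12-01T02:00:00,edge-gw-01,20.9.5
2026-01-15T02:00:00,edge-gw-01,20.6.2
2026-02-01T02:00:00,edge-gw-01,20.9.5
2025-11-01T02:00:00,edge-gw-02,20.12.1
2026-02-01T02:00:00,edge-gw-02,20.12.3
2026-02-01T02:00:00,edge-gw-03,20.12.1a
"""

# Placeholder: replace with the fixed release named in the vendor advisory.
MINIMUM_FIXED = "20.12.0"

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([A-Za-z]\w*)?$")


def parse_version(text: str) -> tuple[tuple[int, ...], str]:
    """Split '20.12.1a' into ((20, 12, 1), 'a') so versions compare numerically;
    a plain string compare would wrongly rank 20.9 above 20.12."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    return numbers, m.group(2) or ""


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b."""
    return parse_version(a) < parse_version(b)


@dataclass(frozen=True)
class Downgrade:
    hostname: str
    when: datetime
    previous: str
    current: str


def parse_inventory(text: str) -> list[tuple[datetime, str, str]]:
    """Parse CSV-style snapshot lines; blank lines and '#' comments are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, ver = (field.strip() for field in line.split(","))
        parse_version(ver)  # reject malformed versions early
        rows.append((datetime.fromisoformat(ts), host, ver))
    return rows


def find_downgrades(rows: list[tuple[datetime, str, str]]) -> list[Downgrade]:
    """Walk each host's snapshots in time order and report every step backwards,
    including downgrades that a later snapshot shows were reversed."""
    by_host: dict[str, list[tuple[datetime, str]]] = {}
    for ts, host, ver in rows:
        by_host.setdefault(host, []).append((ts, ver))
    found: list[Downgrade] = []
    for host, history in by_host.items():
        history.sort()
        for (_, prev), (ts, cur) in zip(history, history[1:]):
            if version_lt(cur, prev):
                found.append(Downgrade(host, ts, prev, cur))
    return found


def below_minimum(rows: list[tuple[datetime, str, str]], minimum: str) -> dict[str, str]:
    """Latest version per host that is still older than the fixed release."""
    latest: dict[str, tuple[datetime, str]] = {}
    for ts, host, ver in rows:
        if host not in latest or ts > latest[host][0]:
            latest[host] = (ts, ver)
    return {h: v for h, (_, v) in latest.items() if version_lt(v, minimum)}


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    for d in find_downgrades(inventory):
        print(f"DOWNGRADE {d.hostname} at {d.when:%Y-%m-%d}: {d.previous} -> {d.current}")
    for host, ver in below_minimum(inventory, MINIMUM_FIXED).items():
        print(f"UNPATCHED {host}: running {ver} < {MINIMUM_FIXED}")
```

Comparing consecutive snapshots rather than only first-versus-last is the point: in the constructed data, edge-gw-01 ends on the same version it started with, so a simple current-state check reports nothing, while the snapshot walk surfaces the interim downgrade that warrants a hunt on that device.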
CISA added CVE-2022-20775 and CVE-2026-20127 to its known exploited vulnerabilities catalog Wednesday.
The three-year gap between known initial attacks and detected exploitation of the zero-days showcases the attackers’ surgical use of vulnerabilities and the highly targeted nature of their campaign, said Ben Harris, founder and CEO of watchTowr.
The timeline and known attack path also indicate operational discipline that allowed attackers to maintain long-term access in critical network infrastructure without triggering alarms, McKee said. Those activities align “more closely with state-sponsored espionage tradecraft than financially motivated crime,” he added.
CISA’s emergency directive requires federal agencies to take inventory of all vulnerable Cisco SD-WAN systems, collect logs from those systems, apply Cisco’s security updates, hunt for evidence of compromise and follow Cisco’s guidance by Friday.
The latest campaign targeting Cisco network edge technology shares many similarities with another string of attacks officials and Cisco warned about in September. Those attacks, which involved at least two actively exploited zero-days, were underway for at least a year before they were first discovered in May.
Cisco did not answer questions about any potential connections between the campaigns. The vendor and officials have also thus far avoided sharing any details about what occurred behind the scenes during these sustained attacks.
A spokesperson for Cisco urged customers to upgrade software and follow guidance from its advisory.
Unfortunately, it’s too late for some Cisco SD-WAN customers to patch, Harris said. “Cisco’s advice to fully rebuild and look for prior signs of intrusion should be taken seriously.”
The post Governments issue warning over Cisco zero-day attacks dating back to 2023 appeared first on CyberScoop.