Australian and allied cyber security agencies have warned that malicious actors are actively targeting organisations’ SD-WAN infrastructure by exploiting a critical vulnerability in Cisco Catalyst SD-WAN controllers, prompting the Australian Government to issue a rare mandatory security direction across the Commonwealth.
The flaw, tracked as CVE-2026-20127, enables an authentication bypass in Cisco Catalyst SD-WAN controllers. According to a newly released joint advisory, attackers exploiting the vulnerability are able to insert a rogue peer into an SD-WAN overlay and escalate privileges to gain root-level access. Once established, that access can provide long-term persistence within affected environments.
In response to the identified risk, the Secretary of the Department of Home Affairs has issued a mandatory Direction to non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF). The move follows the identification of the critical vulnerabilities by the Australian Signals Directorate (ASD).
Under the Direction, by 28 February, Commonwealth entities must:
• Account for any Cisco SD-WAN instances within their networks
• Apply required security updates immediately
• Investigate for any signs of compromise and report findings
• Prevent the use of unpatched versions, and remove the technology entirely if it cannot be securely updated
The Direction states that these steps are necessary to protect the integrity and security of Australian Government systems, with the mandatory PSPF mechanism described as the most effective way to reduce the risk posed by the vulnerability.
ASD has also issued a critical alert regarding active exploitation of Cisco SD-WAN appliances and released a Cisco SD-WAN Threat Hunt Guide through the Australian Cyber Security Centre (ACSC). The guide was developed in close collaboration with international partners and is jointly authored and co-sealed by:
- United States National Security Agency (NSA)
- United States Cybersecurity and Infrastructure Security Agency (CISA)
- Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
- Canadian Centre for Cyber Security
- New Zealand National Cyber Security Centre
- United Kingdom National Cyber Security Centre
The guidance is designed to assist network defenders in identifying indicators of compromise, including rogue peer configurations, suspicious authentication activity and persistence mechanisms associated with exploitation of the vulnerability.
SD-WAN controllers occupy a strategic position in enterprise and government networks, managing connectivity across branch offices, cloud environments and data centres. Compromise at this layer can provide attackers with broad visibility and control, making remediation complex if not detected early.
While the mandatory Direction applies specifically to non-corporate Commonwealth entities, officials have strongly recommended that other organisations review their exposure and implement the same mitigations. Unpatched Cisco SD-WAN systems are considered to pose a significant security risk, particularly given evidence of active targeting globally.
The coordinated advisory and the escalation to a formal PSPF Direction signal the seriousness with which authorities are treating the threat — and reflect a broader trend of adversaries increasingly targeting network infrastructure itself to establish durable footholds inside high-value environments.
