CISA Emergency Directive: Federal Agencies Must Patch Cisco SD-WAN by Feb 27 — Full Compliance Guide
CISA has ordered all federal agencies to patch Cisco SD-WAN systems by February 27, 2026. Here's the complete compliance checklist, detection steps, and what private sector organizations should do immediately.
The Clock Is Ticking: CISA Deadline Hits Today
February 27, 2026 — the deadline set by CISA's Emergency Directive 26-03 for all Federal Civilian Executive Branch (FCEB) agencies to patch Cisco SD-WAN systems against CVE-2026-20127. If you haven't patched yet, you're already in violation.
This article covers the full compliance timeline, step-by-step remediation, and why private sector organizations should treat this with equal urgency.
Related: CVE-2026-20127: Critical Cisco SD-WAN Zero-Day Exploited Since 2023 — our deep-dive into the vulnerability itself.
What CISA ED 26-03 Requires
The directive mandates three actions for all FCEB agencies:
1. Inventory All Cisco SD-WAN Assets
Agencies must identify every instance of:
- Cisco Catalyst SD-WAN Controller (vSmart)
- Cisco SD-WAN Manager (vManage)
- Cisco SD-WAN Validator (vBond)
- Cisco SD-WAN Edge routers running IOS XE SD-WAN
```bash
# SNMP-based discovery of Cisco SD-WAN devices (sysDescr walk)
snmpwalk -v3 -u monitoring -l authPriv \
  -a SHA -A "authpass" \
  -x AES -X "privpass" \
  <management_ip> 1.3.6.1.2.1.1.1.0
```
2. Apply Patches or Mitigations
Cisco released patches on February 25, 2026:
| Product | Fixed Version | Advisory |
|---------|--------------|----------|
| SD-WAN Controller (vSmart) | 20.15.2 | cisco-sa-sdwan-auth-bypass-2026 |
| SD-WAN Manager (vManage) | 20.15.2, 20.14.3 | cisco-sa-sdwan-auth-bypass-2026 |
| SD-WAN Validator (vBond) | 20.15.2 | cisco-sa-sdwan-auth-bypass-2026 |
If patching immediately isn't possible, CISA allows temporary mitigations:
- Restrict management plane access to a dedicated out-of-band network
- Implement ACLs to block untrusted traffic to ports 443/8443
- Enable enhanced audit logging on all SD-WAN management interfaces
3. Report Compromise Indicators
Agencies must check for indicators of compromise and report any findings to CISA within 72 hours.
Step-by-Step Compliance Checklist
Phase 1: Discovery (Immediate)
```bash
# Export device inventory from vManage
curl -k -X GET "https://vmanage:8443/dataservice/device" \
  -H "Content-Type: application/json" \
  -H "Cookie: JSESSIONID=$SESSION" | jq '.data[] | {hostname, version: .version, model: .deviceModel}'
```
Check current software versions against the vulnerable range:
- Vulnerable: All versions prior to 20.15.2
- Vulnerable: 20.14.x prior to 20.14.3
- Not affected: SD-WAN running in controller-less mode
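The version check above is easy to get wrong by hand across a large inventory (the 20.14 train has its own fixed release, and build suffixes such as `20.15.2.1` must not be misread as "older than 20.15.2"). The following script is an added example, not part of the article or of Cisco's tooling: it encodes the article's stated ranges and classifies a saved copy of the `/dataservice/device` export. The sample inventory is constructed, and the device fields used are the ones the jq filter above selects (`hostname`, `version`, `deviceModel`); controller-less mode cannot be inferred from a version string, so that exclusion still has to be applied manually.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample shaped like the vManage /dataservice/device export,
# keeping only the keys the article's jq filter selects.
SAMPLE_INVENTORY_JSON = json.dumps({"data": [
    {"hostname": "vmanage-1", "version": "20.12.4",   "deviceModel": "vmanage"},
    {"hostname": "vsmart-1",  "version": "20.14.2",   "deviceModel": "vsmart"},
    {"hostname": "vsmart-2",  "version": "20.14.3",   "deviceModel": "vsmart"},
    {"hostname": "vbond-1",   "version": "20.15.1",   "deviceModel": "vbond"},
    {"hostname": "edge-01",   "version": "20.15.2",   "deviceModel": "vedge-C8000V"},
    {"hostname": "edge-02",   "version": "20.15.2.1", "deviceModel": "vedge-C8000V"},
]})


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from strings such as '20.15.2' or '20.15.2.1'.
    A fourth build field and any non-numeric suffix are ignored; missing fields are 0."""
    parts: List[int] = []
    for field in version.split("."):
        digits = ""
        for ch in field:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    parts = parts[:3] + [0] * (3 - len(parts[:3]))
    return parts[0], parts[1], parts[2]


def is_vulnerable(version: str) -> bool:
    """Apply the ranges stated in the article: 20.14.x is fixed from 20.14.3,
    every other train needs 20.15.2 or later."""
    major, minor, patch = parse_version(version)
    if (major, minor) == (20, 14):
        return patch < 3
    return (major, minor, patch) < (20, 15, 2)


def triage(inventory_json: str) -> Dict[str, List[str]]:
    """Split an inventory export into devices still needing the patch and devices
    already on a fixed release."""
    report: Dict[str, List[str]] = {"vulnerable": [], "fixed": []}
    for device in json.loads(inventory_json).get("data", []):
        bucket = "vulnerable" if is_vulnerable(device["version"]) else "fixed"
        report[bucket].append(
            f"{device['hostname']} ({device['deviceModel']} {device['version']})"
        )
    return report


if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY_JSON).items():
        print(bucket.upper())
        for entry in devices:
            print("  ", entry)
```

Feed it the real export with `triage(open("devices.json").read())`; anything in the `vulnerable` bucket that is not a controller-less deployment goes straight onto the Phase 3 upgrade list.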
Phase 2: Network Isolation (Within 4 Hours)
Before patching, isolate management interfaces:
```
! ACL to restrict vManage access
ip access-list extended SDWAN-MGMT-RESTRICT
 permit tcp host <admin_workstation> host <vmanage_ip> eq 8443
 permit tcp host <monitoring_server> host <vmanage_ip> eq 443
 deny tcp any host <vmanage_ip> eq 8443 log
 deny tcp any host <vmanage_ip> eq 443 log
 permit ip any any
```
Phase 3: Patch Deployment
Follow Cisco's recommended upgrade path:
- Backup vManage configuration and database
- Stage the software image on vManage
- Upgrade vManage first (cluster mode: one node at a time)
- Upgrade vSmart controllers
- Upgrade vBond orchestrators
- Verify overlay connectivity after each step
```
# Verify patch version after upgrade
show version | include Version
# Expected: 20.15.2 or 20.14.3
```
Phase 4: Compromise Assessment
Check for known IOCs from UAT-8616:
```bash
# Check for unauthorized admin accounts
show running-config | include username
# Check for suspicious API tokens
curl -k -X GET "https://vmanage:8443/dataservice/admin/user" \
  -H "Cookie: JSESSIONID=$SESSION" | jq '.data[] | select(.group == "netadmin")'
# Audit recent configuration changes
show sdwan running-config audit-log | include "last 72 hours"
```
Look for:
- Admin accounts you didn't create
- API tokens with netadmin privileges from unknown sources
- Configuration changes outside maintenance windows
- Unexpected tunnel endpoints in the overlay
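Two of the checks in that list (unknown admin accounts, changes outside the maintenance window) can be scripted against the command output collected above, so the review is repeatable across every controller. This is an added example, not the article's or Cisco's code: it diffs privilege-15 usernames from `show running-config | include username` against a baseline the team maintains, and flags configuration commits whose timestamp falls outside a window that crosses midnight. The approved-admin list, the sample config lines and the audit-log field layout are all constructed for the example; the real vManage audit-log format differs, so adjust `AUDIT_RE` to the fields your export actually contains.

```python
import re
from datetime import datetime, time
from typing import Dict, List, Set

# Constructed baseline: the administrator accounts the team knows it created.
APPROVED_ADMINS: Set[str] = {"admin", "netops-svc"}

# Constructed sample of `show running-config | include username` output.
SAMPLE_RUNNING_CONFIG = """\
username admin privilege 15 secret 9 REDACTED
username netops-svc privilege 15 secret 9 REDACTED
username sysmaint privilege 15 secret 9 REDACTED
username readonly-audit privilege 1 secret 9 REDACTED
"""

# Constructed audit-log lines; the field layout is an assumption for the example,
# not the real vManage audit-log format.
SAMPLE_AUDIT_LOG = """\
2026-02-25T23:10:02 user=netops-svc action=config-commit detail="policy update"
2026-02-26T03:41:55 user=sysmaint action=config-commit detail="tunnel endpoint added"
2026-02-26T01:15:30 user=netops-svc action=config-commit detail="ACL SDWAN-MGMT-RESTRICT"
2026-02-26T14:02:11 user=admin action=config-commit detail="snmp community change"
"""

# Constructed maintenance window, 22:00 to 02:00 local time, which wraps past midnight.
WINDOW_START, WINDOW_END = time(22, 0), time(2, 0)

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)")
AUDIT_RE = re.compile(r'^(\S+)\s+user=(\S+)\s+action=(\S+)\s+detail="([^"]*)"')


def unapproved_admins(running_config: str, approved: Set[str]) -> List[str]:
    """Return privilege-15 usernames that are not in the approved baseline."""
    found: List[str] = []
    for line in running_config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m and int(m.group(2)) == 15 and m.group(1) not in approved:
            found.append(m.group(1))
    return found


def in_maintenance_window(ts: datetime, start: time = WINDOW_START, end: time = WINDOW_END) -> bool:
    """True if the timestamp's time of day lies inside [start, end);
    a window whose end is earlier than its start is treated as crossing midnight."""
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def changes_outside_window(audit_log: str) -> List[Dict[str, str]]:
    """Return configuration commits whose timestamp is outside the maintenance window."""
    flagged: List[Dict[str, str]] = []
    for line in audit_log.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        if m.group(3) == "config-commit" and not in_maintenance_window(ts):
            flagged.append({"time": m.group(1), "user": m.group(2), "detail": m.group(4)})
    return flagged


if __name__ == "__main__":
    print("Unapproved admins:", unapproved_admins(SAMPLE_RUNNING_CONFIG, APPROVED_ADMINS))
    for change in changes_outside_window(SAMPLE_AUDIT_LOG):
        print("Out-of-window change:", change)
```

A hit from either function is a finding to preserve, not to clean up: per the FAQ below, log it, image the system and involve incident response before touching the account or the configuration.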
Why Private Sector Should Act Now
CISA directives technically apply only to federal agencies. But here's why everyone should treat this as urgent:
UAT-8616 is not just targeting government. Threat intelligence reports indicate the group has exploited this vulnerability across:
- Telecommunications providers
- Railway and transportation networks
- Energy and utilities infrastructure
- Large enterprise SD-WAN deployments
If you run Cisco SD-WAN in any capacity, assume you're a target.
Monitoring with SNMP After Patching
After applying patches, set up continuous monitoring:
```bash
# Monitor vManage system health via SNMP
snmpwalk -v3 -u monitor -l authPriv \
  -a SHA256 -A "StrongAuth!" \
  -x AES256 -X "StrongPriv!" \
  <vmanage_ip> 1.3.6.1.4.1.9.9.838
# Set up SNMP trap receiver for security events
snmptrapd -c /etc/snmp/snmptrapd.conf -Lf /var/log/sdwan-traps.log
```
Configure alerts for:
- Failed authentication attempts (>5 in 60 seconds)
- New admin user creation
- Configuration changes outside scheduled windows
- Certificate validation failures
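The first two alert rules need slightly more than a string match: the failed-login rule is a count over a sliding 60-second window per source address, and the admin-creation rule should fire only for the `netadmin` group rather than for every new account. The following detector is an added example, not part of the article or of any vendor product. The syslog-style lines it parses are constructed, and their message wording is an assumption; map `FAILED_RE` and `CREATED_RE` onto the exact messages your syslog or trap receiver records before relying on it.

```python
import re
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

# Constructed syslog-style lines; the message wording is an assumption for the
# example, not vManage's real log format.
SAMPLE_SYSLOG = """\
2026-02-27T08:00:01 vmanage-1 auth: login failed user=admin src=198.51.100.7
2026-02-27T08:00:05 vmanage-1 auth: login failed user=admin src=198.51.100.7
2026-02-27T08:00:09 vmanage-1 auth: login failed user=admin src=198.51.100.7
2026-02-27T08:00:15 vmanage-1 auth: login failed user=root src=198.51.100.7
2026-02-27T08:00:20 vmanage-1 auth: login failed user=admin src=198.51.100.7
2026-02-27T08:00:44 vmanage-1 auth: login failed user=admin src=198.51.100.7
2026-02-27T08:03:10 vmanage-1 auth: login failed user=ops src=203.0.113.9
2026-02-27T08:05:10 vmanage-1 auth: login failed user=ops src=203.0.113.9
2026-02-27T09:12:33 vmanage-1 aaa: user created name=svc-temp group=netadmin by=admin
2026-02-27T09:13:00 vmanage-1 aaa: user created name=auditor group=operator by=admin
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):\s+(.*)$")
FAILED_RE = re.compile(r"login failed user=(\S+) src=(\S+)")
CREATED_RE = re.compile(r"user created name=(\S+) group=(\S+) by=(\S+)")

FAIL_THRESHOLD = 5                   # alert when MORE than this many failures ...
FAIL_WINDOW = timedelta(seconds=60)  # ... fall inside this sliding window


def evaluate_alerts(syslog: str) -> List[str]:
    """Walk the log in order and return alert strings for the two rules:
    >5 failed logins from one source within 60 s, and creation of a netadmin user."""
    alerts: List[str] = []
    recent: Dict[str, Deque[datetime]] = {}   # per-source timestamps inside the window
    already_alerted: Set[str] = set()          # one alert per source per batch
    for line in syslog.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        msg = m.group(4)

        failed = FAILED_RE.search(msg)
        if failed:
            src = failed.group(2)
            window = recent.setdefault(src, deque())
            window.append(ts)
            # Drop timestamps that have aged out of the 60-second window.
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) > FAIL_THRESHOLD and src not in already_alerted:
                alerts.append(
                    f"BRUTE_FORCE src={src} failures={len(window)} within {FAIL_WINDOW.seconds}s"
                )
                already_alerted.add(src)
            continue

        created = CREATED_RE.search(msg)
        if created and created.group(2) == "netadmin":
            alerts.append(
                f"NEW_ADMIN name={created.group(1)} by={created.group(3)} at={m.group(1)}"
            )
    return alerts


if __name__ == "__main__":
    for alert in evaluate_alerts(SAMPLE_SYSLOG):
        print(alert)
```

The per-source deque keeps memory bounded to one window of timestamps per address, and the rule fires on the sixth failure inside the window rather than on a fixed-minute bucket, so a burst straddling a minute boundary is still caught.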
Timeline of Events
| Date | Event |
|------|-------|
| ~2023 | UAT-8616 begins exploiting CVE-2026-20127 |
| Feb 24, 2026 | Cisco publicly discloses vulnerability |
| Feb 25, 2026 | CISA issues Emergency Directive 26-03 |
| Feb 25, 2026 | Cisco releases patches (20.15.2, 20.14.3) |
| Feb 27, 2026 | CISA patch deadline for FCEB agencies |
| Mar 11, 2026 | Agencies must submit compliance attestation |
Key Takeaways
- Patch now — CVE-2026-20127 is CVSS 10.0 and actively exploited
- Isolate management planes if you can't patch immediately
- Check for IOCs — this has been exploited since 2023
- Private sector is also targeted — don't wait for a mandate
- Monitor continuously with SNMP and syslog after patching
FAQ
Is my organization affected if we don't use Cisco SD-WAN?
No. CVE-2026-20127 specifically affects Cisco Catalyst SD-WAN (formerly Viptela). Traditional Cisco routers without SD-WAN are not affected.
Can we just block internet access to vManage?
That's a temporary mitigation, not a fix. The vulnerability can be exploited from within the overlay network, not just from the internet. Patching is the only complete remediation.
How long does patching take?
For a typical vManage cluster (3 nodes) with 50-100 edge devices: plan for 4-6 hours. vManage upgrades take the longest; edge devices can be staged and scheduled.
What if we find IOCs?
Report immediately to CISA via their incident reporting portal. Preserve logs, take forensic images of affected systems, and engage your incident response team before attempting remediation.