CISA Emergency Directive to Mitigate Exploited Vulnerabilities in Cisco SD-WAN
CISA issued Emergency Directive ED 26-03 directing U.S. federal civilian executive branch (FCEB) agencies to mitigate vulnerabilities affecting Cisco SD-WAN systems, reflecting active risk to government networks and aligning with CISA’s broader push to drive rapid remediation of exploited flaws.
CISA’s Known Exploited Vulnerabilities (KEV) Catalog provides the operational backbone for this action by listing vulnerabilities confirmed as exploited in the wild and setting expectations for prioritized patching and mitigation; ED 26-03 is consistent with the KEV-driven approach of requiring agencies to identify affected assets and remediate within mandated timelines to reduce exposure from real-world exploitation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CISA adds the vulnerability to its Known Exploited Vulnerabilities Catalog
CISA's Known Exploited Vulnerabilities Catalog reflected the Cisco SD-WAN issue as a known exploited vulnerability, signaling active exploitation and formal tracking for remediation prioritization.
CISA publishes supplemental hunt and hardening guidance
CISA released supplemental direction for ED 26-03 with hunt and hardening guidance for Cisco SD-WAN systems to support detection and defensive measures.
CISA issues ED 26-03 on Cisco SD-WAN vulnerabilities
CISA published Emergency Directive 26-03 directing mitigation of vulnerabilities affecting Cisco SD-WAN systems, indicating the issue required urgent federal action.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Known Exploited Vulnerabilities Catalog | CISA
cisa.gov
Open sourceED 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems | CISA
cisa.gov
Open sourceSupplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems | CISA
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Orders Hunt for Cisco Device Compromise as New Exploited CVEs Mount
CISA issued **Emergency Directive 25-03** ordering federal civilian agencies to identify and mitigate potential compromise of Cisco devices, then followed with supplemental guidance covering core-dump collection and threat-hunting steps. The directive indicates concern that Cisco infrastructure may already have been breached and requires agencies to validate device integrity, investigate for signs of compromise, and take remediation actions to reduce ongoing risk. At the same time, CISA continued expanding its **Known Exploited Vulnerabilities** catalog with numerous newly listed flaws, including `CVE-2026-33634`, `CVE-2026-5281`, `CVE-2026-32201`, `CVE-2026-3502`, `CVE-2026-33017`, `CVE-2026-20131`, `CVE-2026-3909`, `CVE-2026-1603`, `CVE-2026-21385`, `CVE-2026-22719`, `CVE-2026-2441`, and `CVE-2026-1281`, alongside older but still exploited issues such as `CVE-2025-40551`, `CVE-2025-20393`, `CVE-2025-15556`, `CVE-2024-43468`, `CVE-2023-48788`, `CVE-2021-44529`, and `CVE-2021-39935`. The combined actions show U.S. authorities escalating warnings that active exploitation is broadening across enterprise technologies, with network appliances, email platforms, and internet-facing systems remaining priority targets for defenders.
May 25, 2026
CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, urging organizations to prioritize remediation and reminding U.S. Federal Civilian Executive Branch (FCEB) agencies that **BOD 22-01** requires fixes by mandated due dates. The newly added KEVs are **CVE-2017-7921** (Hikvision improper authentication), **CVE-2021-22681** (Rockwell insufficiently protected credentials), and three Apple issues: **CVE-2021-30952** (integer overflow/wraparound), **CVE-2023-41974** (iOS/iPadOS use-after-free), and **CVE-2023-43000** (use-after-free affecting multiple Apple products). CISA emphasized that KEV-listed flaws are common attack vectors and represent elevated risk, even for non-federal organizations. CISA’s public *kev-data* repository reflects the same update, increasing the catalog count from **1531 to 1536** and recording a remediation **due date of 2026-03-26** for at least **CVE-2017-7921** (with required action to apply vendor mitigations or discontinue use if unavailable). Separately, Cisco Talos published a 2025 CVE retrospective that provides broader context on the growing volume of vulnerabilities and KEV additions, noting a year-over-year increase in KEVs and highlighting persistent exploitation of older CVEs; however, it does not add incident-specific details about the five newly listed KEVs beyond reinforcing the operational importance of patching and compensating controls for unpatchable systems.
Mar 26, 2026
CISA Adds WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox Vulnerabilities to KEV Catalog
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog to include three newly identified vulnerabilities: an out-of-bounds write in WatchGuard Firebox OS (`CVE-2025-9242`), a race condition in the Microsoft Windows kernel (`CVE-2025-62215`), and improper access control in Gladinet Triofox (`CVE-2025-12480`). These vulnerabilities have been added due to evidence of active exploitation, with risks ranging from remote code execution on network appliances to privilege escalation on Windows systems and unauthorized access to sensitive setup functions in Triofox. CISA emphasizes the critical nature of these flaws and urges immediate patching and mitigation to prevent exploitation. Federal Civilian Executive Branch (FCEB) agencies are mandated under Binding Operational Directive (BOD) 22-01 to remediate these vulnerabilities by the specified deadlines, but CISA also strongly recommends that all organizations prioritize addressing these issues as part of their vulnerability management programs. The addition of these CVEs to the KEV Catalog highlights their significance as attack vectors and the ongoing threat they pose to both government and private sector networks. Organizations should verify their exposure and apply all relevant security updates without delay.
Mar 21, 2026