CISA Emergency Directive to Mitigate Exploited Vulnerabilities in Cisco SD-WAN
CISA issued Emergency Directive ED 26-03 directing U.S. federal civilian executive branch (FCEB) agencies to mitigate vulnerabilities affecting Cisco SD-WAN systems, reflecting active risk to government networks and aligning with CISA’s broader push to drive rapid remediation of exploited flaws.
CISA’s Known Exploited Vulnerabilities (KEV) Catalog provides the operational backbone for this action by listing vulnerabilities confirmed as exploited in the wild and setting expectations for prioritized patching and mitigation; ED 26-03 is consistent with the KEV-driven approach of requiring agencies to identify affected assets and remediate within mandated timelines to reduce exposure from real-world exploitation.
Related Stories

CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, urging organizations to prioritize remediation and reminding U.S. Federal Civilian Executive Branch (FCEB) agencies that **BOD 22-01** requires fixes by mandated due dates. The newly added KEVs are **CVE-2017-7921** (Hikvision improper authentication), **CVE-2021-22681** (Rockwell insufficiently protected credentials), and three Apple issues: **CVE-2021-30952** (integer overflow/wraparound), **CVE-2023-41974** (iOS/iPadOS use-after-free), and **CVE-2023-43000** (use-after-free affecting multiple Apple products). CISA emphasized that KEV-listed flaws are common attack vectors and represent elevated risk, even for non-federal organizations. CISA’s public *kev-data* repository reflects the same update, increasing the catalog count from **1531 to 1536** and recording a remediation **due date of 2026-03-26** for at least **CVE-2017-7921** (with required action to apply vendor mitigations or discontinue use if unavailable). Separately, Cisco Talos published a 2025 CVE retrospective that provides broader context on the growing volume of vulnerabilities and KEV additions, noting a year-over-year increase in KEVs and highlighting persistent exploitation of older CVEs; however, it does not add incident-specific details about the five newly listed KEVs beyond reinforcing the operational importance of patching and compensating controls for unpatchable systems.
1 week ago
CISA Adds WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox Vulnerabilities to KEV Catalog
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog to include three newly identified vulnerabilities: an out-of-bounds write in WatchGuard Firebox OS (`CVE-2025-9242`), a race condition in the Microsoft Windows kernel (`CVE-2025-62215`), and improper access control in Gladinet Triofox (`CVE-2025-12480`). These vulnerabilities have been added due to evidence of active exploitation, with risks ranging from remote code execution on network appliances to privilege escalation on Windows systems and unauthorized access to sensitive setup functions in Triofox. CISA emphasizes the critical nature of these flaws and urges immediate patching and mitigation to prevent exploitation. Federal Civilian Executive Branch (FCEB) agencies are mandated under Binding Operational Directive (BOD) 22-01 to remediate these vulnerabilities by the specified deadlines, but CISA also strongly recommends that all organizations prioritize addressing these issues as part of their vulnerability management programs. The addition of these CVEs to the KEV Catalog highlights their significance as attack vectors and the ongoing threat they pose to both government and private sector networks. Organizations should verify their exposure and apply all relevant security updates without delay.
4 months ago
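As an added example (not from the stories above or from CISA's own tooling), the following Python check joins a constructed asset inventory against constructed KEV-style records to show which findings carry a BOD 22-01 due date and which are already past it, the kind of exposure verification the KEV story and the Firebox/Windows/Triofox story both call for. The KEV field names (cveID, vendorProject, product, requiredAction, dueDate) are assumed from CISA's public KEV JSON feed, and every due date other than the CVE-2017-7921 date quoted above is a placeholder.

```python
"""Join an asset inventory to KEV catalog entries and rank by remediation deadline."""
from datetime import date

# Constructed KEV-style records. Field names are assumed to follow CISA's public
# KEV JSON feed (cveID, vendorProject, product, requiredAction, dueDate). Only the
# CVE-2017-7921 due date comes from the story above; the others are PLACEHOLDERS.
KEV_SAMPLE = [
    {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision", "product": "Cameras",
     "requiredAction": "Apply vendor mitigations or discontinue use if unavailable.",
     "dueDate": "2026-03-26"},
    {"cveID": "CVE-2025-9242", "vendorProject": "WatchGuard", "product": "Firebox",
     "requiredAction": "Apply vendor mitigations.", "dueDate": "2025-12-03"},  # PLACEHOLDER date
    {"cveID": "CVE-2025-62215", "vendorProject": "Microsoft", "product": "Windows",
     "requiredAction": "Apply vendor mitigations.", "dueDate": "2025-12-02"},  # PLACEHOLDER date
]

# Constructed inventory: asset -> CVE IDs the scanner reports as unpatched.
INVENTORY = {
    "cam-lobby-01": ["CVE-2017-7921"],
    "fw-edge-02": ["CVE-2025-9242", "CVE-0000-0000"],  # second ID is constructed, not in KEV
    "ws-finance-07": ["CVE-2025-62215"],
}

def kev_exposure(catalog, inventory, today_iso):
    """Return one row per (asset, KEV CVE), most urgent first.

    days_left < 0 means the BOD 22-01 due date has passed. Findings that are
    not in the catalog are skipped here; they still belong in normal patching.
    """
    today = date.fromisoformat(today_iso)
    by_id = {e["cveID"]: e for e in catalog}
    rows = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = by_id.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            rows.append({"asset": asset, "cveID": cve, "dueDate": entry["dueDate"],
                         "days_left": (due - today).days, "overdue": due < today,
                         "requiredAction": entry["requiredAction"]})
    rows.sort(key=lambda r: r["days_left"])  # overdue first, then nearest deadline
    return rows

if __name__ == "__main__":
    for r in kev_exposure(KEV_SAMPLE, INVENTORY, "2025-12-03"):
        flag = "OVERDUE" if r["overdue"] else ""
        print(f'{r["asset"]:14} {r["cveID"]:15} due {r["dueDate"]} ({r["days_left"]:+d} d) {flag}')
```

In practice the catalog list would be loaded from the KEV JSON feed and the inventory from the scanner export; the join logic stays the same.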
Cisco Catalyst SD-WAN Exploitation Advisory and KEV Additions
Government and industry reporting highlighted active exploitation of **Cisco Catalyst SD-WAN** vulnerabilities, with an NCSC-and-partners advisory calling attention to real-world abuse and operational guidance for defenders. Related coverage also pointed to U.S. **CISA** adding **Cisco SD-WAN** issues to the **Known Exploited Vulnerabilities (KEV)** catalog and reporting that attackers have leveraged a Cisco SD-WAN zero-day since 2023 to obtain **full administrative control**, reinforcing the need for rapid patching, exposure reduction, and validation of device configurations and access controls. Other items in the provided material were not part of this specific SD-WAN exploitation story: one was a general newsletter roundup that aggregates many unrelated security headlines, another was a generic IoT security advice article using mixed examples (including an AVTECH camera CVE and Colonial Pipeline), and another was a conference write-up focused on Linux filesystem journal forensics tooling (*FJTA*) rather than a specific incident or vulnerability exploitation campaign.
2 weeks ago