Overview
On February 26, 2026, the Australian Cyber Security Centre (ACSC) published a critical alert titled "Exploitation of Cisco SD-WAN appliances," updated on March 6, 2026. The advisory addresses ongoing, global targeting of Cisco Software-Defined Wide Area Network (SD-WAN) technology and provides concrete mitigations for affected organizations.
Three CVEs are central to the advisory: CVE-2026-20127, CVE-2026-20128, and CVE-2026-20122.
ACSC classified this as a critical alert. The advisory was updated on March 6 to reflect Cisco PSIRT's confirmation of active exploitation of two additional CVEs.
What the Advisory Says Is Happening
According to the ACSC background section, malicious actors exploited an authentication bypass vulnerability in the Cisco Catalyst SD-WAN controller, tracked as CVE-2026-20127, to gain initial access.
From there, the attack chain unfolded in stages:
- Initial access via the authentication bypass in the SD-WAN controller.
- Rogue peer added to the SD-WAN environment, establishing a foothold that blends into normal network topology.
- Root access achieved, enabling long-term persistence described by ACSC as deeply embedded within the SD-WAN environment.
The March 6 update added that Cisco's Product Security Incident Response Team (PSIRT) confirmed active exploitation of CVE-2026-20128 and CVE-2026-20122 as well, while noting that the other CVEs in the related Cisco advisory were not known to have been exploited.
The update shifts the defender's workload from a single headline vulnerability to tracking multiple actively exploited CVEs simultaneously — each requiring its own remediation validation.
Why This Matters
Root access with long-term persistence is a qualitatively different problem from a standard patch-and-move-on vulnerability. When attackers reach this level of access, several complications follow:
- Persistence survives patching. Applying the CVE patches closes the initial entry point but does not automatically remove an attacker who has already established persistence through a rogue peer or modified system components.
- Trust boundaries are compromised. SD-WAN infrastructure is typically trusted by downstream systems and branch offices. If the SD-WAN layer is compromised, everything that relies on that trust boundary may need to be treated as potentially affected — not just the SD-WAN appliances themselves.
- Multiple CVEs extend the attack surface. The transition from one known exploited CVE to three means defenders cannot assume a single patch resolves their exposure. Each CVE requires separate confirmation that exploitation did not occur before the fix was applied.
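The rogue-peer foothold is the concrete reason "persistence survives patching": closing the authentication bypass does nothing about a peer that was enrolled while it was open. One practical check is to compare the current peer inventory against a snapshot taken before the exploitation window. The script below is an added example, not code from the ACSC advisory or from Cisco; it assumes a hypothetical CSV export with the columns system_ip, site_id, hostname and cert_serial, and the sample rows are constructed for illustration. A real controller export will need its own parser, but the comparison logic is the same.

```python
"""Compare an SD-WAN peer inventory against a known-good baseline.

Added example, not code from the ACSC advisory or from Cisco. The CSV
layout (system_ip,site_id,hostname,cert_serial) and the sample rows are
constructed for illustration; a real export will need its own parser.
"""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    system_ip: str
    site_id: int
    hostname: str
    cert_serial: str


def parse_inventory(text: str) -> dict:
    """Parse a CSV inventory into {system_ip: Peer}. Duplicate system IPs
    are rejected: two peers claiming one identity is itself a finding."""
    peers = {}
    for row in csv.DictReader(io.StringIO(text.strip())):
        peer = Peer(row["system_ip"], int(row["site_id"]),
                    row["hostname"], row["cert_serial"])
        if peer.system_ip in peers:
            raise ValueError(f"duplicate system_ip {peer.system_ip}")
        peers[peer.system_ip] = peer
    return peers


def review_items(baseline: dict, current: dict, known_sites: set) -> list:
    """Return human-readable items a responder should check.

    - a peer absent from the baseline is a candidate rogue peer; its site_id
      is checked against the sites the organisation actually operates
    - a changed certificate serial on a known peer means the device was
      re-enrolled, which is one way a foothold can outlive a controller patch
    - a baseline peer that is now missing is reported so a quietly replaced
      device does not go unnoticed
    """
    items = []
    for ip in sorted(current.keys() - baseline.keys()):
        p = current[ip]
        site = "known site" if p.site_id in known_sites else "site NOT in known list"
        items.append(f"ADDED {ip} ({p.hostname}, site {p.site_id}, {site})")
    for ip in sorted(current.keys() & baseline.keys()):
        old, new = baseline[ip], current[ip]
        if old.cert_serial != new.cert_serial:
            items.append(f"CERT CHANGED {ip}: {old.cert_serial} -> {new.cert_serial}")
        if old.site_id != new.site_id:
            items.append(f"SITE CHANGED {ip}: {old.site_id} -> {new.site_id}")
    for ip in sorted(baseline.keys() - current.keys()):
        items.append(f"MISSING {ip} ({baseline[ip].hostname})")
    return items


# Constructed sample snapshots (not real devices): a pre-incident baseline
# and a current export in which one peer was re-enrolled, one vanished and
# one unknown peer appeared at a site the organisation does not operate.
BASELINE_CSV = """
system_ip,site_id,hostname,cert_serial
10.0.0.1,100,edge-syd-01,0A1B
10.0.0.2,200,edge-mel-01,0C2D
10.0.0.3,300,edge-bne-01,0E3F
"""

CURRENT_CSV = """
system_ip,site_id,hostname,cert_serial
10.0.0.1,100,edge-syd-01,0A1B
10.0.0.2,200,edge-mel-01,FFFF
10.0.0.9,999,edge-mel-02,1234
"""

KNOWN_SITES = {100, 200, 300}


def run_example() -> list:
    """Run the comparison on the constructed snapshots."""
    return review_items(parse_inventory(BASELINE_CSV),
                        parse_inventory(CURRENT_CSV), KNOWN_SITES)


if __name__ == "__main__":
    for item in run_example():
        print(item)
```

The baseline has to predate the exploitation window, which is why snapshotting inventories on a schedule matters before an advisory lands; a snapshot taken after the rogue peer was enrolled would simply bless it. Every item the script prints is a lead to investigate, not a verdict: a changed certificate serial can be a legitimate re-enrolment, but during this incident it needs a change record to back it up.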
Lessons Learned
For a cybersecurity student, this advisory reinforces several principles that are easy to underestimate until you see how an attack chain plays out across a real advisory:
- Patching is not the same as remediation. When attackers have achieved root and persistence, the remediation scope is much wider than the CVE patch. Organizations need to validate that persistence mechanisms were not left behind before considering an incident closed.
- SD-WAN is high-value infrastructure. Because SD-WAN connects branch offices and sits at a central trust boundary, compromising it gives attackers wide reach. Defenders should treat SD-WAN controllers with the same scrutiny as domain controllers or core routing infrastructure.
- Advisories evolve — track updates. The March 6 update changed the scope of this incident significantly. Security teams that only read the original February alert would have an incomplete picture. Subscribing to advisory update feeds is not optional for critical infrastructure.
- Government advisories are actionable. ACSC provided concrete mitigations, not just a list of CVEs. Reading the full advisory — not just the headline — is where the practical defensive value lives.
References
- Australian Cyber Security Centre. (2026, February 26). Exploitation of Cisco SD-WAN appliances (Updated March 6, 2026). cyber.gov.au/about-us/view-all-content/alerts-and-advisories/exploitation-of-cisco-sd-wan-appliances