Alert essentials:
Hospitals worldwide are facing an urgent cybersecurity threat. A sophisticated threat actor dubbed UAT-8616 is actively targeting Cisco SD-WAN systems and exploiting critical vulnerabilities to gain deep access and control.
For healthcare IT and security teams, the message is clear: act now or risk catastrophic consequences.
Detailed threat description:
A coordinated cybersecurity alert from U.S. and international agencies warns that malicious actors have been globally targeting Cisco Software-Defined WAN (SD-WAN) systems since at least 2023.
The group has been compromising networks with a zero-day critical authentication bypass flaw in Cisco Catalyst SD-WAN Controller and Manager, CVE-2026-20127. Once access is achieved, the process exploits a privilege escalation flaw from 2022, CVE-2022-20775, to gain root access.
Notably, the attackers introduced a backdoor and even downgraded the controller software to a vulnerable version, allowing use of CVE-2022-20775. After obtaining privilege escalation, they reverted the systems to the original software version to evade detection of the unauthorized change. This clever tactic allowed the intruders to maintain long-term persistence on the SD-WAN controllers. Effectively owning the SD-WAN fabric, bad actors can intercept VPN traffic, redirect data flows, or deploy attacks across all connected hospital sites.
Cisco disclosed the vulnerabilities, confirmed ‘limited exploitation’, and released version updates on February 25, 2026. Simultaneously, CISA and global partners released an alert with an emergency directive for government agencies to inventory Cisco SD-WAN systems, update them, and assess for compromise.
Due to perceived imminent threats to federal networks, CISA directs Federal Executive Branch agencies (FCEB) to identify Cisco SD-WAN appliances, ensure that these systems store logs externally, and collect various system artifacts from these systems by 11:59 pm on February 26, 2026. Following those directives, FCEB is to apply updates by 5:00 pm on February 27, 2026, then hunt for compromise and harden systems. No workaround is available.
Hospital cybersecurity teams should treat this Cisco SD-WAN exploitation campaign as an immediate high-priority threat. The combination of a critical remote exploit and a privilege escalation actively in use by attackers is particularly dangerous, but swift action can mitigate the risk.
Apply patches as soon as they are released, lock down your SD-WAN infrastructure, and review your systems for any signs of compromise. By doing so, hospitals can protect their networks from this ongoing threat and ensure the continuity and safety of their healthcare services.
Impacts on healthcare organizations:
Cisco SD-WAN is widely used to connect hospital networks, clinics, data centers, and cloud services via centrally managed, software-defined networking. If a hospital’s SD-WAN control infrastructure is compromised, an attacker could insert malicious SD-WAN nodes into the network. By accessing these nodes, the adversary can intercept or reroute sensitive data and even disrupt connectivity between hospital sites and cloud services.
The involvement of multiple national cybersecurity agencies and the issuance of an Emergency Directive in response to these Cisco SD-WAN exploits underscores the gravity of the threat. Hospital security teams should therefore respond with the same urgency as federal agencies.
Affected Products / Versions
- On-Prem Deployment
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud – Cisco Managed
- Cisco Hosted SD-WAN Cloud – FedRAMP Environment
CVEs
- CVE-2022-20775- CWE-25- CVSS 7.8- Tenable plugin #165534
- CVE-2026-20127- CWE-287- CVSS 10- Tenable plugin in development
Recommendations
- Inventory all in-scope Cisco SD-WAN systems
- Restrict SD-WAN controller access until patches are in place
- Apply fixed software versions as soon as possible
- Ensure management user ports are NOT exposed to the internet
- Collect artifacts, including virtual snapshots and logs from SD-WAN systems, to support threat hunt activities
- Implement Cisco’s hardening recommendations
- Review artifacts and investigate any signs of past or ongoing compromise
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- CISA Emergency Directive: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- CISA guidance for Exploitation of Cisco SD-WAN Systems: https://www.cisa.gov/news-events/alerts/2026/02/25/cisa-and-partners-release-guidance-ongoing-global-exploitation-cisco-sd-wan-systems
- Cisco CVE-2022-20775: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-priv-E6e8tEdF
- Cisco CVE-2026-20127: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
- Cisco Catalyst SD-WAN Hardening: https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide