The Cybersecurity and Infrastructure Security Agency (CISA) has escalated the urgency for network administrators worldwide with its latest Known Exploited Vulnerabilities (KEV) Catalog update. On February 25, 2026, CISA added two critical Cisco Catalyst SD-WAN Manager vulnerabilities—CVE-2022-20775 and CVE-2022-20776—to its catalog, mandating federal agencies to patch these flaws within strict deadlines. This action signals that these vulnerabilities are not just theoretical risks but are actively being exploited in the wild, posing significant threats to enterprise networks, government infrastructure, and critical systems that rely on Cisco's widely deployed software-defined wide area networking solutions.

Understanding the Cisco Catalyst SD-WAN Vulnerabilities

The two vulnerabilities added to CISA's KEV catalog represent serious security flaws in Cisco Catalyst SD-WAN Manager, the central management component for Cisco's SD-WAN deployments. According to Cisco's original advisories and technical documentation, these vulnerabilities affect the web-based management interface of the SD-WAN Manager software.

CVE-2022-20775 is a path traversal vulnerability that could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device. This flaw exists in the web-based management interface and could be exploited by sending crafted HTTP requests to the vulnerable system. An attacker with valid administrator credentials could leverage this vulnerability to access sensitive configuration files, credential stores, or other critical system information that should be protected.

CVE-2022-20776 is a privilege escalation vulnerability that could allow an authenticated, remote attacker to elevate privileges to root on the underlying operating system. This vulnerability also resides in the web-based management interface and could be exploited by sending specially crafted HTTP requests. An attacker with valid user credentials could use this flaw to gain complete control over the affected system, potentially compromising the entire SD-WAN deployment.

Both vulnerabilities affect Cisco Catalyst SD-WAN Manager releases prior to version 20.9.3, with Cisco rating them with a CVSS (Common Vulnerability Scoring System) score of 7.2 and 8.8 respectively, placing them in the high to critical severity range. The combination of these vulnerabilities is particularly dangerous—an attacker could potentially chain them together to first gain access to sensitive information through the path traversal flaw, then use that information to escalate privileges and take complete control of the system.

CISA's Binding Operational Directive and Federal Requirements

CISA's addition of these vulnerabilities to the KEV catalog isn't merely advisory—it carries regulatory weight for federal agencies. Under Binding Operational Directive (BOD) 22-01, federal civilian executive branch agencies are required to remediate vulnerabilities listed in the KEV catalog within specific timeframes. For these Cisco Catalyst SD-WAN vulnerabilities, agencies must apply available patches or workarounds by March 18, 2026.

This directive represents a significant escalation in the U.S. government's approach to cybersecurity. The KEV catalog serves as a prioritized list of vulnerabilities that are known to be actively exploited by threat actors, making them higher priority than other security flaws. By requiring federal agencies to patch these specific vulnerabilities, CISA is implementing a risk-based approach to cybersecurity that focuses resources on the most immediate threats.

For private sector organizations, while compliance isn't legally mandated in the same way, CISA strongly recommends that all organizations prioritize remediation of KEV-listed vulnerabilities. Many cybersecurity frameworks and insurance providers now consider attention to the KEV catalog as a best practice, and failure to address these known exploited vulnerabilities could have liability implications in the event of a breach.

The Expanding Threat Landscape for Network Infrastructure

The inclusion of these Cisco vulnerabilities in the KEV catalog reflects broader trends in the cybersecurity landscape. Network infrastructure components, particularly those managing critical connectivity like SD-WAN solutions, have become increasingly attractive targets for threat actors. These systems often sit at the heart of organizational networks, controlling traffic flow between headquarters, branch offices, data centers, and cloud services.

Recent search results and security industry reports indicate that attacks against network management systems have been rising steadily. Threat actors recognize that compromising these systems can provide persistent access, enable lateral movement across networks, and facilitate data exfiltration or ransomware deployment. The fact that these particular Cisco vulnerabilities are now confirmed as actively exploited suggests they may be part of broader campaigns targeting enterprise networks.

Security researchers have noted that vulnerabilities in SD-WAN solutions are particularly concerning because these systems often have privileged access to multiple network segments. A compromise of an SD-WAN manager could potentially allow attackers to reroute traffic, intercept sensitive data, or deploy malware across distributed organizational locations. This makes timely patching of these systems not just important but critical for maintaining overall network security posture.

Patching Challenges and Best Practices for SD-WAN Environments

Patching SD-WAN management systems presents unique challenges compared to traditional network equipment. These systems often manage production traffic across multiple locations, and updates can potentially disrupt critical business operations if not carefully planned. However, the confirmed active exploitation of these vulnerabilities means that organizations must balance operational continuity with security urgency.

Based on Cisco's documentation and industry best practices, organizations should follow these steps when addressing these vulnerabilities:

  1. Immediate Assessment: Identify all instances of Cisco Catalyst SD-WAN Manager in your environment and determine their current versions. Any systems running versions prior to 20.9.3 are vulnerable and require attention.

  2. Prioritization Strategy: While all vulnerable systems should be addressed, prioritize those that are internet-facing or manage particularly sensitive network segments. These systems represent the highest risk if compromised.

  3. Update Planning: Cisco has released fixes in version 20.9.3 and later releases. Organizations should review release notes and compatibility information before upgrading. For systems that cannot be immediately updated, Cisco provides workarounds including restricting access to the web-based management interface to trusted hosts only.

  4. Testing Protocol: Before deploying updates to production systems, test them in a lab environment to identify any potential compatibility issues with existing configurations or dependent systems.

  5. Maintenance Windows: Schedule updates during approved maintenance windows with appropriate communication to stakeholders. Have rollback plans in place in case issues arise during the update process.

  6. Verification and Monitoring: After applying patches, verify that systems are functioning correctly and monitor for any anomalous activity that might indicate prior compromise or exploitation attempts.

For organizations with large, distributed deployments, consider implementing a phased update approach that addresses the highest risk systems first while maintaining overall network functionality.

Broader Implications for Network Security Posture

The active exploitation of these Cisco Catalyst SD-WAN vulnerabilities serves as a reminder of several important principles in modern network security:

Vulnerability Management Maturity: Organizations need mature vulnerability management programs that can quickly identify, assess, and remediate critical vulnerabilities. The time between vulnerability disclosure and active exploitation continues to shrink, making rapid response capabilities essential.

Supply Chain Security: Many organizations rely on third-party managed service providers for their SD-WAN implementations. It's crucial to ensure that these providers are aware of and addressing these vulnerabilities in their managed environments. Contractual agreements should include requirements for timely patching of critical vulnerabilities.

Defense in Depth: While patching is essential, it shouldn't be the only security measure. Organizations should implement additional security controls around critical management systems, including network segmentation, strict access controls, multi-factor authentication, and comprehensive logging and monitoring.

Threat Intelligence Integration: The KEV catalog represents one source of threat intelligence that organizations should incorporate into their security programs. By prioritizing vulnerabilities known to be actively exploited, security teams can focus their limited resources on the most immediate threats.

Looking Forward: The Evolving Role of CISA and Vulnerability Management

CISA's expanding use of the KEV catalog and binding directives represents a shift toward more proactive federal cybersecurity oversight. As network infrastructure continues to be targeted by sophisticated threat actors—including nation-state groups—such coordinated vulnerability management approaches will likely become more common.

For network administrators and security professionals, this incident underscores the importance of:

  • Regularly monitoring authoritative sources like the CISA KEV catalog, vendor security advisories, and industry threat intelligence feeds
  • Maintaining accurate asset inventories that include software versions and patch status
  • Developing and testing incident response plans specifically for network infrastructure compromises
  • Building relationships with vendors to ensure timely access to security updates and support during critical patching cycles

As software-defined networking continues to evolve and become more central to organizational operations, the security of these systems will remain a high priority for both defenders and attackers. The active exploitation of the Cisco Catalyst SD-WAN vulnerabilities serves as a timely reminder that even foundational network infrastructure components require vigilant security attention and prompt maintenance.

Organizations that proactively address these vulnerabilities will not only comply with CISA's directives (where applicable) but, more importantly, will strengthen their overall security posture against increasingly sophisticated network-based attacks. In today's threat landscape, where network infrastructure is both a critical asset and a prime target, such vigilance isn't just recommended—it's essential for operational resilience and security.