Cisco SD-WAN Bug: Critical 10.0 Flaw Exploited Since 2023 – Ankor Tech
Hackers have been actively exploiting a critical vulnerability in Cisco’s Catalyst SD-WAN software since at least 2023, triggering an urgent global security alert. The flaw, which carries a maximum-rated severity score of 10.0, grants unauthorized remote access to enterprise networks used by major corporations and government agencies.

Deep Network Access and Persistent Threats

The vulnerability targets Catalyst SD-WAN products, which are essential for connecting private networks across geographically dispersed offices. By leveraging this exploit over the internet, attackers can secure the highest level of administrative privileges. This level of access allows threat actors to maintain persistent, hidden entry points, facilitating long-term data theft and espionage.

Cisco researchers confirmed the severity of the breach after identifying evidence of exploitation dating back to 2023. While the company has not disclosed specific targets, it confirmed that the affected organizations include critical infrastructure entities, ranging from power and water utilities to transportation sectors.

Global Government Response

The threat has prompted a coordinated response from an international coalition of government agencies. Officials from the United States, United Kingdom, Australia, Canada, and New Zealand issued a joint security alert, warning that threat actors are conducting these operations on a global scale.

In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding directive requiring all civilian federal agencies to patch their systems immediately. CISA cited an imminent threat and deemed the risk to government infrastructure unacceptable, despite limited agency capacity due to the current partial government shutdown.

Attribution and Incident Context

Security researchers and government agencies are currently tracking the malicious activity under the designation UAT-8616. To date, no specific nation-state or threat group has been officially identified as the perpetrator behind these attacks.

This incident follows a similar high-severity warning issued by Cisco in December, which involved a 10.0-rated vulnerability in the Async software powering a wide range of its networking products. Organizations using Cisco infrastructure are urged to verify their patch status immediately to mitigate the risk of ongoing exploitation.