Cisco has revealed that hackers have been exploiting a vulnerability in one of its popular networking products for at least three years. This has prompted urgent warnings from the United States government and its allies, who are urging organizations to take immediate action.
The bug, which carries the maximum vulnerability severity score of 10.0, affects Cisco’s Catalyst SD-WAN products. These systems are used by large enterprises and government agencies to connect private networks across multiple offices over long distances. By exploiting this flaw over the internet, attackers can gain the highest level of permissions on these devices. This allows them to maintain persistent, hidden access within a victim’s network to spy or steal data over extended periods.
After discovering the bug, Cisco researchers traced evidence of its exploitation back to 2023. Some of the affected organizations are described as critical infrastructure. While Cisco did not provide specific details, critical infrastructure broadly includes essential sectors like power grids, water supply, and transportation.
Governments from Australia, Canada, New Zealand, the United Kingdom, and the United States jointly warned that threat actors are targeting organizations globally. The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, ordered all civilian federal agencies to patch their systems by the end of the day on Friday, citing an imminent threat and unacceptable risk. CISA, which noted it is currently operating at reduced capacity due to a partial government shutdown, confirmed it is aware of ongoing exploitation activity.
Neither Cisco nor the governments attributed the attacks to a specific threat group or nation-state, though one cluster of activity is tracked as UAT-8616. This warning follows a similar alert from Cisco in December regarding another maximum-severity vulnerability that was being actively used to hack into customer networks.

