Hackers are exploiting exposed Cisco products, Five Eyes intelligence agencies say

A Cisco threat intelligence report calls the cyberintruders “highly sophisticated” but stops short of naming any affiliation with a foreign nation.
The Cybersecurity and Infrastructure Security Agency and its overseas intelligence partners said a “significant cyber threat” is exploiting vulnerabilities in Cisco wide-area networking equipment and urged organizations to search for signs that they’ve been compromised. Federal networks are also exposed.
CISA, the NSA and Five Eyes partners — which include cyber agencies in the UK, New Zealand, Canada and Australia — issued the alert Wednesday and said two cyber vulnerabilities — denoted CVE-2026-20127 and CVE-2022-20775 — were discovered on exposed devices.
A concurrent report produced by Cisco’s cyber threat intelligence unit dubbed the hacking group UAT-8616, assessing it as a “highly sophisticated cyber threat actor.” Neither Cisco nor the cyberintelligence agencies named a particular nation-state affiliation for the hackers.
After confirming that hackers were actively exploiting the previously unknown vulnerability, Cisco researchers said they reviewed historical data and found evidence the malicious activity dated back to at least 2023.
In written remarks, CISA said the conditions pose “an unacceptable risk to federal agencies and necessitate emergency action.” The UK National Cyber Security Centre echoed that assessment and said “malicious cyber threat actors are targeting Cisco Catalyst Software Defined Wide Area Networks (SD-WAN) used by organisations globally.”
A critical advisory issued by Cisco said one of the vulnerabilities can let hackers “gain root privileges on the underlying operating system,” giving them full control of the affected device. A technical hunt guide was also released jointly with the involved governments.
The advisory adds to a growing list of security alerts tied to Cisco systems, which are commonly deployed in enterprise and government networks. Such devices often manage internet traffic and user authentication, which, if exploited, can provide attackers with elevated access that allows them to potentially intercept sensitive data or disrupt network operations.
A Chinese hacking group notably used Cisco devices to help launch brazen intrusions into U.S. telecommunications systems in a campaign that, according to the FBI, has been in motion since at least 2019.
Nick Andersen, CISA’s executive assistant director for cybersecurity, said the agency isn’t attributing the activity to a specific group, and that attribution is considered on a “case-by-case basis.”
What’s certain, he said, is that the involved hackers are trying to compromise federal computer networks. Wide-area network devices have grown in popularity in recent years in both government and private sector IT environments, Andersen said.
He added that the agency is in the “beginning stages of mitigation,” but did not detail the scale or scope of specific federal networks impacted.
The Department of Homeland Security, which houses CISA, is facing an ongoing shutdown amid a recent budget lapse. Asked about this, Andersen said CISA continues “to sustain essential functions” and provide guidance to stakeholders.
CISA and partners urged organizations to immediately identify affected Cisco systems, preserve relevant logs and system data, apply available patches and check their networks for signs of compromise.
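As an added illustration of the four actions just listed (identify affected systems, preserve logs, patch, check for compromise), the Python below triages a device inventory and builds an evidence manifest. It is not Cisco's, CISA's or NCSC's tooling, and every hostname, version, log line and fixed-version threshold in it is a constructed placeholder; the real first-fixed releases come from Cisco's advisory, not from this script.

```python
"""
Triage helper for the actions the advisory asks for: identify affected Cisco
SD-WAN devices, preserve log evidence before touching the box, and order
patching by exposure. Added illustration, not Cisco's, CISA's or NCSC's tooling.
Every inventory record, log line and fixed-version threshold below is a
CONSTRUCTED placeholder; substitute the values from Cisco's own advisory.
"""
import hashlib
import re
from dataclasses import dataclass

# CVE identifiers as named in the alert; used only to tag the report.
ADVISORY_CVES = ("CVE-2026-20127", "CVE-2022-20775")

# HYPOTHETICAL first-fixed release per product family (placeholders, not the
# real fixed versions). Anything older than these is flagged for patching.
FIXED_VERSIONS = {
    "sdwan-manager": "20.12.0",
    "sdwan-controller": "20.12.5",
}


@dataclass(frozen=True)
class Device:
    hostname: str
    product: str
    version: str
    internet_exposed: bool


def parse_version(version):
    """'20.9.5.1' -> (20, 9, 5, 1). Numeric tuples order correctly; plain string
    comparison would wrongly rank '20.9' above '20.12'."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def needs_patch(device, fixed=FIXED_VERSIONS):
    """True when the device's product is in the threshold table and its
    release predates the first fixed release."""
    fixed_release = fixed.get(device.product)
    if fixed_release is None:
        return False  # product family not covered by the threshold table
    return parse_version(device.version) < parse_version(fixed_release)


def triage(devices, fixed=FIXED_VERSIONS):
    """Devices still needing the patch, internet-exposed ones first, then by
    hostname so the order is stable between runs."""
    affected = [d for d in devices if needs_patch(d, fixed)]
    return sorted(affected, key=lambda d: (not d.internet_exposed, d.hostname))


def preserve_logs(log_blobs):
    """SHA-256 each collected artifact ({name: bytes}) so its integrity can be
    shown later; do this before patching or rebooting, which may rotate logs."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in sorted(log_blobs.items())}


def build_report(devices, log_blobs, fixed=FIXED_VERSIONS):
    """Single structure combining the patch queue and the evidence manifest."""
    return {
        "cves": list(ADVISORY_CVES),
        "patch_queue": [d.hostname for d in triage(devices, fixed)],
        "evidence_manifest": preserve_logs(log_blobs),
    }


# Constructed sample inventory; hostnames and versions are invented.
SAMPLE_INVENTORY = [
    Device("vmanage-dc1", "sdwan-manager", "20.9.3", internet_exposed=True),
    Device("vsmart-dc1", "sdwan-controller", "20.12.4", internet_exposed=False),
    Device("vmanage-lab", "sdwan-manager", "20.12.0", internet_exposed=False),
    Device("edge-branch7", "sdwan-edge", "17.9.4", internet_exposed=True),
]

# Constructed sample artifacts standing in for files copied off a device.
SAMPLE_LOGS = {
    "vmanage-dc1/auth.log": b"Feb 25 10:00:01 vmanage-dc1 sshd[101]: Accepted publickey for admin\n",
    "vmanage-dc1/shell-history.txt": b"show control connections\n",
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_report(SAMPLE_INVENTORY, SAMPLE_LOGS), indent=2))
```

The evidence manifest is computed before any patch queue is acted on, because a reboot or upgrade can rotate or truncate the very logs an incident responder needs; the hash lets the copied artifacts be shown unchanged later. Products absent from the threshold table are reported as not needing the patch rather than guessed at, so an unknown product family is a gap to fill in the table, not a silent pass.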