US Agencies Face CISA Deadline Over Critical Cisco SD-WAN Flaw


US government departments are facing a major deadline in a high-stakes effort to reclaim their networks from intruders who have been hiding in the system for years. This intensive cleanup follows the discovery of a critical backdoor in Cisco networking equipment that has left sensitive federal data vulnerable since 2023.

The Cybersecurity and Infrastructure Security Agency (CISA) first sounded the alarm on 25 February 2026, with an initial emergency directive, after investigators from CISA and Cisco’s Talos intelligence team found that a group of hackers, currently called UAT-8616, had been exploiting a flaw in Cisco Catalyst SD-WAN systems, the digital switchboards that manage internet traffic for the US government.

At the time, CISA determined that these vulnerabilities posed an “unacceptable risk” to Federal Civilian Executive Branch (FCEB) agencies and required immediate action.

A ‘Perfect 10’ Risk

The problem lies with a flaw, CVE-2026-20127, which carries the maximum CVSS score of 10. CISA noted that this “critical authentication bypass flaw” is particularly dangerous because it allows an attacker to gain administrative access to a network without ever needing a password.

Further investigation revealed that the hackers used a clever trick to stay hidden. Once they got inside, they would downgrade the system’s software to an older, buggier version. This effectively broke the locks from the inside to make sure they could not be kicked out easily.
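The persistence trick described above leaves one simple trace: a controller whose reported software version ever moves backwards. The following is an added example, not code from the article, from Cisco or from CISA. It walks a version inventory ordered by time and flags any host whose version drops between two observations; the hostnames, version strings and timestamps are constructed sample data, and the dotted-integer version format is an assumption rather than any specific Cisco release scheme.

```python
"""Flag software-version downgrades in a device version history.

Added example, not from the article or from Cisco/CISA. The inventory
records below are constructed sample data; the hostnames, version strings
and timestamps are hypothetical. A version history that ever moves backwards
is a signal worth an investigation, since the article describes intruders
rolling a controller back to an older release to stay in.
"""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed sample: (hostname, observed_at ISO timestamp, reported version).
# The version strings are placeholders, not specific Cisco release numbers.
SAMPLE_INVENTORY = [
    ("sdwan-ctl-01", "2026-01-05T08:00:00", "20.12.4"),
    ("sdwan-ctl-01", "2026-02-10T08:00:00", "20.12.5"),
    ("sdwan-ctl-01", "2026-02-20T03:14:00", "20.9.3"),   # rollback: suspicious
    ("sdwan-ctl-01", "2026-02-28T08:00:00", "20.12.5.1"),
    ("sdwan-ctl-02", "2026-01-05T08:00:00", "20.12.4"),
    ("sdwan-ctl-02", "2026-02-28T08:00:00", "20.12.5.1"),
]

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted numeric version string into a comparable tuple.

    Raises ValueError for anything that is not purely dotted integers, so a
    malformed inventory field is surfaced instead of silently sorting wrong.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Downgrade:
    host: str
    when: datetime
    from_version: str
    to_version: str


def find_downgrades(records) -> list[Downgrade]:
    """Return every observation where a host reports an older version than it
    reported at the previous observation.

    Records may arrive unsorted; they are ordered per host by timestamp before
    adjacent observations are compared.
    """
    by_host: dict[str, list[tuple[datetime, str]]] = {}
    for host, ts, version in records:
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), version))

    findings: list[Downgrade] = []
    for host, history in by_host.items():
        history.sort()
        for (_, prev), (when, cur) in zip(history, history[1:]):
            if parse_version(cur) < parse_version(prev):
                findings.append(Downgrade(host, when, prev, cur))
    return findings


if __name__ == "__main__":
    for d in find_downgrades(SAMPLE_INVENTORY):
        print(f"{d.host}: {d.from_version} -> {d.to_version} at {d.when.isoformat()}")
```

On the constructed sample this reports a single finding, the rollback on sdwan-ctl-01. A downgrade is not proof of compromise on its own: operators do roll back releases deliberately, so each finding should be matched against change records, and an unexplained one is the point at which to pull the artifacts the directive asks for.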

“A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric,” Cisco’s advisory noted.

The flaw affects the following products:

  • On-Prem Deployment
  • Cisco Hosted SD-WAN Cloud
  • Cisco Hosted SD-WAN Cloud – Cisco Managed
  • Cisco Hosted SD-WAN Cloud – FedRAMP Environment

The Race to Fix the Damage

While the first round of emergency software updates ended on 27 February, the work is far from finished. CISA released a second directive on 11 March, under which agencies must now report on the hardening steps they have taken, which essentially means making their networks much tougher to break into. This includes moving sensitive controls behind extra firewalls and replacing digital keys that the intruders might have stolen.

It is worth noting that if investigators find that a root account (the most powerful type of access) was touched, the agency cannot simply change a password; it is required to wipe the entire system and rebuild it from scratch. This is to make sure no “forensic artifacts” or hidden hacker tools are left behind, the directive reads.

Long-Term Cleanup

The cleanup will continue through the spring. By 23 March, all agencies must send their internal traffic logs to CISA’s central monitoring system. This allows experts to watch for any remaining signs of the hackers across the entire federal government.

A final report on whether the networks are finally safe is due to be handed to the Secretary of Homeland Security on 1 May 2026. For now, the hunt for the remaining intruders is the top priority for federal IT teams.

Expert’s Comments:

Bobby Kuzma, Director of Offensive Operations at ProCircular, commented on this, stating: “CISA has clear reason to believe that these vulnerabilities have been, and likely continue to be, exploited by threat actors to compromise government systems and networks. The requests for artifact collection and submission make it clear they’re working to identify the scope of the threat.”

“While contractors and civilian organizations are not required or requested to follow similar collection steps, if you have Cisco SD-WAN appliances in your environment, this is a good time to collect artifacts and review patch statuses and logs,” he advised.
