Cisco says hackers have been exploiting a critical bug to break into big customer networks since 2023
Source: TechCrunch
Published: 8:03 AM PST · February 26, 2026
Cisco says hackers have been exploiting a bug in one of its popular networking products used by large enterprises for at least three years, prompting the U.S. government and its allies to urge organizations to take action.
The bug, which carries the maximum CVSS severity score of 10.0 (Cisco Security Advisory), allows attackers to remotely break into networks running Cisco's Catalyst SD-WAN products. These products let large companies and government agencies with multiple offices connect their private networks over long distances.
By exploiting this bug over the internet, an attacker can obtain the highest level of privileges on the affected devices and maintain persistent, hidden access inside a victim's network, enabling long-term espionage or data theft.
Cisco’s researchers traced evidence of exploitation back to 2023 (Talos blog post). Some of the affected organizations are described as “critical infrastructure,” which can include power grids, water supply, and transportation sectors.
Government Response
Several governments, including Australia, Canada, New Zealand, the United Kingdom, and the United States, issued a joint alert warning that threat actors are targeting organizations globally (alert PDF).
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered all civilian federal agencies to patch their systems by the end of the day on Friday, citing an imminent threat and unacceptable risk to the federal government (CISA directive). CISA noted it is operating at reduced capacity due to a partial government shutdown (TechCrunch article) but is aware of ongoing exploitation.
Neither Cisco nor the governments attributed the attacks to a specific threat group or nation-state, though Cisco Talos tracks one cluster of the activity as UAT-8616.
Related Vulnerabilities
In December, Cisco warned of another 10.0-rated vulnerability in AsyncOS, the operating system that runs its email and web security appliances, which was also being actively exploited to break into customer networks (TechCrunch report).