A critical security flaw hiding inside one of Cisco’s most widely deployed enterprise networking products has been actively exploited by hackers for at least three years — and the damage may run far deeper than anyone currently knows. The vulnerability, carrying a maximum severity score of 10.0, affects Cisco’s Catalyst SD-WAN products, the backbone infrastructure that large corporations and government agencies rely on to connect offices and private networks across long distances.
The implications are severe. By exploiting the flaw remotely over the internet, attackers can gain the highest level of system permissions on affected devices, allowing them to burrow deep into a target’s network and maintain a persistent, hidden presence — sometimes for years — without triggering any alarms. That kind of invisible access opens the door to prolonged espionage, quiet data theft and infrastructure manipulation on a massive scale.
How Long Has This Been Going On
After identifying the vulnerability, Cisco’s own researchers traced active exploitation as far back as 2023 — meaning attackers may have had undetected access to affected networks for over three years before the flaw was publicly disclosed. Among the confirmed victims are organizations classified as critical infrastructure, a broad designation that can cover everything from power grids and water systems to transportation networks and financial institutions.
The company has not named specific targets, but the profile of affected organizations makes the breach window particularly alarming. Three years of silent access inside critical infrastructure is not just a cybersecurity problem — it is a national security concern.
Governments Around the World Are Responding
The response from global authorities has been swift and unusually coordinated. Australia, Canada, New Zealand, the United Kingdom and the United States jointly issued a warning that threat actors are actively targeting organizations on a global scale. The alert represents a rare unified front from the Five Eyes intelligence alliance, signaling that the threat is considered both widespread and serious.
In the United States, the Cybersecurity and Infrastructure Security Agency issued an emergency directive ordering all civilian federal agencies to patch their systems by end of day Friday — tomorrow. CISA described the situation as an imminent threat posing unacceptable risk to the federal government and confirmed it is aware of ongoing exploitation happening right now.
What makes the directive even more striking is the context surrounding it. CISA is currently operating at reduced capacity due to a partial government shutdown, and it is still treating this vulnerability as urgent enough to issue an emergency order with a next-day deadline.
Who Is Behind the Attacks
Neither Cisco, Google, nor any of the governments involved has publicly attributed the attacks to a specific threat group or nation state. However, investigators have tracked one cluster of related activity under the designation UAT-8616. The lack of attribution does not diminish the severity — if anything, it signals that whoever is responsible has been skilled enough to avoid leaving a clear fingerprint across three or more years of active intrusion.
This Is Not Cisco’s First 10.0 Vulnerability This Year
The timing adds an uncomfortable layer to an already serious situation. Just last December, Cisco disclosed a separate maximum-severity vulnerability — also rated 10.0 — in the Async software that powers the majority of its product lineup. That flaw was also being actively used to compromise customer networks at the time of disclosure.
Two perfect-10 vulnerabilities within months of each other in widely deployed enterprise infrastructure raise uncomfortable questions about the security architecture of products that sit at the core of some of the world’s most sensitive networks. For IT and security teams managing Cisco environments, the message from governments and the company itself could not be clearer — patch now, not later.
Source: TechCrunch