A fully compromised SD-WAN controller gives an attacker administrative control over every site and connection in your WAN — including the ability to reroute traffic, intercept communications between offices, and cut off branches from headquarters. Operational disruption can affect every business function that depends on WAN connectivity, including payment processing, VoIP, cloud access, and remote work. Regulatory exposure is significant for organizations subject to frameworks requiring network integrity and confidentiality controls, as a control plane compromise may require breach notification depending on what traffic traverses the affected infrastructure.
You Are Affected If
You run Cisco Catalyst SD-WAN Controller (vManage or associated controller components) in your environment
The SD-WAN controller management interface is reachable from the internet or untrusted network segments
You have not yet applied the patch or workaround from Cisco Security Advisory cisco-sa-sdwan-rpa-EHchtZk
Administrative access to SD-WAN controllers is not restricted to a dedicated out-of-band management network
You have not rotated administrative credentials or audited controller configuration since this vulnerability was disclosed
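The two conditions above that a security team can check directly are whether the controller's administrative ports are reachable from anything other than a dedicated out-of-band management network, and whether administrative credentials have been rotated since disclosure. The script below is an added example, not Cisco's tooling or anything from the advisory: it audits a list of firewall or ACL rules (in order, first match wins, so a permit shadowed by an earlier deny is not reported) and a list of controller admin accounts. The ACL and account records, the `10.250.0.0/24` out-of-band network, the choice of 22/443/830 as administrative ports, the `netadmin` role label and the disclosure date are all constructed assumptions; substitute your own exports and the advisory's actual date.

```python
"""Added example (not from the page or from Cisco): audit whether an
SD-WAN controller's admin ports are reachable from outside a dedicated
out-of-band (OOB) management network, and whether controller admin
accounts have had their passwords rotated since a disclosure date.

All inputs below are constructed sample data, not real exports."""
import ipaddress
from datetime import date

# Constructed: the only network that should reach controller admin ports.
OOB_MGMT_NET = ipaddress.ip_network("10.250.0.0/24")
# Assumed administrative ports on the controller (HTTPS UI/API, SSH, NETCONF).
ADMIN_PORTS = {22, 443, 830}
# Placeholder disclosure date; replace with the advisory's actual date.
DISCLOSURE = date(2025, 1, 1)


def _admin_ports_opened(rule):
    """Admin ports this rule matches ("port": None means any port)."""
    if rule["port"] is None:
        return set(ADMIN_PORTS)
    return {rule["port"]} & ADMIN_PORTS


def find_exposed_rules(rules, controller_ip, oob_net=OOB_MGMT_NET):
    """Return permit rules that open an admin port on the controller to a
    source not fully inside the OOB network and not shadowed by an earlier
    deny. Each rule: {"action": "permit"|"deny", "src": CIDR, "dst": CIDR,
    "port": int|None}. Rules are evaluated in order, first match wins."""
    ctl = ipaddress.ip_address(controller_ip)
    exposed, denies = [], []
    for rule in rules:
        if ctl not in ipaddress.ip_network(rule["dst"]):
            continue  # rule does not address the controller
        ports = _admin_ports_opened(rule)
        if not ports:
            continue  # not an administrative port, out of scope
        src = ipaddress.ip_network(rule["src"])
        if rule["action"] == "deny":
            denies.append((src, ports))
            continue
        if src.subnet_of(oob_net):
            continue  # reachable only from the OOB network: acceptable
        # Shadowed only if an earlier deny covers every source address and
        # every admin port this permit would otherwise open.
        shadowed = any(src.subnet_of(d_src) and ports <= d_ports
                       for d_src, d_ports in denies)
        if not shadowed:
            exposed.append(rule)
    return exposed


def stale_admin_accounts(accounts, disclosure_date):
    """Usernames of admin-role accounts whose password was last changed on
    or before disclosure_date, or with no recorded change at all."""
    stale = []
    for acct in accounts:
        if acct.get("role") != "netadmin":  # assumed admin role label
            continue
        changed = acct.get("password_changed")
        if changed is None or changed <= disclosure_date:
            stale.append(acct["user"])
    return stale


# Constructed sample ACL protecting a controller at 10.1.1.10.
SAMPLE_RULES = [
    {"action": "deny", "src": "203.0.113.0/24", "dst": "10.1.1.10/32", "port": 22},
    {"action": "permit", "src": "10.250.0.0/24", "dst": "10.1.1.10/32", "port": None},
    # Exposed: SSH is denied above, but 443/830 are still open to this range.
    {"action": "permit", "src": "203.0.113.0/24", "dst": "10.1.1.10/32", "port": None},
    # Exposed: a general user LAN, not the OOB network, reaches the UI/API.
    {"action": "permit", "src": "10.20.0.0/16", "dst": "10.1.1.10/32", "port": 443},
    # Not an admin port: ignored by this audit.
    {"action": "permit", "src": "0.0.0.0/0", "dst": "10.1.1.10/32", "port": 12346},
]

# Constructed sample account export.
SAMPLE_ACCOUNTS = [
    {"user": "admin", "role": "netadmin", "password_changed": date(2024, 6, 30)},
    {"user": "netops-jdoe", "role": "netadmin", "password_changed": date(2025, 1, 15)},
    {"user": "svc-monitor", "role": "netadmin", "password_changed": None},
    {"user": "helpdesk", "role": "operator", "password_changed": date(2023, 1, 1)},
]

if __name__ == "__main__":
    for rule in find_exposed_rules(SAMPLE_RULES, "10.1.1.10"):
        print("EXPOSED:", rule)
    print("admin accounts not rotated since disclosure:",
          stale_admin_accounts(SAMPLE_ACCOUNTS, DISCLOSURE))
```

Run against the sample data, the audit reports the two permits that reach admin ports from the internet range and the user LAN, and flags the `admin` and `svc-monitor` accounts as not rotated. A rule set that only permits the OOB network, or whose broad permits are fully shadowed by earlier denies, returns nothing.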
Board Talking Points
Attackers can take full remote control of our wide-area network infrastructure without needing a password — Cisco has confirmed active exploitation is occurring now.
Our security team is following the CISA Emergency Directive: we are restricting access to affected systems and applying the vendor patch within the required timeframe.
Organizations that do not act immediately risk attackers rerouting or intercepting all network traffic between offices and data centers, with potential for extended outage or data loss.
Regulatory Exposure
NERC CIP — SD-WAN controllers managing connectivity for bulk electric system environments fall under CIP-005 and CIP-007 electronic security perimeter and systems security management requirements
PCI-DSS — if SD-WAN infrastructure carries cardholder data between in-scope network segments, a control plane compromise may constitute a reportable security incident under Requirement 12.10
HIPAA — if SD-WAN infrastructure routes ePHI between covered entity or business associate sites, control plane compromise may trigger breach notification assessment under 45 CFR 164.400