
Emergency Directive ED 26-03

CISA's 14 May 2026 emergency directive requiring federal agencies to patch Cisco SD-WAN CVE-2026-20182 within three days.

Last refreshed: 20 May 2026

Key Question

How many more Cisco SD-WAN vulnerabilities will UAT-8616 exploit before the architecture is retired?

Common Questions
What is CISA Emergency Directive ED 26-03?
ED 26-03 is the CISA directive issued 14 May 2026 requiring US federal agencies to mitigate Cisco SD-WAN CVE-2026-20182 within three days. The CVSS 10.0 vulnerability was being actively exploited by UAT-8616, a group with infrastructure links to China-nexus Flax Typhoon. Source: CISA
Who was exploiting the Cisco SD-WAN vulnerability that triggered ED 26-03?
UAT-8616, a threat actor whose operational relay box infrastructure overlaps with Flax Typhoon and Integrity Technology Group networks named in the sixteen-agency joint advisory of 23 April 2026. Source: CISA / Cisco Talos
How long do federal agencies have to fix a vulnerability under a CISA Emergency Directive?
Emergency Directives compress the standard fourteen-day KEV window. ED 26-03 set a three-day deadline, the shortest window recorded for a 2026 CISA action, reflecting active exploitation of a CVSS 10.0 vulnerability. Source: CISA

Background

Emergency Directive ED 26-03 is the CISA emergency directive issued on 14 May 2026 in response to active exploitation of Cisco SD-WAN CVE-2026-20182 (CVSS 10.0) by threat actor UAT-8616. Emergency Directives are issued under the authority of CISA's parent legislation and sit above Binding Operational Directive 22-01 in urgency, compressing the standard KEV remediation window from fourteen days to three days, with a federal deadline of 17 May 2026. The directive required all US federal civilian executive branch agencies to either apply available mitigations or isolate affected Cisco Catalyst SD-WAN Manager and Controller deployments.

ED 26-03 addresses the sixth Cisco SD-WAN CVE requiring urgent federal action in 2026. The vulnerability in question, an authentication bypass in the vdaemon service over DTLS port 12346, received the maximum CVSS 10.0 score. UAT-8616's post-compromise activity on confirmed victims included SSH key injection, NETCONF configuration manipulation, account creation, and log clearing, tradecraft consistent with establishing durable network-edge persistence. The directive's three-day window reflects CISA's assessment that UAT-8616 was actively exploiting federal civilian networks at the time of issuance.

The directive was issued the same week that UNC6780 was named as the operator behind the theft of Cisco AI Defense source code, placing two distinct adversary campaigns against the same vendor's portfolio inside a single reporting window. The juxtaposition raised the question, which Cisco has not publicly answered, of whether UNC6780's source-code visibility accelerates the next SD-WAN exploit cycle beyond the six CVEs already catalogued in 2026.
