Critical Cisco zero-day vulnerabilities affecting SD-WAN and Firewall Management Center systems are actively targeted in global attacks, prompting urgent patching and security guidance from CISA and international cybersecurity partners.

Three separate clusters of Cisco vulnerabilities are under simultaneous attack against U.S. federal agencies and global enterprises as of March 13, 2026. A CVSS 10.0 SD-WAN authentication bypass, exploited as a zero-day since 2023, has given attackers persistent footholds inside government networks. A CVSS 9.8 netadmin API bypass in SD-WAN Manager is being targeted in the wild. And two CVSS 10.0 flaws in Cisco Secure Firewall Management Center, with no workarounds available, are currently the top targets of automated vulnerability scanners worldwide.



1. CISA EMERGENCY DIRECTIVE 26-03: WHAT IT ORDERS


On February 25, 2026, the U.S. Cybersecurity and Infrastructure Security Agency issued Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems. The directive invokes Section 3553(h) of Title 44, U.S. Code, which grants CISA authority to mandate emergency action when a threat poses an unacceptable risk to federal civilian infrastructure.


ED 26-03 applies to all Federal Civilian Executive Branch agencies, including IT environments operated directly by agencies and those hosted by third-party providers on their behalf. It covers both Cisco Catalyst SD-WAN Manager (formerly vManage) and Cisco Catalyst SD-WAN Controller (formerly vSmart), regardless of configuration.


CISA simultaneously released a Supplemental Direction with prescriptive forensic steps for determining whether systems have already been compromised. The agency's Cloud Log Aggregation Warehouse (CLAW) program was mobilized to centralize syslog data from all affected SD-WAN devices across the federal government.


The Five Required Actions


Action 1 — Inventory: Identify all in-scope Cisco Catalyst SD-WAN systems and submit inventory to CISA. Deadline: February 26, 2026, 11:59 PM ET.


Action 2 — Collect Artifacts: Gather administrative core dumps including /opt and /var directories, a copy of /home, externally stored syslogs, and forensic snapshots of virtual disk and memory for on-premises deployments.


Action 3 — Patch: Apply all Cisco-provided updates for CVE-2026-20127 and CVE-2022-20775. Deadline: February 27, 2026, 5:00 PM ET. Forward all syslog data to CISA's CLAW program by March 23, 2026.


Action 4 — Hunt: Conduct threat hunting per the CISA Supplemental Direction. If root-level compromise is found, immediately deploy rebuilt vManage, vSmart, and vBond instances from patched OVA or qcow2 images.


Action 5 — Harden: Implement all measures in Cisco's SD-WAN Hardening Guide. Submit hardening report to CISA by March 12, 2026, 11:59 PM ET.


International partners including the NSA, Australia's ASD/ACSC, Canada's Cyber Centre, New Zealand's NCSC-NZ, and the UK's NCSC co-authored the accompanying threat hunting guidance, reflecting the global reach of the threat campaign.



2. CVE-2026-20127 — THE CVSS 10.0 SD-WAN ZERO-DAY (ACTIVELY EXPLOITED SINCE 2023)


CVE-2026-20127

CVSS v3.1 Score: 10.0 — Critical

Authentication bypass allowing unauthenticated remote admin access to SD-WAN Controller and Manager via a broken peering mechanism.


CVE-2022-20775

CVSS v3.1 Score: 7.8 — High (the chained privilege-escalation step)

Path traversal that lets an already-authenticated local user execute commands as root. Used as the privilege-escalation step after initial access via CVE-2026-20127, on devices running a release that is still vulnerable to it.


Vulnerability Details


CVE-2026-20127 is classified under CWE-287 (Improper Authentication) and affects the peering authentication mechanism in both the Cisco Catalyst SD-WAN Controller and SD-WAN Manager. Its base vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: network-reachable, low complexity, no privileges, no user interaction, full impact on confidentiality, integrity and availability, and Scope: Changed because a compromised controller affects every device it manages. (The same metrics with Scope: Unchanged would score 9.8, not 10.0.) The root cause is a failure in how the system validates peering requests: the authentication check can be bypassed with a specially crafted packet, allowing an unauthenticated remote attacker to obtain an internal high-privileged, non-root user account.


With this account, an attacker gains access to NETCONF — the network configuration protocol running on TCP port 830 — and can manipulate the SD-WAN fabric configuration across the entire organization. This gives an attacker the ability to reconfigure routing, traffic policies, and security controls across all connected network edges, not just a single device.


Exploitation of this vulnerability has been confirmed to date back to 2023, so the flaw was a zero-day in active use for roughly two years before disclosure. The Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) was credited with discovering and reporting it.


Exploitation in the Wild


Cisco Talos tracks the threat cluster exploiting CVE-2026-20127 as UAT-8616, assessed with high confidence to be a sophisticated actor. The exploitation campaign predates public disclosure by at least two years. By March 4, 2026, watchTowr's exposure-management telemetry had recorded exploitation attempts from many distinct source IP addresses worldwide, with the largest single-day spike on March 4 itself. U.S.-based targets saw slightly higher attack volume than other regions.


Affected Products


Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) — Affected: releases prior to 20.91 — Fix: migrate to a fixed release listed in the Cisco advisory.

Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) — Affected: releases prior to 20.91 — Fix: migrate to a fixed release listed in the Cisco advisory.


Cisco has specifically warned that SD-WAN Controller systems exposed to the internet with NETCONF (TCP/830) accessible are at the highest risk. The combination of the authentication bypass (CVE-2026-20127) chained with the privilege escalation path (CVE-2022-20775) creates a remote-to-root attack pathway with no workarounds. Upgrading to a patched release is the only complete remediation.



3. CVE-2026-20129 — NEW ACTIVE EXPLOITATION: NETADMIN API BYPASS (CVSS 9.8)


CVE-2026-20129

CVSS v3.1 Score: 9.8 — Critical

API authentication bypass granting an unauthenticated remote attacker full netadmin role privileges on Cisco Catalyst SD-WAN Manager.


CVE-2026-20128

CVSS v3.1 Score: 7.5 — High (actively exploited)

DCA credential file exposure allowing an authenticated local attacker to gain DCA user privileges. Confirmed as actively exploited in March 2026.


What Netadmin Access Means


CVE-2026-20129 is a separate authentication bypass from CVE-2026-20127, rooted in a different code path. Where CVE-2026-20127 exploits the peering authentication mechanism, CVE-2026-20129 (CWE-287) targets the API user authentication layer of Cisco Catalyst SD-WAN Manager. The flaw stems from improper validation of requests sent to the API: an attacker can send a specially crafted HTTP request and receive access with netadmin role privileges.


The netadmin role is the highest-tier functional administrator in the SD-WAN ecosystem. With these privileges, an attacker can configure network policies, manage devices, modify security controls, access sensitive configuration data, control traffic routing across the entire SD-WAN fabric, and stage further attacks against connected infrastructure. This is full operational control over the network management plane.


Active Exploitation — March 2026


In March 2026, the Cisco Product Security Incident Response Team confirmed active exploitation of two other SD-WAN Manager flaws, CVE-2026-20128 and CVE-2026-20122, and reported observed attempts to exploit CVE-2026-20129 as part of the same multi-vector campaign. No public proof-of-concept exploit was available as of this writing, but a network-reachable bypass that needs neither credentials nor user interaction (the basis of the 9.8 score) is exactly the profile that attracts independent exploit development, so it should be patched with the same urgency as a confirmed-exploited flaw.


Technical Root Cause


The vulnerability stems from improper authentication logic for API requests. The SD-WAN Manager fails to correctly validate incoming requests, allowing a crafted request to circumvent authentication entirely. Unlike CVE-2026-20127, which targets the control-plane peering system, CVE-2026-20129 is an API-layer flaw targeting a different attack surface and requiring independent remediation. Cisco has confirmed that SD-WAN Manager releases 20.18 and later are not affected. No workarounds exist for earlier releases.



4. CVE-2026-20079 AND CVE-2026-20131 — DUAL CVSS 10.0 FLAWS IN CISCO SECURE FMC


CVE-2026-20079

CVSS v3.1 Score: 10.0 — Maximum Severity

Authentication bypass (CWE-288) via an improperly initialized boot-time process. Unauthenticated remote code execution with root privileges via crafted HTTP requests. Scope: Changed.


CVE-2026-20131

CVSS v3.1 Score: 10.0 — Maximum Severity

Insecure Java deserialization (CWE-502) in FMC and SCC Firewall Management. Unauthenticated remote code execution with root privileges via a crafted serialized Java object. Scope: Changed.


Background


On March 4, 2026, Cisco released a bundled security advisory covering 48 vulnerabilities across its Secure Firewall product line, including the Adaptive Security Appliance, Secure Firewall Management Center, and Secure Firewall Threat Defense. CVE-2026-20079 and CVE-2026-20131 are the most severe: both score 10.0 on the CVSS scale and both target the Cisco Secure Firewall Management Center, which is the centralized management console controlling every firewall in an organization's security fabric.


The FMC controls intrusion prevention settings, security policy enforcement, logging behavior, and firewall rules across every managed Firewall Threat Defense device in the organization. Compromising the FMC affects the entire network security posture simultaneously.


CVE-2026-20079: Authentication Bypass via Boot-Time Process Flaw (CWE-288)


The root cause is an improperly initialized system process created during the FMC's boot sequence. This flaw creates a window in which arbitrary scripts can execute before the web interface has established its authentication requirements. An attacker who sends a specially crafted HTTP request to the FMC management interface can trigger this boot-time process and execute commands with root privileges without supplying any credentials.


The CVSS vector includes Scope: Changed, meaning exploitation of the FMC can compromise other components under its management, including all downstream Firewall Threat Defense devices. This is why the score reaches 10.0.


CVE-2026-20079 affects on-premises Cisco Secure Firewall Management Center software only. Cloud-Delivered FMC (cdFMC) is not affected.


CVE-2026-20131: Insecure Java Deserialization Leading to Remote Code Execution (CWE-502)


CVE-2026-20131 exploits insecure deserialization of user-supplied Java byte streams. The FMC management interface accepts a serialized Java object and deserializes it without adequately validating the object graph it contains. By crafting a malicious serialized object that carries a gadget chain, an unauthenticated attacker can execute arbitrary code in the context of the FMC service, which runs as root.


This vulnerability also affects Cisco Security Cloud Control (SCC) Firewall Management. Since SCC is a managed SaaS offering, Cisco has already applied the patch. No customer action is required for the SCC-hosted component. Organizations running on-premises FMC must patch immediately.


Current Scanner Activity


As of March 13, 2026, both CVE-2026-20079 and CVE-2026-20131 are the top targets for automated vulnerability scanning tools globally. While the Cisco PSIRT had not confirmed active exploitation in the wild as of the March 4 advisory, the combination of maximum CVSS scores, well-understood vulnerability classes, no available workarounds, and the strategic value of the FMC means active exploitation is assessed as highly likely in the near term.


Affected Products and Fixed Versions


CVE-2026-20079: On-premises FMC Software. Attack vector: Network (HTTP). Authentication required: None. Impact: Root RCE, Scope Changed. Fixed versions: 7.4.6, 7.6.5, 10.0.1 and later.


CVE-2026-20131: FMC and SCC Firewall Management. Attack vector: Network (HTTP). Authentication required: None. Impact: Root RCE, Scope Changed. Fixed versions: 7.4.6, 7.6.5, 10.0.1 and later.



5. THREAT ACTOR PROFILE: UAT-8616


Cisco Talos tracks the primary exploitation cluster as UAT-8616, an unattributed threat actor assessed with high confidence as highly sophisticated. What distinguishes UAT-8616 from opportunistic attackers is a deliberate strategy of avoiding traditional malware, relying instead on living-off-the-land techniques that blend attacker activity into legitimate network management traffic.


Rogue Peer Insertion: After gaining initial access via CVE-2026-20127, UAT-8616 injects a rogue, attacker-controlled device into the SD-WAN management and control planes, where it appears as a legitimate SD-WAN network component. This rogue peer can execute trusted actions within both planes.


Software Downgrade-and-Exploit Cycle: To reach root, UAT-8616 deliberately downgrades the compromised controller's software to a release that is still vulnerable to CVE-2022-20775, exploits it, and then upgrades back to the original release so that version-based post-incident checks show nothing amiss. The downgrade and reversion events themselves are the artifact to hunt for (see the indicators below).


Lateral Movement: International partners observed UAT-8616 moving laterally using NETCONF (TCP/830) and SSH, creating rogue local accounts, adding root SSH keys, and staging further network infiltration.


Anti-Forensics: The actor consistently destroys forensic evidence by purging /var/log/auth.log, clearing shell command histories, and removing indicators that would otherwise surface in SIEM queries.


MITRE ATT&CK Mapping


Initial Access: Exploit Public-Facing Application [T1190] via CVE-2026-20127 against an exposed Controller or Manager; External Remote Services [T1133] for the follow-on NETCONF and SSH access

Persistence: Create Account: Local Account [T1136.001], Account Manipulation: SSH Authorized Keys [T1098.004]

Lateral Movement: Remote Services: SSH [T1021.004]; NETCONF sessions map to the parent technique Remote Services [T1021]

Defense Evasion: Indicator Removal: Clear Linux or Mac System Logs [T1070.002], Clear Command History [T1070.003]

Privilege Escalation: Exploitation for Privilege Escalation [T1068]



6. THE FULL ATTACK CHAIN


Organizations running both SD-WAN and Secure FMC face a compounded risk. Compromising the SD-WAN management plane gives an attacker structural visibility into network segmentation, enabling more precise follow-on attacks against the FMC.


SD-WAN Attack Chain (CVE-2026-20127 to CVE-2022-20775)


Phase 1 — Initial Access: Send a crafted peering request to the exposed SD-WAN Controller or Manager. The CVE-2026-20127 authentication bypass yields a high-privileged, non-root internal account. Use that account to reach NETCONF on TCP/830 and manipulate the SD-WAN fabric configuration.


Phase 2 — Persistence: Insert a rogue peer device into the management and control plane. Create local accounts and add root SSH keys.


Phase 3 — Privilege Escalation: Downgrade the device's software to a release vulnerable to CVE-2022-20775, exploit the path traversal to execute arbitrary commands as root, then revert the software to the original release to hide the downgrade.


Phase 4 — Lateral Movement and Evasion: Move to other network segments via NETCONF and SSH. Purge auth.log, shell history, and forensic artifacts.


FMC Attack Chain (CVE-2026-20079 and CVE-2026-20131)


Attack Path A — Authentication Bypass: Send a crafted HTTP request to the FMC web management interface. CVE-2026-20079 boot-time process flaw enables root-level script execution. Attacker gains full root OS control and can modify all managed firewall policies.


Attack Path B — Insecure Deserialization: Send a crafted serialized Java object to the FMC management interface. CVE-2026-20131 Java deserialization triggers arbitrary code execution as root. Scope Changed: compromise propagates to all managed FTD devices.



7. INDICATORS OF COMPROMISE


SD-WAN — Log-Based Indicators


Entries in /var/log/auth.log showing "Accepted publickey for vmanage-admin" from unknown or unauthorized IP addresses.

Unexpected software version downgrades in device logs, especially activation of older images outside approved change management windows.

Unauthorized reboots and application reversions.

Anomalous peer connections: unusual peer types, unknown system IPs, suspicious public IP addresses, or abnormal "remote color" values in DTLS sessions.

Successful API authentication events without corresponding valid credential entries in your identity provider logs.

Authentication log activity outside normal business hours.
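The following is an added example, not CISA's or Cisco's tooling, of the log check described in the list above (and repeated in Step 4 of the remediation checklist). It parses constructed /var/log/auth.log lines in standard OpenSSH format and flags vmanage-admin public-key logins from addresses that are not your configured System IPs, other accepted logins from unknown sources, and accepted logins outside an assumed change window. The System IP allow-list, the jump-host address and the business-hours window are assumptions to replace with your own inventory.

```python
"""Hunt for the ED 26-03 auth.log indicators (added example; not CISA's or Cisco's tooling).

Parses OpenSSH 'Accepted <method> for <user> from <addr>' records as they appear
in /var/log/auth.log on Cisco Catalyst SD-WAN Manager/Controller hosts and flags:
  * vmanage-admin public-key logins from addresses that are not configured
    System IPs (the rogue-peer indicator from the CISA hunt guidance),
  * other accepted logins from sources that are neither controllers nor admins,
  * any accepted login outside an assumed change window.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample log: hostnames, timestamps, key fingerprints and addresses
# are invented. 203.0.113.0/24 is a documentation range standing in for an
# attacker-controlled host.
SAMPLE_AUTH_LOG = """\
Feb 26 09:12:41 vmanage sshd[2210]: Accepted publickey for vmanage-admin from 10.1.0.2 port 40122 ssh2: RSA SHA256:aaaa
Feb 26 09:13:02 vmanage sshd[2231]: Accepted password for admin from 10.0.50.7 port 51002 ssh2
Feb 27 02:14:03 vmanage sshd[4182]: Accepted publickey for vmanage-admin from 203.0.113.45 port 51324 ssh2: RSA SHA256:bbbb
Feb 27 02:14:09 vmanage sshd[4182]: pam_unix(sshd:session): session opened for user vmanage-admin by (uid=0)
Feb 27 02:16:50 vmanage sshd[4197]: Failed password for root from 203.0.113.45 port 51330 ssh2
Feb 27 03:01:15 vmanage sshd[4260]: Accepted publickey for vmanage-admin from 10.1.0.3 port 40190 ssh2: RSA SHA256:cccc
"""

# Assumed allow-lists: System IPs of the organisation's own controllers (from the
# SD-WAN Manager inventory) and the administrators' jump host. Replace with yours.
KNOWN_SYSTEM_IPS = {"10.1.0.2", "10.1.0.3"}
ADMIN_SOURCES = {"10.0.50.7"}
# Assumed change window (local time, 08:00-17:59); tune to your operations.
BUSINESS_HOURS = range(8, 18)

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[0-9A-Fa-f:.]+) port \d+"
)


def parse_accepted(line):
    """Return a dict for an 'Accepted ...' sshd record, or None for any other line."""
    match = ACCEPTED_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    # syslog timestamps carry no year; only the hour is used here.
    rec["hour"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S").hour
    rec["src"] = str(ipaddress.ip_address(rec["src"]))  # normalise, reject garbage
    return rec


def hunt(log_text, known_system_ips=KNOWN_SYSTEM_IPS, admin_sources=ADMIN_SOURCES,
         business_hours=BUSINESS_HOURS):
    """Return (indicator, source_ip, raw_line) tuples for every suspicious login."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_accepted(line)
        if rec is None:
            continue
        if rec["user"] == "vmanage-admin" and rec["method"] == "publickey":
            # Legitimate vmanage-admin key logins come from the fabric's own
            # controllers; any other source matches the ED 26-03 indicator.
            if rec["src"] not in known_system_ips:
                findings.append(("vmanage-admin-from-unknown-ip", rec["src"], line))
        elif rec["src"] not in (known_system_ips | admin_sources):
            findings.append(("login-from-unknown-ip", rec["src"], line))
        if rec["hour"] not in business_hours:
            findings.append(("off-hours-login", rec["src"], line))
    return findings


if __name__ == "__main__":
    for indicator, src, raw in hunt(SAMPLE_AUTH_LOG):
        print("%-30s %-15s %s" % (indicator, src, raw))
```

On the sample, the 02:14 vmanage-admin login from 203.0.113.45 is flagged twice (unknown source and off-hours), while the 03:01 login from a known controller is flagged only as off-hours; the failed root attempt is not an "Accepted" record and is left to a separate brute-force check. Run the same logic over the syslog you forward to your SIEM (or to CLAW), not only over the on-box file, since the actor is known to purge auth.log.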


SD-WAN — System-Level Indicators


Unknown user accounts in /etc/passwd or the vManage user management interface.

Unauthorized SSH public keys in /root/.ssh/authorized_keys or /home/vmanage/.ssh/authorized_keys.

Modifications to /opt or /var directories inconsistent with installed software versions.

Active NETCONF sessions from IP addresses not listed in configured System IPs.
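An added example, not Cisco or CISA tooling, of the peer and session checks in the two indicator lists above (it also covers Step 5 of the remediation checklist). It diffs the control connections a Manager or Controller currently reports against an authorised topology and flags unknown system IPs, peers presenting an unexpected role, abnormal remote colors, peers reached through public addresses outside known transport prefixes, and NETCONF (TCP/830) sessions from addresses that are not configured System IPs. The export columns, the authorised topology, the allowed colors, the transport prefixes and the session list are all constructed assumptions; a real run takes the table from SD-WAN Manager and the topology from change-managed inventory.

```python
"""Rogue-peer and NETCONF-session hunt (added example; not Cisco or CISA tooling).

Compares the control connections an SD-WAN Manager/Controller currently reports
against the authorised topology and flags the indicators listed above.
"""
import csv
import io
import ipaddress

# Constructed export of the control-connection table. The column names are an
# assumption; a real export comes from the Manager UI/API or the device CLI.
# 203.0.113.0/24 is a documentation range standing in for attacker infrastructure.
CONTROL_CONNECTIONS = """\
peer_type,system_ip,site_id,remote_color,public_ip,state
vbond,10.1.0.1,100,default,192.0.2.1,up
vsmart,10.1.0.2,100,default,192.0.2.2,up
vedge,10.1.1.10,210,biz-internet,198.51.100.10,up
vedge,10.1.9.77,999,custom1,203.0.113.45,up
vsmart,10.1.0.9,100,mpls,203.0.113.46,up
"""

# Assumed authorised topology: system IP -> expected peer type, from inventory.
# 10.1.0.9 is a real edge router here; a peer claiming that system IP as a vsmart
# is exactly the rogue controller insertion described in the UAT-8616 profile.
AUTHORISED_PEERS = {
    "10.1.0.1": "vbond",
    "10.1.0.2": "vsmart",
    "10.1.1.10": "vedge",
    "10.1.0.9": "vedge",
}
ALLOWED_COLORS = {"default", "biz-internet", "mpls"}          # assumed
KNOWN_TRANSPORT_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),   # assumed
                            ipaddress.ip_network("198.51.100.0/24")]

# Constructed list of live TCP sessions on the Manager: (source address, local port).
NETCONF_SESSIONS = [("10.1.0.2", 830), ("10.0.50.7", 22), ("203.0.113.45", 830)]


def hunt_peers(export_text, authorised=AUTHORISED_PEERS, allowed_colors=ALLOWED_COLORS,
               transport_prefixes=KNOWN_TRANSPORT_PREFIXES):
    """Return (indicator, system_ip) tuples for every peer that deviates from inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        sys_ip = row["system_ip"]
        expected = authorised.get(sys_ip)
        if expected is None:
            findings.append(("unknown-system-ip", sys_ip))
        elif expected != row["peer_type"]:
            findings.append(("peer-type-mismatch", sys_ip))
        if row["remote_color"] not in allowed_colors:
            findings.append(("abnormal-color", sys_ip))
        public = ipaddress.ip_address(row["public_ip"])
        if not any(public in net for net in transport_prefixes):
            findings.append(("unexpected-public-ip", sys_ip))
    return findings


def hunt_netconf_sessions(sessions, system_ips):
    """Return source addresses holding NETCONF (TCP/830) sessions that are not System IPs."""
    return [src for src, port in sessions if port == 830 and src not in system_ips]


if __name__ == "__main__":
    for indicator, sys_ip in hunt_peers(CONTROL_CONNECTIONS):
        print("%-22s %s" % (indicator, sys_ip))
    for src in hunt_netconf_sessions(NETCONF_SESSIONS, set(AUTHORISED_PEERS)):
        print("netconf-from-unknown-ip %s" % src)
```

Note that 10.1.0.9 passes the NETCONF check because it is a configured System IP, yet fails the peer check because it presents itself as a vsmart: a rogue peer that reuses a legitimate System IP is only caught by comparing role and transport details, which is why the page lists peer type and remote color alongside the address.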


FMC — What to Look For


Unexpected HTTP requests to the FMC management interface from external or untrusted IP addresses that result in successful authentication events without valid credentials.

Anomalous firewall policy changes that cannot be correlated to authorized administrator activity.

New administrative user accounts in FMC without corresponding change management tickets.

Unusual processes running with root privileges on the FMC operating system.

Deserialization errors in FMC application logs, which may indicate failed exploitation attempts.



8. REMEDIATION CHECKLIST


No configuration workarounds exist for CVE-2026-20127, CVE-2026-20129, CVE-2026-20079, or CVE-2026-20131. The only complete remediation for all four vulnerabilities is upgrading to a fixed software release.


Cisco Catalyst SD-WAN (CVE-2026-20127, CVE-2026-20129)


Step 1: Take inventory of all Cisco Catalyst SD-WAN Controller and Manager instances across your environment, including cloud-hosted and third-party-managed deployments.


Step 2: Upgrade all in-scope SD-WAN Controller and Manager instances to a release the Cisco advisories list as fixed for both CVE-2026-20127 and CVE-2026-20129 (the affected-version data above cites 20.91 for CVE-2026-20127; SD-WAN Manager 20.18 and later is not affected by CVE-2026-20129). Consult Cisco's upgrade matrix for your specific upgrade path, and verify the target release against both advisories before scheduling the change.


Step 3: Restrict exposure. Ensure SD-WAN control components are behind a firewall. Isolate VPN 512 interfaces. Block access to NETCONF (TCP/830) from untrusted networks and the public internet.


Step 4: Audit /var/log/auth.log for unauthorized "Accepted publickey for vmanage-admin" events. Check all SD-WAN Manager-listed System IPs against IPs appearing in auth logs.


Step 5: Hunt for rogue peer devices. Compare the current list of SD-WAN peers against your authorized network topology. Any unrecognized peer is a potential indicator of compromise.


Step 6: Apply Cisco's hardening guide. Replace self-signed certificates for the vManage UI, configure DTLS data encryption, use SNMPv3, create pairwise keys, and set session timeouts to a maximum of 5 minutes.


Step 7: Forward all SD-WAN syslog data to your SIEM. FCEB agencies must configure CLAW integration and submit reports per ED 26-03 deadlines.


Step 8: If root compromise is confirmed, deploy new vManage, vSmart, and vBond instances from patched OVA or qcow2 images and migrate edge devices to the rebuilt infrastructure.


Cisco Secure Firewall Management Center (CVE-2026-20079, CVE-2026-20131)


Step 1: Identify all on-premises FMC instances. Confirm your current software version using Cisco's Software Checker tool at sec.cloudapps.cisco.com.


Step 2: Upgrade to a fixed release. Versions 7.4.6, 7.6.5, or 10.0.1 and later address both CVE-2026-20079 and CVE-2026-20131. Verify that your chosen upgrade path resolves both vulnerabilities.


Step 3: Restrict FMC management interface access using firewall rules or ACLs. The FMC management interface must never be exposed to untrusted networks or the public internet.


Step 4: If you use Cisco Security Cloud Control (SCC), Cisco has already patched the CVE-2026-20131 exposure. No customer action is required for the SCC-hosted component. Confirm your deployment model.


Step 5: Review all FMC-managed firewall policies for unauthorized changes. Audit administrative user accounts against your identity management systems.


Step 6: Enable and centralize FMC and FTD logging. Correlate authentication events, policy changes, and administrative activity with your SIEM or SOC platform.


Priority Summary


Today: Restrict internet access to the SD-WAN NETCONF port (TCP/830) and all FMC management interfaces.

Within 24 hours: Begin upgrading SD-WAN Controller and Manager instances to a release fixed for both CVE-2026-20127 and CVE-2026-20129, and FMC to 7.4.6, 7.6.5, or 10.0.1 and later.

Within 48 to 72 hours: Complete the initial threat hunt for SD-WAN indicators. Audit FMC admin accounts and recent policy change logs.

Ongoing: Monitor CISA's Known Exploited Vulnerabilities catalog and Cisco's Security Advisories portal. Maintain centralized syslog forwarding for all SD-WAN and FMC infrastructure.



9. EVENT TIMELINE


2023 (estimated): UAT-8616 begins exploiting CVE-2026-20127 as a zero-day, establishing persistent footholds in high-value targets globally.


February 25, 2026: Cisco discloses CVE-2026-20127 (CVSS 10.0) and CVE-2026-20129 (CVSS 9.8). CISA issues Emergency Directive 26-03. CISA adds CVE-2026-20127 and CVE-2022-20775 to the Known Exploited Vulnerabilities catalog. NSA, ASD/ACSC, CCCS, NCSC-NZ, and NCSC-UK co-publish joint threat hunting guidance.


February 26 to 27, 2026: FCEB agencies required to submit system inventories and begin patching. Patching deadline: February 27, 5:00 PM ET.


March 4, 2026: Cisco releases bundled advisory covering 48 firewall vulnerabilities. CVE-2026-20079 and CVE-2026-20131 (both CVSS 10.0) disclosed in Cisco Secure FMC and SCC Firewall Management. Both become top targets for automated scanning tools globally. watchTowr records the largest single-day spike in CVE-2026-20127 exploitation attempts.


Early March 2026: Cisco PSIRT confirms active exploitation of CVE-2026-20128 and CVE-2026-20122. Threat actors observed attempting to leverage CVE-2026-20129 for netadmin access across SD-WAN deployments.


March 12, 2026: FCEB hardening report deadline.


March 13, 2026: CVE-2026-20079 and CVE-2026-20131 remain top targets for automated scanning tools. Exploitation attempts against CVE-2026-20129 continue.


March 23, 2026: Final FCEB deadline. All CLAW logging integration must be complete and compliance reports submitted to CISA.



10. FREQUENTLY ASKED QUESTIONS


Does ED 26-03 apply to private-sector organizations?


ED 26-03 is legally binding only for Federal Civilian Executive Branch agencies. However, CISA urges all organizations operating Cisco Catalyst SD-WAN systems to inventory, patch, and hunt for compromise using the same guidance. CVE-2026-20127 has been exploited in the wild since at least 2023, targeting both government and private-sector organizations globally.


Are there any workarounds if I cannot patch immediately?


No configuration workarounds fully address CVE-2026-20127, CVE-2026-20129, CVE-2026-20079, or CVE-2026-20131. Software upgrade is the only complete remediation. For FMC, restricting management interface access to trusted networks via firewall rules or ACLs reduces exposure but does not eliminate the vulnerability. For SD-WAN, placing control components behind a firewall and blocking internet access to NETCONF (TCP/830) reduces the attack surface but is not a substitute for patching.


How do I know if my SD-WAN system has already been compromised?


Follow the CISA Supplemental Direction ED 26-03 Hunt Guidance. Key indicators include unexpected user accounts, unauthorized SSH keys, unrecognized SD-WAN peers, suspicious entries in /var/log/auth.log, and software version downgrades outside approved change windows. Contact Cisco TAC immediately if any of these indicators are present.


Is Cloud-Delivered FMC affected by CVE-2026-20079?


No. Cisco has confirmed that Cloud-Delivered FMC is not affected by CVE-2026-20079. CVE-2026-20131 does affect Cisco Security Cloud Control (SCC) Firewall Management, but Cisco has already applied the patch to the SCC-hosted component. No customer action is required for SCC deployments.


What is the fixed version for Cisco Secure FMC?


FMC versions 7.4.6, 7.6.5, and 10.0.1 or later address both CVE-2026-20079 and CVE-2026-20131. Verify that your chosen upgrade path resolves both vulnerabilities. Use Cisco's Software Checker tool to confirm the minimum fixed release for your current version.


What should I do if I suspect UAT-8616 activity?


Preserve forensic evidence before taking containment actions. Collect system dumps, /opt and /var directories, auth logs, and shell histories per the CISA Supplemental Direction. Engage Cisco TAC and consider a third-party incident response provider. Report confirmed compromises to CISA at report@cisa.gov. FCEB agencies are required to report indicators immediately and rebuild affected infrastructure from patched images.



REFERENCES


1. CISA — Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems


2. CISA — Supplemental Direction ED 26-03: Hunt and Hardening Guidance


3. CISA — Guidance on Ongoing Global Exploitation of Cisco SD-WAN Systems


4. Cisco Security Advisory — CVE-2026-20127


5. Cisco Security Advisory — CVE-2026-20129


6. Cisco Security Advisory — CVE-2026-20079


7. Cisco Security Advisory — CVE-2026-20131


8. The Hacker News — Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023


9. The Hacker News — Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities


10. eSentire — Maximum Severity Cisco Firewall Vulnerabilities Disclosed


Article by: Floripi Security Research

Published: March 13, 2026

This article is provided for informational purposes. Organizations should refer directly to official CISA directives and Cisco Security Advisories for authoritative remediation guidance.

 
 
 
