Cisco says hackers have been exploiting a critical flaw to break into the networks of large customers since 2023

Hackers have been exploiting a flaw in a popular networking product used by large enterprises for at least three years, Cisco said, prompting the US government and its allies to urge organizations to take action.

The vulnerability, with a maximum vulnerability score of 10.0, allows hackers to remotely break into networks running Catalyst SD-WAN products, which allow large companies and government agencies with multiple offices to connect their private networks over long distances.

By exploiting this bug online, hackers can gain the highest level of permissions for these devices and maintain persistent hidden access within the victim’s network, allowing them to spy or steal data over a long period of time.

Cisco said that after discovering the vulnerability, its researchers traced evidence of exploitation back to 2023. Some of the affected organizations are said to be critical infrastructure. The company did not provide details, but the phrase “critical infrastructure” could refer to everything from power grids and water supplies to the transportation sector.

Several governments, including Australia, Canada, New Zealand, the United Kingdom and the United States, warned in an alert that threat actors are targeting organizations “globally.”

The US cybersecurity agency CISA ordered all civilian federal agencies to patch their systems by the end of Friday, citing an imminent threat and unacceptable risks to the federal government. The federal cybersecurity agency, which is currently operating at reduced capacity due to the partial government shutdown, said it is aware of the ongoing exploit.

Neither Cisco nor the governments attributed the attacks to a specific threat group or nation-state, if known, but traced one set of activity to the name UAT-8616.

In December, Cisco warned that a vulnerability with a similar rating of 10.0 existed in the Async software that runs most of its products, which had been actively used to hack into its customers’ networks.