Cisco says hackers have been exploiting a critical bug to break into big customer networks since 2023
Source: TechCrunch

Image Credits: Diesmer Ponstein / Flickr, under a CC BY 2.0 license.

Cisco says hackers have been exploiting a bug in one of its popular networking products used by large enterprises for at least three years, prompting the U.S. government and its allies to urge organizations to take action.

The bug, which has a maximum-rated vulnerability severity score of 10.0, allows hackers to remotely break into networks running its Catalyst SD-WAN products, which allow large companies and government agencies with multiple offices to connect their private networks over long distances.

By exploiting this bug over the internet, hackers can gain the highest level of permissions to these devices and maintain persistent hidden access inside a victim’s network, allowing them to spy or steal data over a long period of time.

Cisco said after discovering the bug, its researchers traced evidence of exploitation as far back as 2023. Some of the affected organizations are said to be critical infrastructure. The company did not provide specifics, but “critical infrastructure” can refer to everything from power grids and water supply to the transportation sector.

Several governments, including Australia, Canada, New Zealand, the United Kingdom, and the United States, warned in an alert that threat actors are targeting organizations “globally.”

U.S. cybersecurity agency CISA ordered all civilian federal agencies to patch their systems by end-of-day Friday, citing an imminent threat and unacceptable risk to the federal government. The federal cybersecurity agency, which is currently running at reduced capacity due to a partial government shutdown, said it was aware of ongoing exploitation.

Neither Cisco nor the governments attributed the attacks to a specific threat group or nation state, though one cluster of activity is tracked as UAT-8616.

In December, Cisco warned of a similarly rated 10.0 vulnerability in the Async software that runs most of its products, which was being actively used to hack into its customer networks.