Cisco SD‑WAN zero-day exploited
- Cisco disclosed on May 14 a critical Catalyst SD-WAN authentication-bypass flaw, CVE-2026-20182, and said it had been exploited in the wild. (sec.cloudapps.cisco.com)
- Cisco assigned CVE-2026-20182 a CVSS score of 10.0 and said the bug could let an unauthenticated remote attacker obtain administrative privileges. (sec.cloudapps.cisco.com)
- CISA added CVE-2026-20182 to its Known Exploited Vulnerabilities catalog on May 14, with remediation details on Cisco support pages. (cisa.gov)
Cisco disclosed a critical authentication-bypass vulnerability in its Catalyst SD-WAN Controller on May 14 and said the flaw had been exploited in the wild. The bug, tracked as CVE-2026-20182, affects Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, according to the company’s security advisory. (sec.cloudapps.cisco.com)

Cisco said the flaw could allow an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on an affected system. The company said no workaround was available and directed customers to software updates and a separate remediation guide. (cisa.gov)

### Which Cisco products are affected, exactly?

Cisco said CVE-2026-20182 sits in the peering authentication used by Catalyst SD-WAN Controller and Catalyst SD-WAN Manager. The company said the vulnerability exists because the peering authentication mechanism does not sufficiently validate the authenticity of an established connection. The May 14 advisory said successful exploitation could let an attacker bypass authentication and obtain administrative privileges. Cisco assigned the issue a CVSS 3.1 base score of 10.0, the highest severity rating on that scale. (sec.cloudapps.cisco.com)

### How is this different from Cisco’s earlier SD-WAN flaw in February?

Cisco said the May 2026 advisory covers “a new vulnerability in the control connection handshaking” that was discovered and fixed after the company disclosed a separate authentication-bypass flaw in February 2026. That earlier issue was tracked as CVE-2026-20127 and also affected Catalyst SD-WAN Controller and SD-WAN Manager. (sec.cloudapps.cisco.com)

Cisco’s SD-WAN advisories page shows both items separately: the earlier controller authentication-bypass advisory, last updated on March 3, and the new controller authentication-bypass advisory published on May 14. That means customers who addressed the February issue still need to review the newer advisory and the fixed versions tied to CVE-2026-20182. (sec.cloudapps.cisco.com)

### What has Cisco said about active exploitation?

Cisco Talos said on May 14 that it was tracking active exploitation of CVE-2026-20182. Talos described the activity as exploitation of an authentication-bypass vulnerability in Catalyst SD-WAN Controller and Catalyst SD-WAN Manager. (sec.cloudapps.cisco.com)

Cisco’s security advisory said the flaw was “discovered and fixed” after the February disclosure, and the Talos post said the company had observed exploitation. The advisory also includes indicators of compromise and “Show Control Connections” guidance to help customers check their systems. (cisco.com)

### What does CISA’s KEV listing change for defenders?

CISA said on May 14 that it added CVE-2026-20182 to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The agency said the catalog is intended to help organizations prioritize vulnerabilities that are being used in the wild. (blog.talosintelligence.com)

The KEV entry matters especially for U.S. federal civilian agencies because Binding Operational Directive 22-01 requires them to remediate cataloged vulnerabilities by the due date listed by CISA. CISA’s alert on the new entry identified CVE-2026-20182 as the added vulnerability. (sec.cloudapps.cisco.com)

### If there is no workaround, what are customers supposed to do now?

Cisco said no workaround was available for CVE-2026-20182 and told customers to upgrade to fixed software versions. The company’s May 14 remediation document lays out a workflow that starts with collecting admin-tech files from all control components, then upgrading to a fixed release, then opening a TAC case and uploading the files for scanning. (cisa.gov)

Cisco’s remediation guide also gives manual verification steps for customers that cannot collect admin-tech files. Those checks include reviewing authentication logs for unauthorized SSH logins, checking controller syslogs for unauthorized peer connections, and looking for missing challenge acknowledgments on active control connections. (cisa.gov)

### What should readers watch next?

Cisco’s support page dated May 14 lists fixed software versions and directs customers to Technical Assistance Center follow-up if compromise is identified. Cisco’s SD-WAN advisory index also shows the May 14 controller advisory as the current reference point for this flaw. (sec.cloudapps.cisco.com)

CISA’s KEV catalog and Cisco’s security advisory pages are the two places likely to show the next concrete updates, whether that is a revised remediation deadline for federal agencies, new indicators of compromise, or additional fixed releases. (cisa.gov) (cisco.com)