Cisco Warns of Critical SD-WAN Flaw Actively Exploited in Zero-Days

Cisco has issued an advisory about a severe authentication bypass vulnerability, identified as CVE-2026-20182, that threat actors have leveraged in zero-day attacks to obtain administrative access on targeted systems.

The flaw carries the highest possible CVSS score of 10.0 and affects both the Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager across on-prem installations as well as SD-WAN Cloud environments. According to the company, the root cause lies in a peering authentication mechanism "that is not working properly." The advisory explains that an attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful compromise reportedly lets the intruder authenticate to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user. From there, the attacker could reach NETCONF functions and alter network settings across the SD-WAN fabric.

Cisco Catalyst SD-WAN functions as a software-defined platform designed to link branch offices, data centers, and cloud resources under centralized management, directing traffic between locations over encrypted tunnels.

The vendor reportedly identified exploitation attempts during May without disclosing specific attack techniques. Indicators of compromise direct administrators to scan SD-WAN Controller logs for signs of unauthorized peering events that might reflect efforts to onboard rogue devices into the fabric. Such rogue peers could enable insertion of attacker-controlled hardware that mimics legitimate nodes, allowing encrypted links and the advertisement of malicious networks to facilitate lateral movement.

Security researchers at Rapid7 uncovered the issue while investigating a separate Cisco SD-WAN controller vulnerability, tracked as CVE-2026-20127, which received a patch in February. That earlier flaw had also been exploited in zero-day operations by a group designated "UAT-8616" since 2023 for the purpose of establishing rogue peers inside victim environments.

Cisco has issued updated software releases that resolve CVE-2026-20182 and stated there are no workarounds capable of completely eliminating the risk. The vendor further advises limiting exposure of SD-WAN management and control-plane interfaces exclusively to trusted internal networks or approved IP ranges, along with routine inspection of authentication logs for anomalous activity.

CISA has placed the Cisco CVE-2026-20182 flaw on its Known Exploited Vulnerabilities Catalog, directing federal agencies to apply fixes no later than May 17, 2026.

Cisco additionally urges organizations with internet-facing Catalyst SD-WAN Controllers to examine logs for evidence of suspicious access or peering attempts, including entries in /var/log/auth.log that contain "Accepted publickey for vmanage-admin" originating from unfamiliar addresses. Any such IP should be cross-checked against authorized System IPs shown in the Cisco Catalyst SD-WAN Manager interface under WebUI > Devices > System IP; mismatched successful logins warrant treating the system as breached and contacting Cisco TAC.