Cisco is warning of a critical authentication bypass in its Catalyst SD-WAN Controller and Manager software, tracked as CVE-2026-20182 and carrying the maximum CVSS score of 10.0. Attackers have already weaponized the flaw as a zero-day, abusing a broken peering authentication mechanism to log in as a high-privileged internal account and reach NETCONF, where they can rewrite SD-WAN fabric configurations. CISA has added the bug to its Known Exploited Vulnerabilities Catalog with a federal remediation deadline of May 17, 2026. No full workaround exists, so patching is the only reliable fix.

What the vulnerability is

The root cause is an improperly implemented peering authentication mechanism in the affected Catalyst SD-WAN platforms. According to Cisco's advisory, "the peering authentication mechanism in an affected system is not working properly," and "an attacker could exploit this vulnerability by sending crafted requests to the affected system."

A successful exploit lets an unauthenticated, remote attacker authenticate as an internal, high-privileged, non-root account on a Cisco Catalyst SD-WAN Controller or Manager. From there, the attacker gains access to NETCONF, the protocol used to push device configuration, which opens the door to tampering with the entire SD-WAN fabric. Cisco's Catalyst SD-WAN is a software-defined networking stack that ties together branch sites, data centers, and cloud workloads through centralized control and encrypted tunnels — so control-plane access of this kind is effectively keys to the kingdom.

The flaw was published on May 14, 2026 (NVD, CVE.org).

How the attack works

Public technical write-ups describe the issue as a weakness in the control-connection handshake / peering authentication, allowing an unauthenticated remote attacker to slip past authentication and obtain high-privileged internal access. The attack pattern is straightforward in shape: the attacker sends crafted requests to the controller, and on success is treated as a trusted internal peer rather than an outside party.

The control-plane traffic targeted here rides over the SD-WAN vdaemon process on UDP/DTLS 12346. A publicly available proof-of-concept framework (Nxploited/CVE-2026-20182) implements the bypass against that service and includes a "fabric fallback" routine: on a TEAR_DOWN response or a parameter mismatch, it retries against alternate domain/site presets — (1,100), (1,1), and (0,0) — unless --no-fallback is supplied.

The same project distinguishes two operating modes: a non-intrusive check mode that only proves the bypass is reachable (described as reaching "tier 03 at best"), and a full mode that goes further to inject an SSH key and verify access (ssh_verified, "tier 01"). Note that an https:// entry in a target list is treated as a TCP web hint on 80/443 only — it is not the same as UDP DTLS, which is where the actual control-plane attack lands.

Detection and impact

Cisco says it caught threat actors exploiting CVE-2026-20182 in May but released few specifics about the campaigns. The indicators it shared point to attackers registering unauthorized "rogue devices" inside the SD-WAN environment. Because these rogue devices look like legitimate fabric members, they can be used to extend access deeper into the network and to manipulate traffic.

The vulnerability was found by Rapid7 researchers while they were investigating a separate Catalyst SD-WAN controller bug, CVE-2026-20127, which Cisco patched in February. That earlier flaw had reportedly been exploited since 2023 by a threat actor tracked as UAT-8616.

Proof of concept

The Nxploited framework is a Python 3 tool intended for authorized testing. It depends on OpenSSL being loadable at runtime — the tool exits at startup if it cannot find OpenSSL.

Install dependencies:


pip install -r requirements.txt

On Windows, point the tool at your OpenSSL install:


OPENSSL_HOME=C:\Program Files\OpenSSL-Win64

On Debian/Ubuntu, install the OpenSSL libraries and make them discoverable:


# Debian/Ubuntu
sudo apt install libssl3 openssl
export LD_LIBRARY_PATH=/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH

Run interactively — configure options 1–11, then choose 0 to launch the scan. The default run mode is the safe bypass probe (check):


python CVE-2026-20182.py

Run non-interactively (auto-confirm):


python CVE-2026-20182.py -y

Force the safe bypass-only probe explicitly:


python CVE-2026-20182.py -y --mode check

The full mode injects an SSH key and verifies the resulting access, and should only ever be pointed at systems you are explicitly authorized to test.

Detection and mitigation

Cisco has shipped fixed software and states there are no complete workarounds. Recommended actions:

  • Restrict access to the management interface so it is reachable only from trusted internal networks.
  • Review authentication logs for suspicious activity.
  • Inspect /var/log/auth.log for unauthorized SSH access attempts.
  • Monitor SD-WAN Controller logs for unauthorized peering events.
  • Audit controllers for unexpected configuration changes and unknown peer/control-plane connections.

Key indicator of compromise

Search authentication logs for successful public-key logins to the vmanage-admin account from unfamiliar hosts — for example log lines reading:


Accepted publickey for vmanage-admin

Cross-check the source IP addresses against the System IPs configured in the Catalyst SD-WAN Manager web interface. Any "Accepted publickey for vmanage-admin" event originating from an IP that is not a known, configured System IP is a strong sign of exploitation and warrants immediate investigation.

Bottom line

With a 10.0 CVSS rating, confirmed in-the-wild exploitation, a public PoC, and a CISA KEV deadline of May 17, 2026, CVE-2026-20182 should be treated as an emergency for any organization running Cisco Catalyst SD-WAN Controller or Manager. Apply Cisco's updates per the official advisory, lock down management-plane exposure, and hunt for rogue device registrations and anomalous vmanage-admin logins.