Cisco is alerting organizations to a critical authentication bypass vulnerability in its Catalyst SD-WAN Controller and Manager platforms. Tracked as CVE-2026-20182 with a maximum severity rating of 10.0, this flaw has been actively exploited in zero-day attacks to grant attackers administrative access.

The Vulnerability

The issue stems from improper implementation of the peering authentication mechanism. As Cisco explains in its advisory, "An attacker could exploit this vulnerability by sending crafted requests to the affected system." Successful exploitation lets attackers authenticate as a high-privileged internal account and access NETCONF, allowing manipulation of SD-WAN fabric configurations.

Cisco Catalyst SD-WAN is a software-defined networking platform connecting branch offices, data centers, and cloud environments through centralized management and encrypted connections.

Detection and Impact

The company detected threat actors exploiting this vulnerability in May but provided limited exploitation details. However, indicators of compromise suggest attackers register unauthorized "rogue devices" within the SD-WAN environment, creating legitimate-appearing devices that could enable deeper network penetration and traffic manipulation.

Discovery and Related Flaws

Rapid7 researchers discovered this vulnerability while investigating CVE-2026-20127, a separate SD-WAN controller flaw patched in February. That earlier vulnerability had been exploited since 2023 by a threat actor designated "UAT-8616."

Remediation and Recommendations

Cisco has released security updates addressing the flaw, with no complete workarounds available. The company recommends:

  • Restricting management interface access to trusted internal networks
  • Reviewing authentication logs for suspicious activity
  • Examining /var/log/auth.log for unauthorized SSH access attempts
  • Monitoring SD-WAN Controller logs for unauthorized peering events

CISA has added CVE-2026-20182 to its Known Exploited Vulnerabilities Catalog, mandating federal agency patching by May 17, 2026.

Indicators of Compromise

Organizations should search logs for entries showing "Accepted publickey for vmanage-admin" from unknown IP addresses, comparing these against configured System IPs listed in the Catalyst SD-WAN Manager web interface.
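
The log check described above can be scripted. The following is an added example, not code from Cisco or from the original article; it assumes the standard OpenSSH "Accepted publickey" line format, and the System IP allowlist and log lines are constructed sample values (documentation address ranges) that stand in for the list copied from the Catalyst SD-WAN Manager web interface and the contents of /var/log/auth.log.

```python
import ipaddress
import re

# OpenSSH logs a successful key login as:
#   "Accepted publickey for <user> from <addr> port <n> ssh2: ..."
ACCEPT_RE = re.compile(
    r"Accepted publickey for vmanage-admin from (?P<addr>\S+) port \d+")

def normalize(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip

def find_unknown_logins(lines, known_system_ips):
    """Return (line_number, source) for each vmanage-admin publickey login
    whose source address is not one of the configured System IPs."""
    known = {normalize(ip) for ip in known_system_ips}
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = ACCEPT_RE.search(line)
        if m is None:
            continue
        try:
            src = normalize(m["addr"])
        except ValueError:
            hits.append((lineno, m["addr"]))  # unparseable source: surface it
            continue
        if src not in known:
            hits.append((lineno, str(src)))
    return hits

# Constructed allowlist: System IPs as listed in the Manager web interface.
KNOWN_SYSTEM_IPS = ["192.0.2.10", "192.0.2.11"]

# Constructed sample auth.log lines.
SAMPLE_LOG = [
    "May 10 03:12:45 vmanage1 sshd[2211]: Accepted publickey for vmanage-admin from 192.0.2.10 port 51234 ssh2: RSA SHA256:CONSTRUCTED",
    "May 10 03:14:02 vmanage1 sshd[2240]: Accepted publickey for vmanage-admin from 203.0.113.77 port 40022 ssh2: RSA SHA256:CONSTRUCTED",
    "May 10 03:15:10 vmanage1 sshd[2251]: Failed password for admin from 198.51.100.9 port 40100 ssh2",
    "May 10 03:16:31 vmanage1 sshd[2260]: Accepted publickey for vmanage-admin from ::ffff:192.0.2.11 port 51300 ssh2: RSA SHA256:CONSTRUCTED",
]

if __name__ == "__main__":
    for lineno, src in find_unknown_logins(SAMPLE_LOG, KNOWN_SYSTEM_IPS):
        print(f"line {lineno}: vmanage-admin publickey login from unlisted {src}")
```

A hit is a lead for review against the Manager's device list, not proof of compromise; an incomplete allowlist will produce false positives.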