Cisco has warned that CVE-2026-20182, a CVSS 10 authentication bypass in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager, has seen limited exploitation in the wild.[1] CISA added the flaw to its Known Exploited Vulnerabilities catalog on May 14, 2026, with a federal remediation due date of May 17, 2026.[2]
The bug affects peering authentication in Catalyst SD-WAN control components. Cisco says an unauthenticated remote attacker can send crafted requests to an affected system, log in as an internal high-privileged non-root account, access NETCONF, and manipulate SD-WAN fabric configuration.[1] That combination makes this more serious than a routine management-plane flaw: an attacker may not need valid user credentials to start changing how the network fabric behaves.

Cisco says the vulnerability affects Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager regardless of configuration and across deployment types, including on-prem, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud managed deployments, and Cisco SD-WAN for Government.[1] The company also states there are no workarounds, so the practical response is to collect evidence first, then upgrade to a fixed release as soon as possible.[1]
This belongs in the same risk family as other edge and management-plane incidents we have covered recently, including Palo Alto PAN-OS exploitation, Ivanti EPMM zero-day attacks, and the older Cisco phone adapter vulnerability. The recurring pattern is simple: devices that broker access or routing decisions become high-value targets when exposed or weakly segmented.
What Cisco SD-WAN admins should do
| Environment | Recommended response |
|---|---|
| No Catalyst SD-WAN Controller or Manager | No direct action for CVE-2026-20182, but confirm that managed service or partner infrastructure is not running affected control components for your organization. |
| Internet-exposed control components | Treat as highest priority. Collect admin-tech files before upgrading, then patch and review peering and authentication logs. |
| Cloud-managed Cisco SD-WAN | Cisco says SD-WAN Cloud managed release 20.15.506 addresses the flaw and no user action is required, but customers should verify remediation status through the service GUI.[1] |
| Unclear version or topology | Inventory Catalyst SD-WAN Controller and Manager versions, exposed ports, control connections, peer system IPs, and whether control components are reachable from untrusted networks. |

Fixed releases vary by train. Cisco lists 20.9.9.1 for the 20.9 train, 20.12.7.1 for 20.10 and 20.11, several fixed builds for 20.12, 20.15.5.2 for 20.13 and 20.14, 20.15.4.4 or 20.15.5.2 for 20.15, 20.18.2.2 for 20.16 and 20.18, and 26.1.1.1 for 26.1.[1] Older trains that have reached end of software maintenance should be moved to a supported fixed release rather than treated as long-term exceptions.
For triage, Cisco explicitly tells customers to preserve possible indicators of compromise by running `request admin-tech` from each SD-WAN control component before upgrading.[1] Administrators should also check `auth.log` for `vmanage-admin` logins from unknown or unauthorized IP addresses and validate peering events against normal maintenance windows, authorized IP ranges, expected peer types, and documented system IP assignments.[1]
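The auth.log review described above can be scripted. The sketch below is an added example, not code from Cisco or from the advisory: it assumes OpenSSH-style "Accepted ... for ... from ..." lines with ISO 8601 timestamps, and the sample log lines, authorized range, and maintenance window are constructed or hypothetical values. Applying the maintenance-window comparison to logins, not only to peering events, is also an assumption of this example.

```python
import ipaddress
import re
from datetime import datetime, time, timezone

# Assumption: OpenSSH-style "Accepted <method> for <user> from <ip>" lines with
# an ISO 8601 timestamp; adjust the pattern to what your auth.log contains.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+sshd\[\d+\]:\s+Accepted\s+\S+\s+for\s+"
    r"(?P<user>\S+)\s+from\s+(?P<ip>[0-9a-fA-F.:]+)\s+port\s+\d+"
)

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE_LOG = """\
2026-05-12T02:14:07+00:00 vmanage sshd[2211]: Accepted publickey for vmanage-admin from 192.0.2.10 port 50122 ssh2
2026-05-12T02:15:44+00:00 vmanage sshd[2230]: Accepted password for admin from 192.0.2.25 port 50140 ssh2
2026-05-13T14:03:19+00:00 vmanage sshd[3108]: Accepted publickey for vmanage-admin from 203.0.113.77 port 41022 ssh2
2026-05-13T14:05:02+00:00 vmanage sshd[3120]: Failed password for vmanage-admin from 203.0.113.77 port 41030 ssh2
2026-05-14T15:30:00+00:00 vmanage sshd[4001]: Accepted publickey for vmanage-admin from 192.0.2.11 port 50200 ssh2
"""

AUTHORIZED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # hypothetical peer range
MAINT_WINDOW = (time(1, 0), time(4, 0))                   # hypothetical, UTC


def review_logins(log_text, account="vmanage-admin",
                  nets=AUTHORIZED_NETS, window=MAINT_WINDOW):
    """Return accepted logins by `account` that need manual review."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m or m["user"] != account:
            continue  # failed attempts and other accounts are out of scope here
        ip = ipaddress.ip_address(m["ip"])
        when = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        reasons = []
        if not any(ip in net for net in nets):
            reasons.append("source outside authorized ranges")
        if not (window[0] <= when.time() <= window[1]):
            reasons.append("outside maintenance window")
        if reasons:
            findings.append({"time": m["ts"], "ip": str(ip), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_logins(SAMPLE_LOG):
        print(f["time"], f["ip"], "; ".join(f["reasons"]))
```

Run it against a copy of the log taken from the preserved evidence, so the review does not touch the original files.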
CISA’s KEV entry raises the priority because exploitation is no longer hypothetical. If a system shows suspicious peer events, unexpected vmanage-admin access, or unknown control connections, open a Cisco TAC case with CVE-2026-20182 in the title and preserve logs before making cleanup changes. Prioritize patching, but do not erase the evidence that would show whether the SD-WAN fabric was already touched.
References
1. Cisco. “Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability.” Cisco Security Advisory, May 14, 2026. https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-sdwan-rpa2-v69WY2SW.html
2. Cybersecurity and Infrastructure Security Agency. “CVE-2026-20182: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability.” Known Exploited Vulnerabilities Catalog, added May 14, 2026. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
3. Sergiu Gatlan. “Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks.” BleepingComputer, May 14, 2026. https://www.bleepingcomputer.com/news/security/cisco-warns-of-new-critical-sd-wan-flaw-exploited-in-zero-day-attacks/
Related edge-device risk: SonicWall Gen6 SSL-VPN admins should also review the newer CVE-2024-12802 MFA bypass guidance, because incomplete remediation can leave VPN access exposed even when MFA appears enabled.