Critical Cisco Catalyst SD-WAN Auth Bypass (CVE-2026-20182) Under Active Exploitation

CVE-2026-20182 is a critical authentication bypass in Cisco Catalyst SD-WAN Controller and Manager with a CVSS score of 10.0. CISA added it to the Known Exploited Vulnerabilities catalog on May 14, 2026 with a federal remediation deadline of May 17. Patches are available for every supported release, and Cisco has confirmed there are no workarounds. If you run Catalyst SD-WAN, upgrade now.

What is CVE-2026-20182?

CVE-2026-20182 is a flaw in the peering authentication mechanism used by Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). An unauthenticated, remote attacker can send crafted requests that log them in as a high-privileged, non-root internal account. From there, the attacker can access NETCONF and manipulate network configuration across the entire SD-WAN fabric.

The vulnerability was discovered during the investigation into CVE-2026-20127, a related authentication bypass disclosed in February 2026. Cisco credits Stephen Fewer and Jonah Burgess of Rapid7 for reporting it. The weakness type is CWE-287: Improper Authentication.

What products and versions are affected?

The vulnerability affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager regardless of device configuration. According to Cisco's security advisory, all deployment models are affected:

  • On-Prem Deployment
  • Cisco SD-WAN Cloud-Pro
  • Cisco SD-WAN Cloud (Cisco Managed) — patched by Cisco in release 20.15.506, no user action required
  • Cisco SD-WAN for Government (FedRAMP)

How severe is it?

Cisco assigned CVE-2026-20182 a CVSS 3.1 base score of 10.0 with vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. Exploitation requires no authentication, no user interaction, and only network access to the affected system. The scope-changed score reflects that a compromised Controller or Manager gives the attacker administrative reach across every device in the SD-WAN fabric, not just the local box.

Exploitation is confirmed. Cisco's Product Security Incident Response Team (PSIRT) has acknowledged limited exploitation in the wild, and Cisco Talos is tracking ongoing exploitation tied to a sophisticated threat actor cluster known as UAT-8616. CISA added the CVE to its KEV catalog on May 14, 2026 with an FCEB action deadline of May 17.

Are patches available?

Yes. Cisco has released fixed software for every supported release. There are no workarounds.

Cisco Catalyst SD-WAN Release    First Fixed Release
Earlier than 20.9                Migrate to a fixed release
20.9                             20.9.9.1
20.10                            20.12.7.1
20.11                            20.12.7.1
20.12                            20.12.5.4, 20.12.6.2, or 20.12.7.1
20.13                            20.15.5.2
20.14                            20.15.5.2
20.15                            20.15.4.4 or 20.15.5.2
20.16                            20.18.2.2
20.18                            20.18.2.2
26.1                             26.1.1.1

Cisco SD-WAN Cloud (Cisco Managed) customers are already patched in release 20.15.506. Several older branches (20.11, 20.13, 20.14, 20.16) have reached end of software maintenance and require migration to a supported release.

What should you do right now?

  1. Capture forensic data before upgrading. Cisco recommends running the request admin-tech command on each control component in your SD-WAN deployment to preserve any indicators of compromise. Collect the admin-tech file first, then upgrade.
  2. Patch immediately. Apply the fixed release for your branch from the table above. FCEB agencies have a May 17, 2026 deadline under CISA Emergency Directive 26-03; private-sector operators of internet-reachable Controllers should treat the same urgency as a floor.
  3. Plan migrations for end-of-maintenance branches. If you're running 20.11, 20.13, 20.14, 20.16, or anything earlier than 20.9, a point upgrade isn't an option. Schedule the migration to a supported release.
  4. Follow CISA's hunt and hardening guidance. The Supplemental Direction to ED 26-03 walks through assessing potential compromise on Catalyst SD-WAN systems and is worth reading even if you're not a federal agency.
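The step-2 lookup ("apply the fixed release for your branch from the table above") is where most fleets go wrong, because the 20.12 and 20.15 branches carry several fixed releases and a plain numeric comparison gets it wrong: 20.12.6.0 is numerically above 20.12.5.4 but still vulnerable, since its own maintenance train is only fixed from 20.12.6.2. The script below is an added example, not code from Halo Security or Cisco. It transcribes the advisory's first-fixed table, then triages a constructed inventory of Controllers and Managers into fixed / vulnerable / migrate / unknown. Two interpretations are assumptions of this example, not statements from the advisory: a running release is compared against the fixed release in the same maintenance train (first three version components equal) when one is listed, otherwise against the highest fixed release on that branch; and a branch whose fix lives on a different branch (for instance 20.13, fixed in 20.15.5.2) is treated as a migration for every running version. Hostnames and versions in the sample inventory are made up.

```python
"""Triage a Catalyst SD-WAN control-plane inventory against the CVE-2026-20182
first-fixed release table. Added example; the table values come from the
advisory summary above, the matching rules are this script's own assumptions."""
from dataclasses import dataclass
from typing import Optional

# First-fixed releases per branch, transcribed from the table above.
FIRST_FIXED = {
    "20.9": ["20.9.9.1"],
    "20.10": ["20.12.7.1"],
    "20.11": ["20.12.7.1"],
    "20.12": ["20.12.5.4", "20.12.6.2", "20.12.7.1"],
    "20.13": ["20.15.5.2"],
    "20.14": ["20.15.5.2"],
    "20.15": ["20.15.4.4", "20.15.5.2"],
    "20.16": ["20.18.2.2"],
    "20.18": ["20.18.2.2"],
    "26.1": ["26.1.1.1"],
}
OLDEST_SUPPORTED = (20, 9)  # "Earlier than 20.9" rows must migrate


def parse_version(text: str) -> tuple:
    """'20.12.6.0' -> (20, 12, 6, 0). Anything non-numeric is rejected so a
    typo in the inventory fails loudly instead of being judged 'fixed'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable release string: {text!r}")
    return tuple(int(p) for p in parts)


def branch_of(v: tuple) -> str:
    return f"{v[0]}.{v[1]}"


@dataclass
class Verdict:
    host: str
    running: str
    status: str            # "fixed", "vulnerable", "migrate" or "unknown"
    target: Optional[str]  # release to move to when action is needed


def assess(host: str, running: str) -> Verdict:
    v = parse_version(running)
    if len(v) < 2:
        return Verdict(host, running, "unknown", None)
    if v[:2] < OLDEST_SUPPORTED:
        return Verdict(host, running, "migrate", None)
    branch = branch_of(v)
    fixes = FIRST_FIXED.get(branch)
    if fixes is None:
        # Branch absent from the table: do not guess, send it to a human.
        return Verdict(host, running, "unknown", None)
    fixed_versions = [parse_version(f) for f in fixes]

    # Cross-branch fix (e.g. 20.13 -> 20.15.5.2): no point release on the
    # running branch carries the fix, so every host here must migrate.
    if all(branch_of(f) != branch for f in fixed_versions):
        return Verdict(host, running, "migrate", max(fixes, key=parse_version))

    # Same-branch fix (assumption of this example): judge the running release
    # against the fixed release in its own maintenance train when one exists,
    # so 20.12.6.0 is compared with 20.12.6.2 rather than the numerically
    # lower 20.12.5.4. With no matching train, use the highest fixed release.
    same_train = [f for f in fixed_versions if f[:3] == v[:3]]
    reference = same_train[0] if same_train else max(fixed_versions)
    if v >= reference:
        return Verdict(host, running, "fixed", None)
    return Verdict(host, running, "vulnerable", ".".join(map(str, reference)))


def triage(inventory: dict) -> list:
    """Assess every host; sorted so the report is stable across runs."""
    return [assess(host, release) for host, release in sorted(inventory.items())]


# Constructed sample inventory (made-up hostnames and releases).
SAMPLE_INVENTORY = {
    "vmanage-dc1": "20.12.6.0",     # above 20.12.5.4 numerically, still vulnerable
    "vsmart-dc1": "20.12.5.4",      # first fixed release of its train
    "vsmart-dc2": "20.9.8.3",       # point upgrade to 20.9.9.1
    "vmanage-lab": "20.13.1.2",     # end-of-maintenance branch, migrate
    "vsmart-legacy": "20.6.5.1",    # earlier than 20.9, migrate
    "vmanage-branch": "20.18.2.2",  # already fixed
}

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        action = f" -> {r.target}" if r.target else ""
        print(f"{r.host:16} {r.running:12} {r.status}{action}")
```

Run it against your own export of running releases; anything reported as "unknown" means the branch is not in the advisory table and should be checked by hand, and every "migrate" host belongs on the step-3 migration schedule rather than in the patch queue.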

How Halo Security can help

Halo Security's Server Scanning can automatically detect your internet-facing exposures, including affected Cisco Catalyst SD-WAN Controllers and Managers. That visibility lets your team move straight to patching instead of hunting through inventory spreadsheets to figure out where the affected systems live.

FAQ

Is CVE-2026-20182 being actively exploited?

Yes. Cisco PSIRT has confirmed limited exploitation in the wild, and Cisco Talos is tracking ongoing exploitation tied to a threat actor cluster known as UAT-8616. CISA added the CVE to its Known Exploited Vulnerabilities catalog on May 14, 2026.

Are there workarounds if we can't patch immediately?

No. Cisco's advisory explicitly states there are no workarounds. The only remediation is upgrading to a fixed software release. If you can't upgrade right away, restricting management plane reachability and reviewing access controls helps reduce exposure, but it does not address the underlying vulnerability.

What's the difference between CVE-2026-20182 and CVE-2026-20127?

Both are critical authentication bypass vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager, and both stem from broken peering authentication logic. CVE-2026-20127 was disclosed in February 2026. CVE-2026-20182 was discovered during the follow-up investigation and addresses a separate flaw in the control connection handshaking. They require separate patches.

How quickly do I need to patch?

If your Catalyst SD-WAN Controller or Manager is reachable from the internet, treat this as same-day urgency. CISA gave federal agencies a three-day window under Emergency Directive 26-03, and active exploitation is confirmed. For internally deployed instances behind strict network controls, the timeline is more flexible but should still be measured in days, not weeks.

Will this affect Cisco-managed cloud customers?

Cisco has already patched Cisco SD-WAN Cloud (Cisco Managed) deployments in release 20.15.506. No customer action is required for that deployment type. On-Prem, Cloud-Pro, and FedRAMP customers must upgrade themselves.

Stay ahead of critical CVEs

When a new KEV addition like CVE-2026-20182 lands, the practitioners who recover fastest are the ones who already know where the affected technology lives on their attack surface. Halo Security's External Vulnerability Management makes that lookup take seconds, not days, so your team can focus on the work that actually closes the exposure.