Cisco SD-WAN Zero-Day Exploited Since May—CVSS 10.0
CVE-2026-20182 allows unauthenticated attackers to inject rogue peers into Cisco SD-WAN fabrics. Active exploitation since May; no workaround available—patch immediately.
Cisco disclosed a maximum-severity authentication bypass in its Catalyst SD-WAN Controller that attackers have been exploiting since at least May 2026. There's no workaround—organizations must patch or face rogue devices injecting into their network fabric.
CVE-2026-20182 scores CVSS 10.0, the highest possible rating. The flaw stems from a faulty peering authentication mechanism that allows unauthenticated remote attackers to send crafted requests and gain access as a high-privileged user. From there, attackers can manipulate SD-WAN configurations via NETCONF and inject attacker-controlled network routes.
Active Exploitation Timeline
Threat actors began exploiting CVE-2026-20182 in May 2026, according to Cisco's advisory. The activity overlaps with earlier exploitation of a related zero-day, CVE-2026-20127, which Rapid7 discovered in February and attributed to a threat actor tracked as UAT-8616.
The attack pattern involves injecting rogue peer devices into the SD-WAN environment. Once established, these malicious peers create encrypted connections and advertise attacker-controlled networks, enabling lateral movement across the WAN fabric. In enterprise deployments spanning multiple sites, a compromised controller can redirect traffic through attacker infrastructure—enabling interception, manipulation, or disruption of inter-site communications.
Affected Products
The vulnerability affects both on-premises and cloud deployments of:
- Cisco Catalyst SD-WAN Controller
- Cisco Catalyst SD-WAN Manager
Cisco has released patched software addressing the flaw. No configuration changes or workarounds can mitigate the issue—upgrading is the only remediation path.
Why SD-WAN Controllers Are High-Value Targets
SD-WAN controllers orchestrate routing policy across geographically distributed networks. Compromising the controller grants attackers influence over traffic flows that traditional edge-focused attacks cannot achieve. An attacker who controls routing can redirect sensitive traffic to interception points, inject malicious responses, or create denial-of-service conditions affecting entire regions.
This architectural position makes SD-WAN controllers attractive to nation-state actors and sophisticated criminal groups alike. The UAT-8616 threat actor linked to CVE-2026-20127 exploitation has not been publicly attributed, but the targeting pattern—enterprise WAN infrastructure—aligns with espionage and pre-positioning objectives.
CISA Mandate
CISA mandated federal agencies patch affected Cisco SD-WAN devices by May 17, 2026, adding CVE-2026-20182 to the Known Exploited Vulnerabilities catalog. Private-sector organizations should treat the federal deadline as a benchmark for their own patching urgency.
The timing creates complications: organizations that missed the May deadline are now operating vulnerable infrastructure that attackers have been targeting for over two months. Post-patch forensics become essential—simply updating doesn't remove persistence mechanisms or rogue peer configurations established during the exploitation window.
Hunting for Compromise
Cisco recommends reviewing /var/log/auth.log for suspicious "vmanage-admin" authentication entries that could indicate unauthorized access. Additionally:
- Audit SD-WAN Controller logs for unauthorized peering events
- Verify all configured peers against known-good inventory
- Restrict management access to trusted networks
- Check for configuration changes made outside documented change windows
For organizations with mature detection capabilities, behavioral anomalies in NETCONF traffic or unexpected BGP/OSPF adjacencies originating from SD-WAN infrastructure warrant immediate investigation.
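The two hunting steps that lend themselves to scripting are the auth-log review and the peer-inventory reconciliation. The following is an added example, not Cisco's tooling or anything from the advisory: it parses constructed syslog-style lines (the real /var/log/auth.log layout on a controller may differ) and flags "vmanage-admin" logins from outside an assumed trusted management range or outside an assumed change window, then compares a set of reported peers against a documented inventory. The CIDR, the window, the hostnames and every address are assumptions for illustration.

```python
"""Triage helpers for the hunting checklist above (added example; not Cisco code).
Log format, management range, change window and peer inventory are all
constructed assumptions, not values taken from the advisory."""
import ipaddress
import re
from datetime import datetime, time

# Constructed sample lines in a generic sshd/syslog shape. Only the second and
# fourth lines should be flagged by the policy below.
SAMPLE_AUTH_LOG = """\
2026-06-02T09:14:07 ctrl01 sshd[2311]: Accepted publickey for vmanage-admin from 10.20.5.14 port 51122
2026-06-02T03:41:55 ctrl01 sshd[2398]: Accepted password for vmanage-admin from 203.0.113.77 port 40412
2026-06-02T09:02:13 ctrl01 sshd[2450]: Accepted publickey for netops from 10.20.5.20 port 52210
2026-06-03T22:17:40 ctrl01 sshd[2601]: Accepted password for vmanage-admin from 10.20.5.14 port 53301
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

MGMT_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed trusted management range
CHANGE_WINDOW = (time(8, 0), time(18, 0))          # assumed documented change window
WATCHED_USER = "vmanage-admin"                     # account named in the advisory


def parse_auth_log(text):
    """Return one dict per successful-login line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def suspicious_logins(events, user=WATCHED_USER, mgmt_net=MGMT_NET, window=CHANGE_WINDOW):
    """Return (event, reasons) pairs for watched-user logins that break policy.

    Two policies from the checklist are encoded: the source must sit inside the
    trusted management network, and the login must fall inside the change window.
    """
    hits = []
    for ev in events:
        if ev["user"] != user:
            continue
        reasons = []
        try:
            src = ipaddress.ip_address(ev["src"])
        except ValueError:
            src = None
            reasons.append(f"unparseable source address {ev['src']!r}")
        if src is not None and src not in mgmt_net:
            reasons.append(f"source {src} outside management network {mgmt_net}")
        t = ev["ts"].time()
        if not (window[0] <= t <= window[1]):
            reasons.append(f"login at {t} outside change window {window[0]}-{window[1]}")
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed inventory: peer name -> documented address.
KNOWN_GOOD_PEERS = {"site-a-edge1": "10.30.1.1", "site-b-edge1": "10.30.2.1"}


def rogue_peers(configured, inventory=KNOWN_GOOD_PEERS):
    """Return {peer: finding} for peers missing from inventory or at a different address."""
    findings = {}
    for name, addr in configured.items():
        expected = inventory.get(name)
        if expected is None:
            findings[name] = f"not in inventory (reported address {addr})"
        elif expected != addr:
            findings[name] = f"address {addr} differs from inventory {expected}"
    return findings


if __name__ == "__main__":
    for ev, reasons in suspicious_logins(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(ev["ts"], ev["src"], "; ".join(reasons))
    # Constructed: what the controller currently reports, including one unknown peer.
    reported = {"site-a-edge1": "10.30.1.1", "site-b-edge1": "10.30.2.9",
                "site-z-edge1": "198.51.100.5"}
    for name, finding in rogue_peers(reported).items():
        print(name, finding)
```

Any peer that appears in the controller but not in the inventory, or at an address the inventory does not list, is a candidate for the rogue-peer pattern the advisory describes and should be pulled into the forensic review rather than simply deleted, since the peer's configuration and connection history are evidence.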
Broader Context
This marks Cisco's second critical SD-WAN vulnerability under active exploitation this year. We covered CVE-2026-20230, a related SSRF in Cisco Unified Communications Manager, last week—attackers used that flaw to deploy webshells across voice infrastructure.
The pattern suggests threat actors are systematically probing Cisco's network infrastructure product lines for authentication and access control weaknesses. Organizations running Cisco SD-WAN should review their exposure posture and ensure monitoring covers both the management plane and the underlying Linux hosts these controllers run on.
Related Articles
- Second Cisco SD-WAN Zero-Day Hits CISA KEV in Two Weeks (Jun 17, 2026): CVE-2026-20262 joins CVE-2026-20245 on CISA's exploited vulnerabilities list. Attackers deploy malicious .war files via path traversal to gain root access on Catalyst SD-WAN Manager.
- Cisco SD-WAN Zero-Day Exploited for Root Access — No Patch (Jun 6, 2026): CVE-2026-20245 lets attackers with netadmin credentials execute arbitrary commands as root on Cisco Catalyst SD-WAN Manager. Active exploitation confirmed, no fix available yet.
- Cisco SD-WAN CVSS 10 Flaw Under Active Attack — Patch Now (May 29, 2026): CVE-2026-20182 lets unauthenticated attackers gain admin access to Cisco Catalyst SD-WAN controllers. CISA adds to KEV with federal deadline. Here's what you need to know.
- Cisco SD-WAN Auth Bypass Hits CVSS 10.0, CISA Sets May 17 Deadline (May 15, 2026): CVE-2026-20182 allows unauthenticated attackers to gain admin access to Cisco Catalyst SD-WAN controllers. CISA added it to the KEV catalog after confirmed exploitation.