Blog Trainings Request a Demo Login
Get Your Free Report
Start for Free
SOCRadar® Cyber Intelligence Inc. | CVE-2026-20182: Cisco Catalyst SD-WAN Auth Bypass Added to CISA KEV
Table Of Content
Related Articles
SOCRadar® Cyber Intelligence Inc. | CVE-2026-20230: Cisco Unified CM WebDialer SSRF Can Lead to Root-Level Compromise
CVE-2026-20230: Cisco Unified CM WebDialer SSRF Can Lead to Root-Level Compromise
Jun 05, 2026
SOCRadar® Cyber Intelligence Inc. | HTTP/2 Bomb: How Default Configurations Open a New DoS Vector
HTTP/2 Bomb: How Default Configurations Open a New DoS Vector
Jun 04, 2026
SOCRadar® Cyber Intelligence Inc. | CVE-2025-48595: June 2026 Android Security Update Fixes Framework Zero-Day
CVE-2025-48595: June 2026 Android Security Update Fixes Framework Zero-Day
Jun 03, 2026
SOCRadar® Cyber Intelligence Inc. | Charter Data Breach: ShinyHunters Claims 42 Million Records Stolen on the Dark Web
Charter Data Breach: ShinyHunters Claims 42 Million Records Stolen on the Dark Web
May 29, 2026
SOCRadar® Cyber Intelligence Inc. | April 2026: ShinyHunters Hits Medtronic and ADT as North Korean Hackers Drain DeFi Protocols
April 2026: ShinyHunters Hits Medtronic and ADT as North Korean Hackers Drain DeFi Protocols
May 29, 2026
Free Dark Web Report
Is your Domain/Email Exposed?
May 15, 2026
5 Mins Read
Moon

CVE-2026-20182: Cisco Catalyst SD-WAN Auth Bypass Added to CISA KEV

Cisco has disclosed CVE-2026-20182, a critical authentication bypass affecting Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage).

The flaw is in the peering authentication / control-connection handshake process and can allow an unauthenticated remote attacker to bypass authentication and gain administrative privileges by authenticating as a high-privileged internal, non-root account. There are reports of active exploitation in the wild, and the vulnerability is reported as added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, making this a high-priority patching item.

This post covers what the bug is, what it means for SD-WAN environments, and what defenders should do now.

What Is CVE-2026-20182?

CVE-2026-20182 (CVSS 10.0) is an authentication bypass (CWE-287) in Cisco’s Catalyst SD-WAN control-plane components. Cisco describes the root issue as a peering authentication mechanism that does not work correctly, allowing an attacker to send crafted requests that bypass expected authentication checks during peering or control-connection establishment.

Details of CVE-2026-20182 (SOCRadar Vulnerability Intelligence)

Details of CVE-2026-20182 (SOCRadar Vulnerability Intelligence)

This is not a “weak password” case or a misconfiguration. It is a logic failure in how the system validates trust during the connection handshake, which is why it can be triggered remotely and without credentials.

Which Cisco Products Are Affected?

Cisco identifies the affected products as:

  • Cisco Catalyst SD-WAN Controller (formerly vSmart)
  • Cisco Catalyst SD-WAN Manager (formerly vManage)

Specific affected and fixed versions are published in Cisco’s advisory. For remediation decisions, rely on Cisco’s “fixed in” guidance for your exact release train.

How Does Exploitation Work, and What Access Does an Attacker Gain?

Exploitation is described as remote and unauthenticated. An attacker sends crafted requests that exploit the broken peering authentication or control-connection handshake logic.

If exploitation succeeds, the attacker can obtain administrative privileges by authenticating as a high-privileged internal, non-root account. While that is not root access by itself, it still carries high impact because SD-WAN controller and manager roles drive fabric orchestration.

In SD-WAN environments, “admin in the control plane” often means the ability to change policy, including how sites route traffic, which paths are preferred, and how segmentation is applied.

Why Does CVE-2026-20182 Matter So Much in SD-WAN Environments?

SD-WAN controllers and managers are high-leverage systems. With administrative access, an attacker may be able to:

  • Modify fabric configuration and policy to redirect, observe, or disrupt traffic flows
  • Change device enrollment, templates, or authentication posture across the environment
  • Use management-plane mechanisms to push broad changes across sites

In reporting tied to broader Cisco SD-WAN exploitation activity, post-compromise behaviors have included SSH key injection, NETCONF configuration manipulation, malicious account creation, and log clearing.

Some campaign context also suggests that actors may chain control-plane access with additional steps, such as a version-downgrade tactic to expose older flaws (for example CVE-2022-20775) to reach root, then restore versions to help conceal activity. That is not presented as a requirement to exploit CVE-2026-20182, but it matters when modeling worst-case outcomes.

Is CVE-2026-20182 Actively Exploited, and What Is the CISA KEV Context?

Yes. Cisco indicates limited active exploitation in the wild. The vulnerability has also been added to CISA’s KEV catalog on May 14, 2026. In accordance with this entry, CISA mandates that federal agencies complete remediation for the flaw prior to the May 17, 2026, enforcement date.

CISA KEV listing for CVE-2026-20182 

CISA KEV listing for CVE-2026-20182

Who Is Behind the Active Exploitation of CVE-2026-20182?

Active exploitation has been attributed to UAT-8616, a highly sophisticated threat actor tracked by Cisco Talos that has been targeting Cisco SD-WAN infrastructure since at least 2023 – previously exploiting a similar authentication bypass in the same component, CVE-2026-20127.

Strengthen Your Threat Intelligence with SOCRadar

Security teams managing complex network infrastructure need more than alerts; they need context. SOCRadar Cyber Threat Intelligence monitors threat actor activity, CVE developments, exploit maturity, Dark Web discussions, and emerging IOCs, helping your team prioritize what demands immediate action.

In parallel, SOCRadar Attack Surface Management (ASM) continuously tracks your internet-facing assets and exposed services, so vulnerabilities like this one do not catch you off guard.

SOCRadar’s Vulnerability Intelligence

SOCRadar’s Vulnerability Intelligence

What Should Defenders Do Now to Reduce Risk?

Prioritize patching and treat this as an emergency change

Cisco states no workarounds are available, so the primary mitigation is to apply Cisco’s fixed software as described in the vendor advisory. For most organizations, that means prioritizing SD-WAN Manager and Controller upgrades ahead of normal upgrade cycles.

Treat management-plane exposure as high impact

If SD-WAN management components are reachable from untrusted networks, reduce exposure as part of the response plan. Even if systems are not internet-facing, review internal routes and lateral movement paths that could allow an attacker to reach these services.

Perform compromise assessment before and after the upgrade

Cisco’s guidance includes an Indicators of Compromise section and operational checks (including “Show Control Connections” guidance). Cisco also describes a workflow that includes engaging TAC and uploading admin-tech bundles for scanning. If those checks return clean, Cisco’s stated guidance indicates no further action beyond upgrading is required.

Hunt for high-signal post-compromise behaviors

Given the privilege level and SD-WAN’s role, focus reviews on:

  • Unexpected admin user creation or privilege changes
  • SSH authorized_keys changes and newly added keys
  • NETCONF-related configuration changes where applicable
  • Signs of log clearing or unexplained logging gaps around suspected access times