Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks

Cisco warns that a critical Catalyst SD-WAN Controller bypass flaw, tracked as CVE-2026-20182, was actively exploited in a zero-day attack that allowed attackers to gain administrative privileges on compromised devices.
CVE-2026-20182 has a maximum severity of 10.0 and affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager in on-prem and SD-WAN Cloud deployments.
In an advisory published today, Cisco said the issue stems from a “malfunctioning” authentication mechanism.
“This vulnerability exists because the view authentication method on the affected system does not work properly. An attacker could exploit this vulnerability by sending obfuscated requests to the affected system,” reads Cisco advisory CVE-2026-20182.
“A successful exploit may allow an attacker to log into an affected Cisco Catalyst SD-WAN controller as an internal, highly privileged, non-root user account. Using this account, an attacker can access NETCONF, which then allows the attacker to manipulate the network configuration of the SD-WAN fabric.”
Cisco Catalyst SD-WAN is a software-based networking platform that connects branch offices, data centers, and cloud environments through a centrally managed system. It uses a controller to securely route traffic between sites over an encrypted connection.
The company said it had discovered malicious actors exploiting the flaw in May, but did not provide details about how it was exploited.
However, the shared indicators of compromise (IOCs) tell administrators to monitor for unauthorized peering events in the SD-WAN Controller log, which can indicate attempts to enroll rogue devices in the SD-WAN fabric.
By adding a rogue peer, an attacker can install a malicious device into a seemingly legitimate SD-WAN environment. That device may establish encrypted connections and advertise networks under the attacker’s control, potentially allowing them to penetrate deep into an organization’s network.
The flaw was discovered by Rapid7 while researching a Cisco SD-WAN controller vulnerability, tracked as CVE-2026-20127, which was patched in February.
CVE-2026-20127 was also exploited in a zero-day attack by a threat actor tracked as “UAT-8616” from 2023 to create malicious peers in organizations.
Cisco has released security updates to address the vulnerability and says there are no workarounds that fully mitigate the issue.
The company also recommends restricting access to SD-WAN management and control-plane interfaces to trusted internal networks or authorized IP addresses only, and reviewing authentication logs for suspicious activity.
CISA added CVE-2026-20182 to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to patch affected devices by May 17, 2026.
Indicators of compromise
Cisco encourages organizations to review logs from any Catalyst SD-WAN Controller systems exposed to the Internet for events that may indicate unauthorized access or unauthorized peering.
The company says administrators should review /var/log/auth.log for entries showing "Accepted publickey for vmanage-admin" from unknown IP addresses:
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from port [REDACTED PORT] ssh2: RSA SHA256:[REDACTED KEY]
Administrators should compare the source IP addresses in these log entries with the configured System IPs listed in the Cisco Catalyst SD-WAN Manager web UI, under WebUI > Devices > System IP.
If an unknown IP address is successfully authenticated, administrators should consider the device vulnerable and open a Cisco TAC case.
Cisco also recommends reviewing SD-WAN Controller logs for unauthorized peering activity, as attackers may attempt to register rogue devices within the SD-WAN fabric. Control-connection events look like the following:
Jul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005
Cisco strongly recommends upgrading to a fixed software release, as this is the only way to fully fix CVE-2026-20182.
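As an added example (not Cisco's tooling and not from the advisory), the following Python script applies both log checks described above to constructed sample lines: it flags "Accepted publickey for vmanage-admin" SSH logins whose source IP is not one of the configured System IPs, and flags control-connection "up" events on the Controller whose peer-system-ip is not a known fabric member. The sample log lines are constructed for the example; the sshd line includes a source IP, which the page's own redacted sample omits; and the set of known System IPs is a hypothetical placeholder for the list you would export from the Manager UI.

```python
import re

# Hypothetical set of System IPs configured in SD-WAN Manager (WebUI > Devices > System IP).
# Replace with the real list exported from your deployment.
KNOWN_SYSTEM_IPS = {"1.1.1.10", "1.1.1.20"}

# Constructed /var/log/auth.log lines (not from the advisory). Line 2 is a login
# from an address that is not a configured System IP.
AUTH_LOG = [
    "2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin "
    "from 1.1.1.10 port 51022 ssh2: RSA SHA256:AAAA",
    "2026-02-10T23:02:11+00:00 vm sshd[911]: Accepted publickey for vmanage-admin "
    "from 203.0.113.77 port 40112 ssh2: RSA SHA256:BBBB",
    "2026-02-10T23:05:00+00:00 vm sshd[950]: Accepted password for admin "
    "from 1.1.1.20 port 50000 ssh2",
]

# Constructed Controller (vSmart) VDAEMON lines (not from the advisory). Line 2 is
# a peer whose system IP is unknown to the fabric; line 3 is the same peer going down.
VSMART_LOG = [
    "Jul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: "
    "control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 "
    "public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005",
    "Jul 26 22:10:02 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: "
    "control-connection-state-change new-state:up peer-type:vedge peer-system-ip:1.1.1.99 "
    "public-ip:198.51.100.23 public-port:12346 domain-id:1 site-id:9999",
    "Jul 26 22:11:40 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: "
    "control-connection-state-change new-state:down peer-type:vedge peer-system-ip:1.1.1.99 "
    "public-ip:198.51.100.23 public-port:12346 domain-id:1 site-id:9999",
]

# sshd "Accepted publickey" line: capture user, source IP and port.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# VDAEMON control-connection event: capture state, peer type, peer system IP and public IP.
PEER_RE = re.compile(
    r"control-connection-state-change new-state:(?P<state>\S+) "
    r"peer-type:(?P<ptype>\S+) peer-system-ip:(?P<sysip>\S+) "
    r"public-ip:(?P<pubip>\S+)"
)


def suspicious_logins(lines, trusted_ips, user="vmanage-admin"):
    """Return (source_ip, line) for key-based logins as `user` from untrusted addresses."""
    hits = []
    for line in lines:
        m = SSHD_RE.search(line)
        if m and m.group("user") == user and m.group("ip") not in trusted_ips:
            hits.append((m.group("ip"), line))
    return hits


def unexpected_peers(lines, known_system_ips):
    """Return (peer_type, peer_system_ip, public_ip) for control connections that
    came up from a peer whose system IP is not in the known fabric inventory."""
    hits = []
    for line in lines:
        m = PEER_RE.search(line)
        if not m or m.group("state") != "up":
            continue  # only new "up" connections indicate a (possibly rogue) join
        if m.group("sysip") not in known_system_ips:
            hits.append((m.group("ptype"), m.group("sysip"), m.group("pubip")))
    return hits


if __name__ == "__main__":
    for ip, line in suspicious_logins(AUTH_LOG, KNOWN_SYSTEM_IPS):
        print(f"[auth.log] vmanage-admin login from unknown IP {ip}: {line}")
    for ptype, sysip, pubip in unexpected_peers(VSMART_LOG, KNOWN_SYSTEM_IPS):
        print(f"[vsmart] unknown {ptype} peer system-ip={sysip} public-ip={pubip}")
```

Run it against real files by replacing the constructed lists with the contents of /var/log/auth.log on the Manager and the Controller's VDAEMON log, and the placeholder set with the System IPs exported from the Manager UI. A match in either check is a reason to treat the device as compromised and open a Cisco TAC case, not a reason to start remediation on your own, since the rogue peer may already have pushed configuration over NETCONF.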




