Cisco warns of critical SD-WAN flaw exploited in zero-day attacks
At a glance:
- Cisco has disclosed CVE-2026-20182, a critical authentication bypass flaw in Catalyst SD-WAN Controller and Manager with a CVSS score of 10.0 that was actively exploited in zero-day attacks.
- The flaw allows attackers to gain administrative privileges and manipulate network configuration for the entire SD-WAN fabric by inserting rogue devices.
- CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to patch by May 17, 2026; Rapid7 discovered the issue while researching a related flaw, CVE-2026-20127, that has been exploited since 2023 by threat actor UAT-8616.
The vulnerability and how it works
Cisco is warning that a critical flaw in its Catalyst SD-WAN Controller, tracked as CVE-2026-20182, has been actively exploited in the wild. The vulnerability carries a maximum severity rating of 10.0 on the CVSS scale and impacts both Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager in on-premises and SD-WAN Cloud deployments. According to the advisory published by Cisco, the issue stems from a peering authentication mechanism that "is not working properly."
The advisory states: "An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric."
Cisco Catalyst SD-WAN is a software-based networking platform that connects branch offices, data centers, and cloud environments through a centrally managed system. It uses a controller to securely route traffic between sites over encrypted connections, making it a cornerstone of enterprise wide-area networking for thousands of organizations. An attacker who compromises the controller can therefore reach deep into the network fabric.
Active exploitation and threat actor history
Cisco says it detected threat actors exploiting CVE-2026-20182 in May, but has not shared details about the specific attack chain. The company did share indicators of compromise that admins can use to check for unauthorized peering events in SD-WAN Controller logs, which could indicate attempts to register rogue devices within the SD-WAN fabric.
The technique is well-established. By adding a rogue peer, an attacker can insert a malicious device into the SD-WAN environment that appears legitimate. That device can then establish encrypted connections and advertise networks under the attacker's control, potentially allowing them to move deeper into an organization's network. This mirrors a pattern seen in CVE-2026-20127, a related vulnerability that was fixed in February 2026.
CVE-2026-20127 was also exploited in zero-day attacks by a threat actor tracked as "UAT-8616" since 2023, and was used to create rogue peers in target organizations. The discovery of CVE-2026-20182 by Rapid7 came while the security firm was researching CVE-2026-20127, suggesting that attackers may be methodically probing the same attack surface.
Indicators of compromise and detection steps
Cisco is urging organizations to review logs from any internet-exposed Catalyst SD-WAN Controller systems for events that may indicate unauthorized access or peering events. The company points admins to specific log entries they should check:
- Review /var/log/auth.log for entries showing "Accepted publickey for vmanage-admin" from unknown IP addresses, for example:
  2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from port [REDACTED PORT] ssh2: RSA SHA256:[REDACTED KEY]
- Compare the IP addresses in the logs with the configured System IPs listed in the Cisco Catalyst SD-WAN Manager web UI, under WebUI > Devices > System IP.
- Review SD-WAN Controller logs for unauthorized peering activity, such as:
  Jul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005
If an unknown IP address successfully authenticated, Cisco recommends treating the device as compromised and opening a Cisco TAC case immediately.
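The two checks Cisco describes, as an added example that is not from Cisco's advisory: it parses constructed auth.log and VDAEMON lines modelled on the entries above and flags vmanage-admin key logins and "up" peerings whose IPs are not in an assumed inventory allowlist (KNOWN_SYSTEM_IPS and KNOWN_PUBLIC_IPS, which you would export from the Manager's Devices > System IP view yourself).

```python
import re

# Constructed sample lines modelled on the two log entries Cisco cites in its
# advisory; every IP address, port and key fingerprint below is made up.
AUTH_LOG = """\
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from 192.168.3.20 port 41022 ssh2: RSA SHA256:AAAA
2026-02-10T22:53:02+00:00 vm sshd[811]: Accepted publickey for vmanage-admin from 198.51.100.77 port 55020 ssh2: RSA SHA256:BBBB
2026-02-10T22:55:10+00:00 vm sshd[820]: Failed password for admin from 203.0.113.9 port 40000 ssh2
"""
VDAEMON_LOG = """\
Jul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005
Jul 26 22:04:01 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.99 public-ip:198.51.100.77 public-port:12346 domain-id:1 site-id:1005
Jul 26 22:05:15 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:down peer-type:vmanage peer-system-ip:1.1.1.99 public-ip:198.51.100.77 public-port:12346 domain-id:1 site-id:1005
"""

# Assumed inventory (not from the advisory): System IPs and public IPs of the
# devices listed under Devices > System IP in the Manager UI.
KNOWN_SYSTEM_IPS = {"1.1.1.10"}
KNOWN_PUBLIC_IPS = {"192.168.3.20"}

AUTH_RE = re.compile(r"Accepted publickey for vmanage-admin from (\S+) port \d+")
PEER_RE = re.compile(r"new-state:(\S+) peer-type:(\S+) peer-system-ip:(\S+) public-ip:(\S+)")

def suspicious_logins(auth_log, known_ips):
    """Source IPs of successful vmanage-admin key logins that are not in the inventory."""
    return [m.group(1) for line in auth_log.splitlines()
            if (m := AUTH_RE.search(line)) and m.group(1) not in known_ips]

def suspicious_peers(vdaemon_log, known_system_ips, known_public_ips):
    """(peer-system-ip, public-ip) of peerings that came up from an unknown
    system IP or an unknown public IP; 'down' transitions are ignored."""
    hits = []
    for line in vdaemon_log.splitlines():
        m = PEER_RE.search(line)
        if not m or m.group(1) != "up":
            continue
        _state, _ptype, sys_ip, pub_ip = m.groups()
        if sys_ip not in known_system_ips or pub_ip not in known_public_ips:
            hits.append((sys_ip, pub_ip))
    return hits

if __name__ == "__main__":
    print("unknown vmanage-admin logins:", suspicious_logins(AUTH_LOG, KNOWN_PUBLIC_IPS))
    print("unknown peerings:", suspicious_peers(VDAEMON_LOG, KNOWN_SYSTEM_IPS, KNOWN_PUBLIC_IPS))
```

Any hit from either function is the "unknown IP successfully authenticated" condition Cisco says should be treated as a compromise.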
Remediation and CISA action
Cisco has released security updates to address CVE-2026-20182 and says there are no workarounds that fully mitigate the issue. The company strongly recommends upgrading to a fixed software release as the only way to fully remediate the vulnerability. In the interim, Cisco advises restricting access to SD-WAN management and control-plane interfaces to trusted internal networks or to authorized IP addresses only, and reviewing authentication logs for suspicious login activity.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20182 to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to patch affected devices by May 17, 2026. This is a significant escalation, as inclusion in the KEV catalog triggers mandatory remediation deadlines for government networks and typically signals that active exploitation is widespread enough to warrant urgent action.
What organizations should do next
Organizations running Cisco Catalyst SD-WAN Controller or Manager — whether in on-premises deployments or in the SD-WAN Cloud — should treat this as an immediate priority. The combination of a CVSS 10.0 score, confirmed active exploitation, and a CISA patch deadline gives the vulnerability the highest possible urgency rating. Admins should audit their environments for the IOC patterns Cisco provided, apply the available security updates as soon as possible, and restrict management-plane access to known trusted networks.
The discovery chain — Rapid7 finding CVE-2026-20182 while investigating CVE-2026-20127, which has been exploited since 2023 — raises questions about whether other related flaws remain undiscovered. Organizations should also review their incident-response plans for SD-WAN compromise scenarios, given that a rogue peer can appear fully legitimate within the fabric and move laterally using encrypted tunnels.
Why it matters for enterprise networking
The exposure of a critical authentication bypass in a platform that underpins branch-office connectivity, data-center interconnects, and cloud-to-cloud traffic routing has broad implications. Cisco Catalyst SD-WAN is widely deployed across mid-market and enterprise environments, and an attacker who can manipulate the SD-WAN fabric can redirect, intercept, or disrupt traffic across an entire organization. The fact that the flaw involves peering authentication — a mechanism meant to verify that only authorized devices join the overlay network — makes the attack particularly stealthy, because compromised devices inherit the trust relationships of the legitimate fabric.
For security teams, this incident underscores the importance of monitoring control-plane logs and treating any unauthorized peering event as a potential breach indicator. It also highlights the risk surface of centrally managed networking platforms, where a single compromised controller can grant an attacker control over the entire wide-area network.
Prepared by the editorial stack from public data and external sources.