CISA KEV Alert 5/14/2026, 5:51:25 PM

CVE-2026-20182 Flaw in Cisco SDWAN Lets

CyberSIXT Evidence Panel: source marked as original reporting
Primary source: cisa.gov
CISA KEV: listed in KEV
Patch: patch status unknown

CISA has added CVE‑2026-20182 to its Known Exploited Vulnerabilities catalogue, affecting Cisco Catalyst SD‑WAN Controller and Manager products. The vulnerability, named the Cisco Catalyst SD‑WAN Controller Authentication Bypass Vulnerability, allows an unauthenticated remote attacker to bypass authentication and gain administrative privileges on an affected system.

The flaw is an authentication bypass in the SD‑WAN management interface that can be exploited over the network without prior credentials, leading to full administrative control. It carries a CVSS v3.1 base score of 10.0, rated CRITICAL. No patch or advisory is currently available from Cisco, and the patch status is listed as unknown.

Active exploitation has been confirmed, which is the basis for its inclusion in the KEV catalogue; there is no publicly known ransomware campaign leveraging this CVE at this time. CISA has set a remediation deadline of 17 May 2026 for federal civilian executive branch (FCEB) agencies to apply mitigations or otherwise address the exposure.

CISA’s required action is to adhere to its guidelines to assess exposure and mitigate risks associated with Cisco SD‑WAN devices as outlined in Emergency Directive 26‑03 and the Hunt & Hardening Guidance for Cisco SD‑WAN Systems. Agencies must also follow the applicable BOD 22‑01 guidance for cloud services or discontinue use of the product if mitigations cannot be applied. All organisations should review their Cisco SD‑WAN deployments for exposure and implement the recommended mitigations where possible.

For full technical details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-20182 and the CISA KEV catalogue.


Article by CyberSIXT
