CVE- 2026-20182 is a critical authentication bypass affecting Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage), with the flaw residing in the peering authentication and control-connection handshake. Exploitation is described as remote and unauthenticated, allowing an attacker to obtain administrative privileges by authenticating as a high-privileged internal, non-root account.
There are reports of active exploitation in the wild, and the vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, with enforcement for federal agencies set around 17 May 2026. Cisco identifies the affected products and directs reliance on its advisory for fixed, version-specific guidance, noting that Cisco states there are no workarounds available and upgrades to fixed software are essential.
According to Cisco Talos, active exploitation has been observed and a threat actor known as UAT-8616 has been associated with targeting Cisco SD-WAN infrastructure since 2023. Defenders are advised to prioritise patching, treat management-plane exposure as high impact, and perform compromise assessment before and after upgrades.