Cisco has released patches for another SD-WAN zero-day, the sixth to be exploited in 2026, tracked as CVE-2026-20182. The flaw is described as an authentication bypass in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager that could let a remote attacker gain admin privileges via specially crafted packets.
Cisco said it became aware of active exploitation in May, with Talos researchers noting that CVE-2026-20182 appears to have been exploited in limited attacks by a threat actor they track as UAT-8616. The same actor previously exploited CVE-2026-20127 to gain unauthorised access to SD-WAN systems. Rapid7 has been credited with reporting CVE-2026-20182 to Cisco, and Cisco has made IoCs available to help detect potential attacks. The KEV catalogue now lists CVE-2026-20182 among 15 Cisco SD-WAN vulnerabilities, with five discovered this year.