Cisco has released updates to fix a maximum-severity authentication bypass in the Catalyst SD-WAN Controller, which has been exploited in limited attacks. According to Rapid7, which discovered CVE-2026-20182, the flaw stems from a malfunction in the peering authentication mechanism and could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on affected systems.
A successful exploit could let the attacker log in as an internal, high-privileged, non-root user and then access NETCONF to manipulate SD-WAN network configuration. The vulnerability, tracked as CVE-2026-20182 with a CVSS score of 10.0, affects On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud, and Cisco SD-WAN for Government (FedRAMP).
Cisco notes that there has been limited exploitation and advises applying the latest updates promptly, while also urging customers to audit '/var/log/auth.log' for suspicious publickey login entries from unknown IP addresses.
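
The log audit described above can be scripted. The following is an added example, not code from Cisco or Rapid7: it flags accepted publickey logins whose source address falls outside a list of expected peers. It assumes the standard OpenSSH "Accepted publickey" syslog message; the log lines, user name and address ranges are constructed for illustration.

```python
import ipaddress
import re

# Standard OpenSSH success message for public-key authentication.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed values: replace with the peers expected in your own overlay.
KNOWN_PEERS = ["192.0.2.0/24", "198.51.100.16/28"]

# Constructed sample lines (documentation address ranges, placeholder user).
SAMPLE_LOG = """\
May 14 03:10:02 ctrl sshd[2101]: Accepted publickey for svc-user from 192.0.2.10 port 51514 ssh2: RSA SHA256:CONSTRUCTED-A
May 14 03:11:40 ctrl sshd[2107]: Failed password for invalid user test from 203.0.113.77 port 40022 ssh2
May 14 03:12:45 ctrl sshd[2113]: Accepted publickey for svc-user from 203.0.113.77 port 40031 ssh2: RSA SHA256:CONSTRUCTED-B
May 14 03:15:09 ctrl sshd[2120]: Accepted password for operator from 198.51.100.40 port 50111 ssh2
May 14 03:16:30 ctrl sshd[2131]: Accepted publickey for svc-user from 198.51.100.20 port 50200 ssh2: ED25519 SHA256:CONSTRUCTED-C
"""


def unknown_publickey_logins(lines, known_networks):
    """Return (user, source, line) for accepted publickey logins whose
    source address is outside every network in known_networks."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    hits = []
    for line in lines:
        m = ACCEPTED.search(line)
        if not m:
            continue  # not a successful publickey login
        user, src = m.group("user"), m.group("ip")
        try:
            addr = ipaddress.ip_address(src)
            known = any(addr in net for net in nets)
        except ValueError:
            known = False  # unparseable source: report it, do not skip
        if not known:
            hits.append((user, src, line.strip()))
    return hits


if __name__ == "__main__":
    for user, src, line in unknown_publickey_logins(SAMPLE_LOG.splitlines(), KNOWN_PEERS):
        print(f"REVIEW user={user} src={src} :: {line}")
```

Rotated and compressed copies of the log need the same pass, since entries from before the last rotation will not be in the live file.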