Vulnerability intelligence

CVE-2026-20182

Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks. A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system.

CVSS Score

Critical

EPSS — Exploit Probability

84%

Riskier than 99% of all CVEs

Exploitation

Confirmed in the wild

Used in ransomware campaigns

Remediation

Patch available

Federal deadline 2026-05-17

CISA required action

Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. Deadline for federal agencies: 2026-05-17.

NVD entry Vendor patch PoC / advisory CISA KEV

9 articles across 7 outlets · first covered May 14, 2026 · latest May 18, 2026

Associated threat actors

UAT-8616

Coverage timeline

Microsoft Exchange zero day bug exploited in the wild
thehackernews.com · May 18, 2026
CVE-2026-20182 Cisco SD WAN flaw grants remote admin access
socradar.io · May 15, 2026
Cisco patches SDWAN zero day CVE-2026-20182 exploited by UAT8616
www.securityweek.com · May 15, 2026
CISA warns of Cisco Catalyst SDWAN flaw amid active exploitation
thehackernews.com · May 15, 2026
Cisco SD WAN flaw lets attackers seize control, patch urged
www.darkreading.com · May 14, 2026
U.S. CISA adds a flaw in Cisco Catalyst SD-WAN to its Known Exploited Vulnerabilities catalog
securityaffairs.com · May 14, 2026
Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access
thehackernews.com · May 14, 2026
Cisco SD WAN authentication bypass lets attackers gain admin access
www.cisa.gov · May 14, 2026
CVE-2026-20182 Flaw in Cisco SDWAN Lets
cisa.gov · May 14, 2026

Related CVEs — Cisco

CVE-2026-20245KEV CVE-2026-20131KEV CVE-2026-20127KEV CVE-2025-20333KEV CVE-2025-20362KEV CVE-2026-20133KEV CVE-2026-20122KEV CVE-2026-20128KEV