Cisco warns: critical SD‑WAN auth bypass exploited

Cisco disclosed a maximum-severity authentication bypass in its Catalyst SD‑WAN products in mid‑May 2026 and said the bug has been exploited in the wild. Cisco published a security advisory and pushed fixes after internal monitoring and customer reports flagged suspicious administrative activity.

The flaw, tracked as CVE‑2026‑20182, affects the Catalyst SD‑WAN Controller and Catalyst SD‑WAN Manager platforms, previously known as vSmart and vManage. Cisco said an attacker can send crafted control‑connection requests to bypass peering authentication and establish a trusted administrative session.

Cisco and researchers gave the bug a maximum CVSS score of 10.0 and described it as configuration‑independent — meaning vulnerable systems remain exposed regardless of site settings. The company also warned there are no workarounds that fully mitigate the issue, and urged customers to apply the fixed releases immediately.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2026‑20182 to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal civilian agencies to remediate the issue on an urgent timetable. CISA’s action set a federal deadline of May 17, 2026 for applying the required patches.

Cisco said it became aware of “limited exploitation” of the vulnerability in May and attributed active campaigns to threat clusters it tracks. Outside responders and security vendors warn that the same actors have reused SD‑WAN attack techniques seen earlier in 2026.

A successful exploit can let an attacker log in as a high‑privileged, non‑root internal account and then access NETCONF interfaces to change routing and security policies across the SD‑WAN fabric. That capability can let an intruder reroute traffic, add rogue peers, or create persistent access.

Cisco, Rapid7 and other responders published lists of fixed software releases and operational guidance. The vendor identifies patched versions across multiple release trains and offers commands administrators should run to list and validate control peering relationships. Organizations are being advised to upgrade to a fixed release as their primary remediation.

Security incident responders and managed detection teams say defenders should assume compromise is possible if controllers were reachable before patching. Recommended steps include isolating affected controllers, collecting diagnostics, verifying peer config and routing tables, and engaging Cisco Technical Assistance for forensics.

The disclosure follows an earlier February 2026 authentication‑bypass (CVE‑2026‑20127) that was also exploited in the wild, underscoring a months‑long focus by adversaries on SD‑WAN control planes. Vendors and national CERTs have repeatedly warned that SD‑WAN control channels are a high‑value target because they govern network‑wide configuration.

Because the flaw targets control‑plane authentication, the operational impact can be fast and broad: compromised controllers can push configuration changes that propagate to many edge devices, amplifying risk for large enterprises and service providers. Security teams should prioritize controllers in patch cycles even when doing disruptive maintenance is difficult.

Several security vendors posted detection and hunting guidance, including indicators of suspicious control‑peering activity and sample queries to find anomalous NETCONF sessions. Teams should combine patching with active hunts for unusual peers and unexpected configuration diffs to catch follow‑on compromise.

The researchers credited by Cisco for discovering the bug called for immediate upgrades and noted there are no viable workarounds that remove exposure. For network operators, the immediate priorities are: apply vendor patches, verify control relationships, look for unauthorized peers, and coordinate incident response if unexpected changes are found.