Cisco SD-WAN CVE-2026-20182 Exploitation, Patching, and KEV Response

**CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administrative privileges** and SD-WAN configuration tampering. Cisco said it detected exploitation in **May** and released **security updates** to fully remediate the issue. CISA added the flaw to the **Known Exploited Vulnerabilities Catalog**, setting a **May 17, 2026** patch deadline for federal agencies.

**Cisco** confirmed **active exploitation** of **two recently patched Catalyst SD-WAN vulnerabilities**, creating immediate risk for exposed systems that have not been fully remediated. The affected flaws are **CVE-2026-20128** and **CVE-2026-20122**. Cisco said the attacks appear to involve **chaining with other flaws**, which can increase the chance of privilege escalation and deeper system compromise. The company also said it is **unclear whether the exploits are part of the same campaign** or separate operations.

**CISA** added **CVE-2026-20182** to the **KEV catalog** and ordered **Federal Civilian Executive Branch agencies** to remediate **Cisco Catalyst SD-WAN Controller** by **May 17, 2026**, turning the flaw into a federal remediation priority because it is tied to active abuse. The move puts a concrete deadline on federal response and raises urgency around affected **Cisco SD-WAN** environments. It also reinforces the operational significance of the vulnerability for government networks.

Cisco released **updates** for **CVE-2026-20182**, a **maximum-severity authentication bypass** in **Catalyst SD-WAN Controller/Manager**, after the flaw was **exploited in limited attacks**. The patch applies to affected **on-prem**, **Cloud-Pro**, **Cloud (Managed)**, and **FedRAMP** deployments. Cisco urged customers to install the **latest updates** as soon as possible because **internet-exposed systems** face higher compromise risk.