Cisco SD-WAN CVE-2026-20182 Exploitation, Patching, and KEV Response
Updated 15.05.2026 08:28
Case score 63
Score breakdown
- Total: 63
- Lead score: 60
- Support bonus: +3 / 20
- Scoring support: 1
- Context members: 2
Top contributors
- Vulnerability (base): Primary exploited vulnerability and management-plane risk anchor.
- Security Patch Release (context): Vendor remediation scope and the no-workaround conclusion for **CVE-2026-20182**.
- Public Sector Action (context): KEV listing, federal deadline, and urgency around remediation.
- Exploitation Wave (support): Earlier confirmed exploitation of other Catalyst SD-WAN flaws adds direct exploitation context and chaining risk on related management components.
Members 4
Latest activity 15.05.2026 08:28
Active exploitation
KEV: CISA KEV
Patch available
CVSS: 10.0 Critical
First seen 05.03.2026 14:15
Last seen 15.05.2026 08:28
Overview
Active exploitation of **CVE-2026-20182** has put **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager** at risk of unauthenticated high-privilege access and management-plane tampering. Cisco released fixes after detecting exploitation in May and said no workaround fully mitigates the flaw.
This activity is part of a wider **Catalyst SD-WAN** exploitation pattern: Cisco had already confirmed March exploitation of **CVE-2026-20128** and **CVE-2026-20122**, with chaining behavior noted but campaign overlap left unconfirmed. **CISA** has since added **CVE-2026-20182** to the **Known Exploited Vulnerabilities** catalog and set a **May 17, 2026** federal remediation deadline.
Cisco confirmed in March that attackers were actively exploiting **CVE-2026-20128** in the **Data Collection Agent (DCA)** feature of **Catalyst SD-WAN Manager** and **CVE-2026-20122** in the manager API. The company said the attacks appeared to involve chaining with other flaws, raising concern that exposed SD-WAN management infrastructure was already under sustained pressure before **CVE-2026-20182** surfaced. Available evidence does not confirm whether the March exploitation and the later **CVE-2026-20182** activity were part of the same campaign or separate operations.
That later activity centers on **CVE-2026-20182**, a critical **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager** that can let a remote unauthenticated attacker obtain a high-privileged non-root account. Cisco said the flaw stems from an improperly implemented peering authentication mechanism, and successful access can expose **NETCONF** and enable SD-WAN configuration changes. Cisco said it detected exploitation in May and urged defenders to review unauthorized peering events and suspicious authentication activity, especially on internet-reachable deployments.
Cisco released security updates for affected deployments and said upgrading to a fixed release is the only full remediation because no workaround fully mitigates **CVE-2026-20182**. **CISA** added **CVE-2026-20182** to the **Known Exploited Vulnerabilities** catalog and ordered **Federal Civilian Executive Branch** agencies to remediate by **May 17, 2026**. Available material associates the activity with **UAT-8616**, but public reporting has not quantified affected organizations or confirmed downstream victim outcomes.