Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)

Vulnerability
Happening score
H score 60
3 unique sources, 3 articles

Summary

CVE-2026-20182 is an actively exploited authentication bypass in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, creating a path to administrative privileges and SD-WAN configuration tampering. Cisco said it detected exploitation in May and released security updates to fully remediate the issue. CISA added the flaw to the Known Exploited Vulnerabilities Catalog, setting a May 17, 2026 patch deadline for federal agencies.

Related Happenings

Cisco Secure Workload REST API validation/authentication flaw (CVE-2026-20223)

Vulnerability
First: 21.05.2026 15:04 Last: 21.05.2026 15:04 Sources 1

About this happening: **Cisco Secure Workload Cluster Software** was patched for **CVE-2026-20223**, a **critical** REST API flaw that could let attackers gain **Site Admin privileges** and cross tenan...

CISA KEV remediation order for Cisco Catalyst SD-WAN Controller CVE-2026-20182

Public Sector Action
First: 15.05.2026 08:28 Last: 15.05.2026 08:28 Sources 1

How related: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability impacting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by May 17, 2026.

About this happening: **CISA** added **CVE-2026-20182** to the **KEV catalog** and ordered **Federal Civilian Executive Branch agencies** to remediate **Cisco Catalyst SD-WAN Controller** by **May 17,...

PAN-OS User-ID Authentication Portal mitigation guidance (CVE-2026-0300)

Advisory/Mitigation
First: 06.05.2026 09:14 Last: 06.05.2026 09:14 Sources 1

About this happening: Palo Alto Networks issued **mitigation guidance** for **CVE-2026-0300** after the **PAN-OS User-ID Authentication Portal** flaw was reported **exploited in the wild**, leaving pub...

FIRESTARTER malware on Cisco ASA and FTD devices

Malware Activity
First: 23.04.2026 15:00 Last: 23.04.2026 15:00 Sources 1

About this happening: CISA has published analysis of **FIRESTARTER**, a malware strain that enables **remote access and control** on **Cisco Firepower** and **Secure Firewall** devices, raising the ris...

Latest development: 24.04.2026 23:34

CISA, NCSC-UK, and Cisco detailed Firestarter persistence on Cisco Firepower and Secure Firewall devices running ASA or FTD software, attributing the backdoor to UAT-4356 and linking the activity to ArcaneDoor. The malware modifies CSP_MOUNT_LIST, stores a copy in /opt/cisco/platform/logs/var/log/svc_samcore.log, restores itself to /usr/bin/lina_cs, and relaunches after termination or reboot; Cisco recommends reimaging and upgrading to fixed releases, or using a cold restart only if reimaging is not possible.

Cisco Catalyst SD-WAN Manager information disclosure vulnerability (CVE-2026-20133)

Vulnerability
First: 21.04.2026 15:30 Last: 21.04.2026 15:30 Sources 1

About this happening: CISA moved **CVE-2026-20133** in **Cisco Catalyst SD-WAN Manager** into its **KEV Catalog**, signaling **active exploitation** against **unpatched devices** and forcing **FCEB age...

Timeline

  1. 14.05.2026 23:25 1 article · 13d ago

    Cisco releases a patch for CVE-2026-20182

    Mitigation Patch Update

    Cisco released a patch for CVE-2026-20182, giving organizations using Cisco Catalyst SD-WAN Controllers a way to block the authentication bypass before UAT-8616 can continue using it for administrative access, SSH key insertion, NETCONF changes, and root escalation.

  2. 14.05.2026 23:09 3 articles · 13d ago

    Cisco warns on CVE-2026-20182 and response actions

    Initial Disclosure

    Cisco warned that CVE-2026-20182 is a critical authentication bypass in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager that was being actively exploited in zero-day attacks and could grant administrative privileges, give access to NETCONF, and allow manipulation of SD-WAN network configuration. Cisco said security updates are available and that upgrading to a fixed software release is the only full remediation, while CISA added the flaw to the Known Exploited Vulnerabilities Catalog and ordered federal agencies to patch affected devices by May 17, 2026.
