Find notable cyber news and cases, enriched with sources, timelines, and signals.

CISA KEV remediation order for Cisco Catalyst SD-WAN Controller CVE-2026-20182

Public Sector Action
First reported
Last updated
Happening score
H score 59
1 unique sources, 1 articles

Summary

Hide ▲

CISA added CVE-2026-20182 to the KEV catalog and ordered Federal Civilian Executive Branch agencies to remediate Cisco Catalyst SD-WAN Controller by May 17, 2026, turning the flaw into a federal remediation priority because it is tied to active abuse. The move puts a concrete deadline on federal response and raises urgency around affected Cisco SD-WAN environments. It also reinforces the operational significance of the vulnerability for government networks.

Cases

Related Happenings

CISA adds CVE-2026-20262 to KEV and orders federal fixes

Public Sector Action
H score32 First: 16.06.2026 09:05 Last: 16.06.2026 09:05 Sources 1

About this happening: **CISA** added **CVE-2026-20262** to its **Known Exploited Vulnerabilities (KEV) catalog** and required **Federal Civilian Executive Branch (FCEB)** agencies to apply Cisco's fixe...

CISA KEV update and FCEB remediation deadline

Public Sector Action
H score33 First: 10.06.2026 17:44 Last: 10.06.2026 17:44 Sources 1

About this happening: **CISA** added **three actively exploited vulnerabilities** to the **KEV catalog** and ordered **Federal Civilian Executive Branch agencies** to remediate by **June 23, 2026**. Th...

CISA BOD 26-04 prioritizes vulnerability remediation for federal civilian agencies

Public Sector Action
H score27 First: 10.06.2026 15:00 Last: 10.06.2026 15:00 Sources 1

About this happening: **CISA** issued **Binding Operational Directive 26-04** to require **federal civilian agencies** to prioritize vulnerability remediation using **Asset Exposure**, **KEV Status**,...

Cisco Catalyst SD-WAN Manager root privilege escalation flaw (CVE-2026-20245)

Vulnerability
H score60 First: 05.06.2026 09:24 Last: 05.06.2026 09:24 Sources 1

About this happening: **CVE-2026-20245** in **Cisco Catalyst SD-WAN Manager** is an **actively exploited** **high-severity** vulnerability that can let an **authenticated local attacker** with **netadm...

Latest development: 06.06.2026 07:19

Cisco warned that CVE-2026-20245 in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, is under active exploitation and can let an authenticated local attacker with netadmin privileges upload a crafted file to execute arbitrary commands as root. Cisco said the flaw affects On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP), that limited exploitation has already resulted in configuration changes pushed to edge devices, and that no patches or mitigations are currently available. Cisco also advised checking /var/log/scripts.log for indicators of compromise and credited Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan with discovering and reporting the issue.

Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)

Vulnerability
H score60 First: 14.05.2026 23:09 Last: 14.05.2026 23:09 Sources 1

How related: The U.S.Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability impacting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by May 17, 2026.

About this happening: **CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...

Latest development: 14.05.2026 23:25

Cisco released a patch for CVE-2026-20182, giving organizations using Cisco Catalyst SD-WAN Controllers a way to block the authentication bypass before UAT-8616 can continue using it for administrative access, SSH key insertion, NETCONF changes, and root escalation.

Timeline

  1. 15.05.2026 08:28 2 articles · 1mo ago

    CISA adds CVE-2026-20182 to the KEV catalog

    Legal Policy Action Update

    CISA added CVE-2026-20182, a critical authentication bypass in Cisco Catalyst SD-WAN Controller and Manager that can let a remote unauthenticated attacker obtain administrative privileges, to the KEV catalog and required Federal Civilian Executive Branch agencies to remediate the vulnerability by May 17, 2026.

    Show sources
  2. 15.05.2026 08:28 1 articles · 1mo ago

    Cisco attributes active exploitation to UAT-8616

    Attribution Update

    Cisco attributed active exploitation of CVE-2026-20182 with high confidence to UAT-8616, the same cluster linked to CVE-2026-20127, and said the actor attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges after compromise.

    Show sources