CVE-2026-20182
Description
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks.
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3Patches
Vulnerability mechanics
References
3- sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SWnvdVendor Advisory
- sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZknvdNot Applicable
- www.cisa.gov/known-exploited-vulnerabilities-catalognvdUS Government Resource
News mentions
41- Cisco Vulnerability Exploited Months Before Disclosure, Google WarnsInfosecurity Magazine · Jun 25, 2026
- Cisco SD-WAN Zero-Day Exploited Months Before PatchingSecurityWeek · Jun 25, 2026
- Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root AccessThe Hacker News · Jun 25, 2026
- Mandiant reveals how Cisco SD-WAN zero-day attacks gained root accessBleepingComputer · Jun 24, 2026
- Attackers Hit Cisco SD-WAN Flaw 2 Months Before DisclosureDark Reading · Jun 24, 2026
- Malicious hackers exploit Cisco zero-day for highest access level at communications service providerCyberScoop · Jun 24, 2026
- Hackers Exploiting Cisco Catalyst SD-WAN Manager 0-Day Flaw to Gain Root-Level AccessCyber Security News · Jun 24, 2026
- Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN ManagerMandiant Threat Intelligence · Jun 24, 2026
- Cisco discloses second exploited SD-WAN vulnerability in two weeks (CVE-2026-20262)Help Net Security · Jun 16, 2026
- Cisco Patches Another SD-WAN Zero-Day Exploited in AttacksSecurityWeek · Jun 16, 2026
- Cisco Releases Security Updates for Actively Exploited SD-WAN Manager FlawThe Hacker News · Jun 16, 2026
- Cisco fixes SD-WAN vManage flaw exploited in zero-day attacksBleepingComputer · Jun 15, 2026
- Cisco customers encounter another SD-WAN zero-day under attackCyberScoop · Jun 9, 2026
- Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch AvailableThe Hacker News · Jun 6, 2026
- Yet another Cisco SD-WAN 0-day under attack, and no patch in sightThe Register Security · Jun 5, 2026
- Cisco SD-WAN 0-day exploited, no patch available (CVE-2026-20245)Help Net Security · Jun 5, 2026
- Cisco SD-WAN Vulnerability Exploited in the Wild to Execute Arbitrary Commands as Root UserCyber Security News · Jun 5, 2026
- Cisco warns of unpatched SD-WAN zero-day exploited in attacksBleepingComputer · Jun 5, 2026
- Cisco Warns of 7th SD-WAN Zero-Day Exploited in 2026SecurityWeek · Jun 5, 2026
- Metasploit Wrap Up 05/22/2026Rapid7 Blog · May 22, 2026
- Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data AccessThe Hacker News · May 22, 2026
- Max severity Cisco Secure Workload flaw gives Site Admin privilegesBleepingComputer · May 21, 2026
- Risky Business #838 -- GitHub investigates possible breachRisky Business · May 20, 2026
- New Cisco SD-WAN Zero-Day Grants Admin AccessGovInfoSecurity · May 19, 2026
- 18th May – Threat Intelligence ReportCheck Point Research · May 18, 2026
- ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and MoreThe Hacker News · May 18, 2026
- Week in review: Cisco patches SD-WAN 0-day, unpatched Microsoft Exchange Server flaw exploitedHelp Net Security · May 17, 2026
- Cisco zero-day under ongoing attack by persistent threat groupCyberScoop · May 15, 2026
- CISA orders all federal agencies to patch exploited bug in Cisco SD-WAN systems by SundayThe Record · May 15, 2026
- Cisco patches another actively exploited SD-WAN zero-day (CVE-2026-20182)Help Net Security · May 15, 2026
- Cisco Patches Another SD-WAN Zero-Day, the Sixth Exploited in 2026SecurityWeek · May 15, 2026
- CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access ExploitsThe Hacker News · May 15, 2026
- Frequently asked questions about the continued exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182)Tenable Blog · May 15, 2026
- Maximum Severity Cisco SD-WAN Bug Exploited in the WildDark Reading · May 14, 2026
- Cisco warns of new critical SD-WAN flaw exploited in zero-day attacksBleepingComputer · May 14, 2026
- Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin AccessThe Hacker News · May 14, 2026
- Cisco CVE-2026-20182 Added to CISA KEV Under Active ExploitationVypr Intelligence · May 14, 2026
- Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilitiesCisco Talos Intelligence · May 14, 2026
- CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller (FIXED)Rapid7 Blog · May 14, 2026
- The Dark Side of Efficiency: When Network Controllers Become "God Mode" for AttackersRapid7 Blog · May 14, 2026
- CISA Adds One Known Exploited Vulnerability to CatalogCISA Alerts