CISA Adds Cisco SD-WAN Vulnerability CVE-2026-20182 to KEV Catalog
CISA has added the critical authentication bypass vulnerability CVE-2026-20182 in Cisco Catalyst SD-WAN to its Known Exploited Vulnerabilities (KEV) catalog following confirmed active exploitation.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager, tracked as CVE-2026-20182, to its Known Exploited Vulnerabilities (KEV) catalog. This action follows confirmed reports of active exploitation by multiple threat actors, including a sophisticated group identified as UAT-8616 [Tenable].
The vulnerability, which carries a CVSSv3 score of 10.0, allows unauthenticated attackers to bypass authentication mechanisms and gain unauthorized access to the affected SD-WAN systems [The Hacker News]. Threat actors have been exploiting this flaw since at least 2023, with additional clusters joining the effort after public proof-of-concept code became available [Tenable].
Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability by May 17, 2026. Organizations using Cisco Catalyst SD-WAN should review and adhere to CISA Emergency Directive 26-03 and the associated supplemental hunt and hardening guidance to assess their exposure and mitigate risks.