CISA Orders Emergency Patching for Actively Exploited Cisco SD-WAN Zero-Day
CISA has mandated that all federal agencies patch a critical, actively exploited authentication bypass vulnerability in Cisco Catalyst SD-WAN systems by May 17, 2026.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring all federal agencies to patch a critical authentication bypass vulnerability, CVE-2026-20182, in Cisco Catalyst SD-WAN systems by Sunday, May 17, 2026 [The Record]. This flaw, which carries a maximum CVSS severity score of 10.0, allows unauthenticated, remote attackers to gain administrative privileges on affected controllers and managers [Help Net Security, The Hacker News].
The vulnerability resides in the "vdaemon" service, which handles peering authentication over DTLS (UDP port 12346) [Help Net Security]. By sending crafted requests, an attacker can impersonate a trusted network router, effectively bypassing authentication to perform privileged operations [The Record, Help Net Security]. Once access is achieved, attackers can inject a public key into the vmanage-admin user's authorized SSH keys file, enabling them to log in via the NETCONF service (TCP port 830) and issue arbitrary commands to reconfigure the entire SD-WAN fabric [Help Net Security].
Cisco has attributed active exploitation of this zero-day to a sophisticated threat actor identified as UAT-8616 [Help Net Security, Tenable]. This group has been observed performing post-compromise actions such as modifying NETCONF configurations and escalating privileges to root by temporarily downgrading software to exploit an older vulnerability, CVE-2022-20775 [Help Net Security, The Hacker News]. Infrastructure analysis suggests UAT-8616's activity overlaps with Operational Relay Box (ORB) networks, which are frequently associated with state-sponsored espionage operations [Help Net Security].
This discovery follows a series of security incidents involving Cisco SD-WAN products earlier this year. Researchers at Rapid7 identified CVE-2026-20182 while investigating a similar authentication bypass flaw, CVE-2026-20127, which was disclosed in February [The Record, Help Net Security]. Since then, at least 10 different threat clusters have been observed exploiting various vulnerabilities in the SD-WAN stack, often leveraging publicly available proof-of-concept code to deploy web shells like "XenShell," Godzilla, and Behinder to execute arbitrary bash commands [The Hacker News].
CISA has added CVE-2026-20182 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies not only apply the available patches but also continue to follow the hunt and hardening guidance established in February's emergency directive [CISA, The Record]. Organizations are advised to review logs for unauthorized public key entries for the vmanage-admin account and to upgrade to the latest fixed software releases provided by Cisco [Help Net Security].
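The key-review advice above, turned into a defender-side check (an added example; this is not code from CISA, Cisco or any of the cited outlets): it parses an OpenSSH-format authorized_keys file, computes each key's SHA256 fingerprint and reports any entry that is malformed or not on an operator-maintained allowlist. The key material, the allowlist and the sample file contents are constructed, and the location of the vmanage-admin key file on a real controller is not assumed here.

```python
import base64
import hashlib
import shlex
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def ssh_fingerprint(b64_key: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list:
    """Parse authorized_keys lines, tolerating a leading options field."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
            idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
            if idx is None or idx + 1 >= len(tokens):
                raise ValueError("no key type/blob found")
            ktype, b64 = tokens[idx], tokens[idx + 1]
            entries.append({"line": lineno, "type": ktype, "fingerprint": ssh_fingerprint(b64),
                            "options": " ".join(tokens[:idx]), "comment": " ".join(tokens[idx + 2:])})
        except ValueError as exc:  # unbalanced quotes, bad base64, or no key found
            entries.append({"line": lineno, "error": str(exc), "raw": line})
    return entries

def audit_authorized_keys(text: str, allowlist: set) -> list:
    """Entries that are malformed or whose fingerprint is not on the allowlist."""
    return [e for e in parse_authorized_keys(text)
            if "error" in e or e["fingerprint"] not in allowlist]

def _ed25519_blob(fill: int) -> str:
    # Constructed, syntactically valid ssh-ed25519 blob; not a real key or indicator.
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill]) * 32
    return base64.b64encode(raw).decode()

KNOWN_KEY = _ed25519_blob(0x01)   # operator's own bastion key (constructed)
ROGUE_KEY = _ed25519_blob(0x02)   # an injected key no one on the team recognises (constructed)
ALLOWLIST = {ssh_fingerprint(KNOWN_KEY)}
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample of the vmanage-admin authorized keys file
ssh-ed25519 {KNOWN_KEY} ops-bastion
no-pty,from="203.0.113.5" ssh-ed25519 {ROGUE_KEY}
"""
```

Running `audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST)` flags only the third line of the sample; in practice the allowlist is the fingerprints of the keys the operations team actually issued, and any other hit is a candidate for incident response.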
The persistent targeting of SD-WAN controllers highlights a strategic shift by advanced threat actors toward infrastructure that facilitates long-term persistence and network-wide control. By compromising the "brain" of the SD-WAN fabric, attackers can observe, influence, and pivot across victim networks while remaining difficult to detect [The Record]. As these systems remain a high-value target for nation-state actors, security teams should prioritize the rapid remediation of these flaws and maintain heightened vigilance for anomalous administrative activity [The Record, Tenable].