Critical Cisco SD-WAN Flaw Exploited in Zero-Day Attacks: CVE-2026-20182 Under Active Exploitation
**Cisco** is urgently warning of active exploitation of a critical authentication bypass vulnerability in its Catalyst SD-WAN Controller. Tracked as **CVE-2026-20182**, the flaw allows attackers to gain administrative privileges on compromised devices, potentially leading to significant network compromise.

**Cisco** is warning that a critical Catalyst SD-WAN Controller authentication bypass flaw, tracked as **CVE-2026-20182**, was actively exploited in zero-day attacks that allowed attackers to gain administrative privileges on compromised devices.
**CVE-2026-20182** has a maximum severity of 10.0 and impacts **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager** in on-prem and SD-WAN Cloud deployments.
### Vulnerability Details
In an advisory published today, **Cisco** said the issue stems from a peering authentication mechanism that "is not working properly."
"This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system," reads the [Cisco CVE-2026-20182 advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW).
"A successful exploit could allow the attacker to log in to an affected **Cisco Catalyst SD-WAN Controller** as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric."
**Cisco Catalyst SD-WAN** is a software-based networking platform that connects branch offices, data centers, and cloud environments through a centrally managed system. It uses a controller to securely route traffic between sites over encrypted connections.
### Active Exploitation
The company says it detected threat actors exploiting the flaw in May, but did not share any details regarding how it was exploited.
However, shared indicators of compromise (IOCs) warn admins to check for unauthorized peering events in the SD-WAN Controller logs, which could indicate attempts to register rogue devices within the SD-WAN fabric.
By adding a rogue peer, an attacker could insert a malicious device into the SD-WAN environment that appears legitimate. That device could then establish encrypted connections and advertise networks under the attacker's control, potentially allowing them to move deeper into an organization's network.
### Discovery and Relation to Previous Vulnerabilities
The flaw was [discovered by **Rapid7**](https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/) while researching a different **Cisco SD-WAN** controller vulnerability, tracked as [**CVE-2026-20127**](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk), which was fixed in February.
**CVE-2026-20127** was [also exploited in zero-day attacks](https://www.bleepingcomputer.com/news/security/critical-cisco-sd-wan-bug-exploited-in-zero-day-attacks-since-2023/) by a threat actor tracked as "UAT-8616" since 2023 to create rogue peers in organizations.
### Mitigation and Remediation
**Cisco** has released security updates to address the vulnerability and says there are no workarounds that fully mitigate the issue.
The company also recommends restricting access to SD-WAN management and control-plane interfaces to trusted internal networks or to authorized IP addresses only, and reviewing authentication logs for suspicious login activity.
**CISA** has added the **Cisco CVE-2026-20182** flaw to the [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/news-events/alerts/2026/05/14/cisa-adds-one-known-exploited-vulnerability-catalog), ordering federal agencies to patch affected devices by May 17, 2026.
### Indicators of Compromise
**Cisco** is urging organizations to review logs from any internet-exposed Catalyst SD-WAN Controller systems for events that may indicate unauthorized access or peering events.
The company says that admins should review */var/log/auth.log* for entries showing "Accepted publickey for vmanage-admin" from unknown IP addresses:
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from port [REDACTED PORT] ssh2: RSA SHA256:[REDACTED KEY]
Administrators should compare IP addresses in logs with the configured System IPs listed in the **Cisco Catalyst SD-WAN Manager** web UI, under **WebUI** > **Devices** > **System IP**.
If an unknown IP address successfully authenticated, administrators should consider the device to be compromised and open a **Cisco TAC** case.
**Cisco** also recommends reviewing SD-WAN Controller logs for unauthorized peering activity, as attackers may attempt to register rogue devices within the SD-WAN fabric.
Jul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005
**Cisco** strongly recommends upgrading to a fixed software release, as this is the only way to fully remediate **CVE-2026-20182**.