    Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks

    By admin, May 14, 2026

    Cisco is warning that a critical Catalyst SD-WAN Controller authentication bypass flaw, tracked as CVE-2026-20182, was actively exploited in zero-day attacks that allowed attackers to gain administrative privileges on compromised devices.

    CVE-2026-20182 has a maximum severity of 10.0 and impacts Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager in on-prem and SD-WAN Cloud deployments.

    In an advisory published today, Cisco said the issue stems from a peering authentication mechanism that “is not working properly.”

    “This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system,” reads the Cisco CVE-2026-20182 advisory.

    “A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”

    Cisco Catalyst SD-WAN is a software-based networking platform that connects branch offices, data centers, and cloud environments through a centrally managed system. It uses a controller to securely route traffic between sites over encrypted connections.

    The company says it detected threat actors exploiting the flaw in May, but did not share any details regarding how it was exploited.

    However, the indicators of compromise (IOCs) it shared advise admins to check for unauthorized peering events in the SD-WAN Controller logs, which could indicate attempts to register rogue devices within the SD-WAN fabric.

    By adding a rogue peer, an attacker could insert a malicious device into the SD-WAN environment that appears legitimate. That device could then establish encrypted connections and advertise networks under the attacker’s control, potentially allowing them to move deeper into an organization’s network.

    The flaw was discovered by Rapid7 while researching a different Cisco SD-WAN controller vulnerability, tracked as CVE-2026-20127, which was fixed in February.

    CVE-2026-20127 was also exploited in zero-day attacks, by a threat actor tracked as “UAT-8616” that has used it since 2023 to create rogue peers in organizations.

    Cisco has released security updates to address the vulnerability and says there are no workarounds that fully mitigate the issue. 

    The company also recommends restricting access to SD-WAN management and control-plane interfaces to trusted internal networks or to authorized IP addresses only, and reviewing authentication logs for suspicious login activity.

    CISA has added the Cisco CVE-2026-20182 flaw to the Known Exploited Vulnerabilities Catalog, ordering federal agencies to patch affected devices by May 17, 2026.

    Indicators of compromise

    Cisco is urging organizations to review logs from any internet-exposed Catalyst SD-WAN Controller systems for events that may indicate unauthorized access or peering events.

    The company says that admins should review /var/log/auth.log for entries showing “Accepted publickey for vmanage-admin” from unknown IP addresses:

    
    2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from port [REDACTED PORT] ssh2: RSA SHA256:[REDACTED KEY]

    Administrators should compare IP addresses in logs with the configured System IPs listed in the Cisco Catalyst SD-WAN Manager web UI, under WebUI > Devices > System IP.

    If an unknown IP address successfully authenticated, administrators should consider the device to be compromised and open a Cisco TAC case.

    Cisco also recommends reviewing SD-WAN Controller logs for unauthorized peering activity, as attackers may attempt to register rogue devices within the SD-WAN fabric.

    
    Jul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005
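
The two log reviews described above can be scripted against an allowlist of System IPs. This is an added example, not code from Cisco or the original article; the allowlist, the sample log lines and the presence of a source address after "from" in the sshd line are constructed assumptions.

```python
import re

# OpenSSH success line for the account named in the advisory; assumes the
# source address field is present (it is redacted in the published sample).
SSH_RE = re.compile(r"Accepted publickey for vmanage-admin from (\S+) port \d+")
# Peering event fields; the space before peer-system-ip is treated as optional.
PEER_RE = re.compile(r"control-connection-state-change new-state:up "
                     r"peer-type:(\S+?)\s*peer-system-ip:(\S+) public-ip:(\S+)")

def unknown_ssh_logins(lines, known_ips):
    """Source IPs of vmanage-admin key logins that are not in known_ips."""
    return [m.group(1) for m in map(SSH_RE.search, lines)
            if m and m.group(1) not in known_ips]

def unknown_peers(lines, known_ips):
    """(peer_type, system_ip, public_ip) for peers that came up but are unlisted."""
    return [m.groups() for m in map(PEER_RE.search, lines)
            if m and m.group(2) not in known_ips]

# Constructed inputs: a hypothetical System IP export and made-up log lines.
KNOWN_SYSTEM_IPS = {"10.0.0.1", "10.0.0.2"}
AUTH_LOG = [
    "2026-05-10T08:00:01+00:00 vm sshd[811]: Accepted publickey for "
    "vmanage-admin from 10.0.0.1 port 40022 ssh2: RSA SHA256:EXAMPLE",
    "2026-05-10T08:03:17+00:00 vm sshd[902]: Accepted publickey for "
    "vmanage-admin from 203.0.113.77 port 51514 ssh2: RSA SHA256:EXAMPLE",
    "2026-05-10T08:04:00+00:00 vm sshd[903]: Failed password for admin "
    "from 198.51.100.9 port 40000 ssh2",
]
_PREFIX = ("May 10 08:03:40 vSmart-01 VDAEMON_0[2571]: "
           "%Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: "
           "control-connection-state-change ")
CTRL_LOG = [
    _PREFIX + "new-state:up peer-type:vmanage peer-system-ip:10.0.0.1 "
              "public-ip:192.0.2.10 public-port:12345 domain-id:1 site-id:1005",
    _PREFIX + "new-state:up peer-type:vedge peer-system-ip:10.9.9.9 "
              "public-ip:203.0.113.77 public-port:12346 domain-id:1 site-id:2001",
    _PREFIX + "new-state:down peer-type:vedge peer-system-ip:10.9.9.8 "
              "public-ip:198.51.100.9 public-port:12346 domain-id:1 site-id:2002",
]

if __name__ == "__main__":
    for ip in unknown_ssh_logins(AUTH_LOG, KNOWN_SYSTEM_IPS):
        print("vmanage-admin login from unlisted address:", ip)
    for peer_type, system_ip, public_ip in unknown_peers(CTRL_LOG, KNOWN_SYSTEM_IPS):
        print("unlisted peer came up:", peer_type, system_ip, "via", public_ip)
```

A hit from either function is a lead to verify against the System IP list in SD-WAN Manager, not proof of compromise on its own.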

    Cisco strongly recommends upgrading to a fixed software release, as this is the only way to fully remediate CVE-2026-20182.

