Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability (CVE-2026-20182)
Severity Assessment
- Exploitability: 10/10
- Impact: 10/10
- Weaponization Risk: 9.0/10
- Patch Urgency: 10/10
- Detection Coverage: 3.5/10
Summary
CVE-2026-20182 is a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). The vulnerability exists because peering authentication is not working properly in control connection handshaking. An unauthenticated remote attacker can send crafted requests that satisfy the authentication check, bypassing authentication and obtaining administrative privileges on an affected system.
Successful exploitation logs the attacker in to the SD-WAN Controller as an internal, high-privileged, non-root account. That account can access NETCONF and manipulate network configuration for the SD-WAN fabric, creating control-plane risk across the SD-WAN overlay.
The NVD CVSS 3.1 base score is 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), reflecting no authentication requirement, no user interaction, and full confidentiality, integrity, and availability impact with a changed scope. The vulnerability is classified CWE-287 (Improper Authentication). Cisco released software updates and confirmed there are no workarounds. Cisco PSIRT became aware of limited exploitation in May 2026 and has strongly recommended upgrading to a fixed release. The Cisco advisory identifies this as a new vulnerability in control connection handshaking, discovered in the course of work following an earlier February 2026 SD-WAN disclosure.
CISA added CVE-2026-20182 to the Known Exploited Vulnerabilities catalog on 2026-05-14 with a required remediation due date of 2026-05-17. CISA simultaneously issued Supplemental Direction ED 26-03, directing Federal Civilian Executive Branch agencies to identify, update, and assess potential compromises to in-scope Cisco SD-WAN systems. Required action includes following CISA ED 26-03 Hunt and Hardening Guidance; agencies subject to BOD 22-01 for cloud services must adhere to applicable guidance or discontinue use if mitigations are unavailable. CISA records the known ransomware campaign use status for this vulnerability as Unknown.
Exploit Chain
Stage 1: Network Access to Control or Management Interface
The attacker obtains network access to a Cisco Catalyst SD-WAN Controller or SD-WAN Manager endpoint. Both products operate as network-facing control-plane components. The vulnerability is reachable from the network without prior authentication or any elevated privileges.
Stage 2: Send Crafted Requests Exploiting Defective Peering Authentication
The attacker sends crafted requests targeting the control connection handshaking process. Because peering authentication is not working properly, the handshake does not correctly verify the identity of the connecting party. The crafted requests satisfy the authentication check without valid credentials.
Stage 3: Obtain High-Privileged Account Session
Successful exploitation results in the attacker being logged in to the SD-WAN Controller as an internal, high-privileged, non-root account. This account is not intended to be reachable through the standard management interface under normal circumstances.
Stage 4: NETCONF Access and SD-WAN Fabric Manipulation
With the obtained account, the attacker can access NETCONF on the SD-WAN Controller and issue configuration commands against the SD-WAN fabric. This enables manipulation of network configuration and control-plane settings, potentially affecting the SD-WAN overlay network.
Detection Guidance
The following steps are drawn from Cisco advisory cisco-sa-sdwan-rpa2-v69WY2SW and CISA Supplemental Direction ED 26-03.
- Inspect /var/log/auth.log on affected SD-WAN Controller and Manager hosts for entries of the form "Accepted publickey for vmanage-admin from <IP>" where the source IP is not a recognized or authorized management host.
- Run "show control connections detail" and "show control connections-history detail" on SD-WAN Controller instances and look for entries showing "no challenge-ack", which Cisco identifies as a potential compromise indicator.
- Review control connection peering events and validate all listed peers against the authorized SD-WAN peer inventory; flag connections from peers not previously enrolled or not recognized as organizational assets.
- Audit SSH access to control-plane assets: check authorized_keys files for unauthorized entries and review SSH session logs for access from unexpected source addresses.
- Review all accounts with access to control-plane assets and identify any accounts created or modified without a corresponding authorized change record.
- Alert on anomalous successful authentication events and peering events that do not correspond to authorized maintenance windows or known peer addresses.
- Enforce an allowlist of known SD-WAN peers and prevent connections from untrusted devices; isolate the management interface from untrusted network segments.
- If compromise is suspected, open a Cisco TAC case with the CVE-ID in the title, as directed by the Cisco advisory.
- Follow the full CISA ED 26-03 Hunt and Hardening Guidance. If root-level compromise is identified on a control-plane component, deploy fresh vManage, vSmart, and vBond instances from patched OVA or QCOW2 images rather than attempting in-place remediation of a compromised host.
Indicators of Compromise
Log indicators (from Cisco advisory cisco-sa-sdwan-rpa2-v69WY2SW):
- Entries in /var/log/auth.log matching "Accepted publickey for vmanage-admin from <IP>" where the source IP is not an authorized management host
- Output of "show control connections-history detail" containing "no challenge-ack" for one or more connections
- Unexpected or unrecognized peers visible in "show control connections detail"
Configuration and account indicators (from CISA ED 26-03 supplemental guidance):
- Unauthorized SSH public keys in authorized_keys files on SD-WAN control-plane hosts
- Accounts with access to the control plane that do not correspond to authorized personnel or recognized service accounts
- vEdge peers enrolled in controller state that were not explicitly provisioned or are no longer recognized as valid organizational assets
Network indicators:
- Control-plane connections originating from IP addresses outside the authorized SD-WAN peer address space
- Management-interface traffic from addresses not included in the authorized management allowlist
- NETCONF configuration change events that do not correspond to authorized change activity or recognized administrative sessions
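As an added example (not from the Cisco advisory or CISA guidance), the following Python script applies the two log-based checks described in the Detection Guidance and Indicators of Compromise sections: it flags "Accepted publickey for vmanage-admin" logins in /var/log/auth.log from hosts outside a management allowlist, and it pulls "no challenge-ack" entries out of captured "show control connections-history detail" output. The allowlist, the sample log lines and the column layout of the CLI sample are all constructed for illustration; the real CLI output format is not reproduced here.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed allowlist of authorized management hosts (assumption; replace with your inventory).
AUTHORIZED_MGMT = [ip_network("10.10.0.0/24"), ip_network("192.0.2.10/32")]

# Standard OpenSSH success line; the advisory's indicator is this pattern for user vmanage-admin.
AUTH_RE = re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)")


def is_authorized(ip: str) -> bool:
    """True if the source address falls inside the management allowlist."""
    addr = ip_address(ip)
    return any(addr in net for net in AUTHORIZED_MGMT)


def suspicious_auth_logins(lines, user="vmanage-admin"):
    """Return (line, ip) for successful public-key logins of `user` from non-allowlisted hosts."""
    hits = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m and m.group("user") == user and not is_authorized(m.group("ip")):
            hits.append((line.strip(), m.group("ip")))
    return hits


def no_challenge_ack_entries(cli_output: str):
    """Return lines of captured 'show control connections-history detail' output flagged no challenge-ack."""
    return [ln.strip() for ln in cli_output.splitlines() if "no challenge-ack" in ln]


# Constructed sample input (not real log data); 198.51.100.77 is outside the allowlist.
SAMPLE_AUTH_LOG = """\
May 14 02:11:03 vsmart sshd[2211]: Accepted publickey for vmanage-admin from 10.10.0.5 port 50122 ssh2: RSA SHA256:EXAMPLE
May 14 02:14:19 vsmart sshd[2290]: Accepted publickey for vmanage-admin from 198.51.100.77 port 41870 ssh2: RSA SHA256:EXAMPLE
May 14 02:15:40 vsmart sshd[2301]: Accepted password for admin from 10.10.0.5 port 50130 ssh2
"""

# Constructed CLI capture; column layout is illustrative, not Cisco's exact format.
SAMPLE_CLI = """\
PEER TYPE  PEER SYSTEM IP   PEER PUBLIC IP   STATE  ERROR
vedge      10.1.1.1         203.0.113.4      up     -
vedge      10.9.9.9         198.51.100.77    down   no challenge-ack
"""

if __name__ == "__main__":
    for line, ip in suspicious_auth_logins(SAMPLE_AUTH_LOG.splitlines()):
        print(f"[auth.log] vmanage-admin login from non-allowlisted host {ip}: {line}")
    for line in no_challenge_ack_entries(SAMPLE_CLI):
        print(f"[control connections-history] {line}")
```

A hit from either check is a trigger for the peer-inventory and account review steps above and, per the advisory, for opening a Cisco TAC case; it is not on its own proof of compromise.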
Disclosure Timeline
2026-05-14
Cisco published security advisory cisco-sa-sdwan-rpa2-v69WY2SW (Cisco Bug ID CSCwt50498), disclosing CVE-2026-20182 and releasing fixed software. The advisory identifies the vulnerability as a new flaw in control connection handshaking discovered in the course of work following an earlier February 2026 SD-WAN disclosure. Affected products are Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. Fixed releases include 20.9.9.1; 20.12.5.4, 20.12.6.2, and 20.12.7.1; 20.15.4.4 and 20.15.5.2; 20.18.2.2; and 26.1.1.1; customers on earlier or unsupported trains must migrate to a fixed release. Cisco confirmed there are no workarounds and noted awareness of limited exploitation in May 2026. The NVD record for CVE-2026-20182 was published on the same date. CISA added CVE-2026-20182 to the Known Exploited Vulnerabilities catalog with a required action due date of 2026-05-17, citing active exploitation. CISA simultaneously issued Supplemental Direction ED 26-03, directing Federal Civilian Executive Branch agencies to identify, update, and assess potential compromise of in-scope Cisco SD-WAN systems, and published Hunt and Hardening Guidance for Cisco SD-WAN infrastructure.
2026-05-15
The National Vulnerability Database completed initial analysis of CVE-2026-20182, recording the CVSS 3.1 base score of 10.0 CRITICAL and CWE-287 (Improper Authentication) classification.
2026-05-17
CISA KEV required action due date for Federal Civilian Executive Branch agencies to remediate CVE-2026-20182.
Sources & References
- Cybersecurity and Infrastructure Security Agency: Known Exploited Vulnerabilities Catalog — CVE-2026-20182 — Cybersecurity and Infrastructure Security Agency, 2026-05-14
- National Vulnerability Database: CVE-2026-20182 — National Vulnerability Database, 2026-05-14
- Cybersecurity and Infrastructure Security Agency: Supplemental Direction ED 26-03 — Hunt and Hardening Guidance for Cisco SD-WAN Systems — Cybersecurity and Infrastructure Security Agency, 2026-05-14
- Cisco Systems: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability (cisco-sa-sdwan-rpa2-v69WY2SW) — Cisco Systems, 2026-05-14