CVE-2026-20182

Published May 14, 2026

Last updated 5 days ago

Exploit knownCVSS critical 10.0

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-20182 is an authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). The flaw resides in the peering authentication mechanism during the control connection handshaking process, which does not function correctly. This allows an unauthenticated, remote attacker to bypass authentication by sending crafted requests to the affected system. A successful exploit enables the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as a high-privileged, non-root user account. From this position, the attacker can access NETCONF, which then allows them to manipulate the network configuration for the entire SD-WAN fabric. This vulnerability has been added to CISA's Known Exploited Vulnerabilities Catalog.

Description
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks.  A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
Source
psirt@cisco.com
NVD status
Analyzed
Products
catalyst_sd-wan_manager, sd-wan_vsmart_controller

Risk scores

CVSS 3.1

Type
Secondary
Base score
10
Impact score
6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
Exploit added on
May 14, 2026
Exploit action due
May 17, 2026
Required action
Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Weaknesses

psirt@cisco.com
CWE-287

Social media

Hype score
Not currently trending

  1. New critical zero-days & CVEs: OWA Spoofing (CVE-2026-42897), SD-WAN (CVE-2026-20182), and PAN-OS (CVE-2026-0300) actively exploited. Threatens data privacy & integrity in transit. #Cybersecurity #ZeroDay #News

    @YourAnon_irc

    20 May 2026

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Two critical zero-days need your attention today. Unpatched Exchange CVE-2026-42897: exploited via crafted email, no patch yet. Cisco SD-WAN CVE-2026-20182 (CVSS 10.0): max-severity auth bypass, CISA 3-day federal deadline. Both active in the wild now. https://t.co/F0vOZsc5S2 htt

    @OpenVPN

    19 May 2026

    105 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Top 5 Trending CVEs: 1 - CVE-2026-2276 2 - CVE-2026-42945 3 - CVE-2026-20182 4 - CVE-2026-40369 5 - CVE-2026-29205 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    19 May 2026

    140 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🔴 CVE-2026-20182 في Cisco Catalyst SD-WAN Controller تُستغل الآن كـ zero-day من مجموعة UAT-8616. المهاجم يتجاوز المصادقة عبر UDP 12346 ويحقن SSH keys ويعيد كتابة إعدادات SD-WAN بالكامل. CISA أصدرت

    @KasperskyDev

    19 May 2026

    148 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  5. 【Cisco SD-WAN CVE-2026-20182、KEV入り・管理者権限取得リスク】 Cisco Catalyst SD-WAN Controller/ManagerのCVE-2026-20182がCISA KEVに追加され、CVSS

    @01ra66it

    19 May 2026

    195 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Top 5 Trending CVEs: 1 - CVE-2026-41089 2 - CVE-2023-38606 3 - CVE-2020-17103 4 - CVE-2026-46333 5 - CVE-2026-20182 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    18 May 2026

    159 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  7. cisco dropped CVE-2026-20182. an unauth bug, CVSS 10.0, exploit available. if you have cisco in your stack, rotate keys and lock down 0.0.0.0/0 access on port 22. #Cisco #exploit #CVE-2026-20182 https://t.co/ylsKtqEBBU

    @trerbbb

    18 May 2026

    84 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Cisco SD-WAN (CVE-2026-20182) and Exchange Server (CVE-2026-42897) are actively exploited in the wild! Discover the top threats you must patch now. #CyberSecurity #InfoSec #VulnerabilityAlert #CVE202620182 #CVE202642897 #Cisco #ExchangeServer #ZeroDay https://t.co/sHCEyUdZVd htt

    @the_yellow_fall

    18 May 2026

    428 Impressions

    1 Retweet

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  9. 20:24 UTC: CVE-2026-20182 disclosed. ‼️CVE-2026-20182: Critical Cisco SD-WAN Auth Bypass Under Active Exploitation 0day Intel: ‼️CVE-2026-20182: Critical Cisco SD-WAN Auth Bypass Under Active Exploitation

    @lyrie_ai

    18 May 2026

    63 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  10. Ciscoが、悪用されている別のSD-WANゼロデイ脆弱性(CVE-2026-20182)に対するパッチを公開 Cisco patches another actively exploited SD-WAN zero-day (CVE-2026-20182) #HelpNetSecurity (May 15) https://t.co/b7X1pMUsJg

    @foxbook

    18 May 2026

    273 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. CVE-2026-20182: Today @rapid7 and Cisco are disclosing CVE-2026-20182, a critical (CVSS 10.0) auth bypass affecting Cisco Catalyst SD-WAN Controller, found by @CryptoCat and I when we were researching CVE-2026-20127 last Feb. An unauth attacker can become the vmanage-admin…

    @lyrie_ai

    18 May 2026

    71 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  12. 米当局、「Cisco SD-WAN」の脆弱性悪用で緊急対応を要請:Security NEXT https://t.co/AJJoyM3PCs "認証をバイパスできる脆弱性「CVE-2026-20182」が判明。共通脆弱性評価システム「CVSSv3.1」のベーススコアは「10.0」と評価…

    @catnap707

    17 May 2026

    296 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. CVE-2026-20182: 🚨 Rapid7 Labs has discovered an authentication bypass vuln. affecting #Cisco Catalyst SD-WAN Controller (FKA vSmart). CVE-2026-20182 has a Critical CVSSv3.1 score of 10.0 and allows a remote unauth. attacker to perform privileged operations. Read on:…

    @lyrie_ai

    17 May 2026

    58 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  14. Critical exploits (May 16): Exchange (CVE-2026-42897), SD-WAN (CVE-2026-20182) & DNS (CVE-2026-41096) severely threaten data privacy/integrity in transit. NGINX QUIC/SSL flaws deepen risks. #Cybersecurity #Vulnerabilities #News

    @YourAnon_irc

    17 May 2026

    108 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  15. Cisco Catalyst SD-WAN CVE-2026-20182: Critical Auth Bypass https://t.co/1EUGD7L3jB #Cybertrending #Cybernewsdaily #Cybersecurity

    @TheCyberDef

    17 May 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. Cisco Catalyst SD-WAN CVE-2026-20182: Critical Auth Bypass https://t.co/nPkM1b8osh #Cybertrending #Cybernewsdaily #Cybersecurity

    @CyberInsights1

    17 May 2026

    10 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  17. CISO Daily Briefing: Cisco Catalyst SD-WAN CVE-2026-20182 (CVSS 10.0) hits federal patch deadline today — UAT-8616 actively exploiting; OpenClaw 4-CVE chain reaches CVSS 9.6 via unauthenticated sandbox escape; CISA issued its first agentic AI security guidance with 12–18 mont

    @cloudsa

    17 May 2026

    273 Impressions

    0 Retweets

    4 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  18. 🚨 Threat Intel Brief — May 17, 2026 🔴 CRITICAL: Cisco SD-WAN CVE-2026-20182 — patch DUE TODAY 🔴 Palo Alto PAN-OS CVE-2026-0300 — RCE active 🟠 Active: ClearFake, Mirai, Vidar Stealer, QakBot C2 📊 500+ IOCs | 1,592 CISA KEVs tracked #ThreatIntel #Cybersecurit

    @404LABSx

    17 May 2026

    122 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits https://t.co/upQoopAITC

    @PVynckier

    17 May 2026

    94 Impressions

    3 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Intel Report [CRITICAL] - Cisco Talos has disclosed the active exploitation of CVE-2026-20182, a maximum-severity (CVSS 10.0) authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager, attributed with high confidence to a... https://t.co/zzXcDcSpev

    @EnigmaGlobalSW

    17 May 2026

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. CVE-2026-20182、認証バイパスで管理者権限を奪取。 Cisco SD-WAN Controllerに緊急パッチ。 ↓詳細はリプライで #脆弱性 https://t.co/UCqs1Wvn8X

    @motch_dev

    17 May 2026

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  22. CVE-2026-20182: CVSS 10.0 Cisco SD-WAN Auth Bypass — Patch Before May 17 https://t.co/R0DGHRoNWR

    @Noskinnyjean

    16 May 2026

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. Cisco Catalyst SD-WAN CVE-2026-20182: Critical Auth Bypass https://t.co/nPkM1b8osh #Cybertrending #Cybernewsdaily #Cybersecurity

    @CyberInsights1

    16 May 2026

    3 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  24. CISA adds critical Cisco SD-WAN vulnerability CVE-2026-20182 to KEV catalog. Agencies must remediate by May 17, 2026. Link: https://t.co/E5BCAkzOrh #Cybersecurity #Cisco #SDWAN #Vulnerability #CISA #KEV #Exploit #Remediation #Agencies #Security #Networking #Routers #Patch #Threat

    @dailytechonx

    16 May 2026

    82 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. Top 5 Trending CVEs: 1 - CVE-2026-44581 2 - CVE-2026-45185 3 - CVE-2026-44578 4 - CVE-2026-20182 5 - CVE-2026-42945 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    16 May 2026

    144 Impressions

    0 Retweets

    0 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  26. CVE-2026-20182: Active Auth Bypass in Cisco Catalyst SD-WAN Controller Enables Admin Takeover https://t.co/f9wo0r8ogn

    @BinaryPh

    16 May 2026

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. Cisco SD-WAN CVE-2026-20182 (CVSS 10) added to CISA KEV—patch by May 17. WP Burst Statistics CVE-2026-8181 mass-exploited. TeamPCP selling 5GB Mistral repos after TanStack hit. Full brief: https://t.co/pMXSVJmVWs #Daily #ThreatIntel #InfoSec

    @ORIntelligence

    15 May 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller (FIXED) https://t.co/a3197HewW5 Rapid7 Labs has uncovered a critical authentication bypass vulnerability, CVE-2026-20182, affecting Cisco Catalyst SD-WAN Controller (formerly vSmart). This vulne

    @f1tym1

    15 May 2026

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. 🚨 Heads up: CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits Critical CVE / Exploit: The U.S.Cybersecurity and Infrastructure Sec... https://t.co/bpSlI8McRv #CVE #CyberSecurity #Privacy #SecurityAlert

    @MyDooM15

    15 May 2026

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. New critical flaws: Exchange zero-day (CVE-2026-42897) actively exploited, Windows DNS Client RCE (CVE-2026-41096), & Cisco SD-WAN auth bypass (CVE-2026-20182). These threaten data privacy/integrity in transit. Patch NOW! #Cybersecurity #ZeroDay #News

    @YourAnon_irc

    15 May 2026

    84 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. CVE-2026-20182: Cisco Catalyst SD-WAN Auth Bypass Added to CISA KEV https://t.co/5UAMeJnvzF CVE-2026-20182: Cisco Catalyst SD-WAN Auth Bypass Added to CISA KEV Cisco has disclosed CVE-2026-20182, a critical authentication bypass affecting Cisco Catalyst SD-WAN Controller (for

    @f1tym1

    15 May 2026

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. CVE-2026-20182: Critical Authentication Bypass in Cisco SD-WAN Can Grant Admin Access https://t.co/JThWwz14iW A vulnerability affecting Cisco Catalyst SD-WAN Controller has drawn urgent attention after Cisco, Rapid7, and CISA confirmed active exploitation. CVE-2026-20182 is a

    @f1tym1

    15 May 2026

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. Cisco patches another actively exploited SD-WAN zero-day (CVE-2026-20182) https://t.co/lDhaaziYFP Cisco has patched yet another Catalyst SD-WAN Controller authentication bypass vulnerability (CVE-2026-20182) that has been exploited as a zero-day by “a highly sophisticated cybe

    @f1tym1

    15 May 2026

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. 🚨 CVE-2026-20182: Critical Cisco SD-WAN authentication bypass added to CISA KEV after active exploitation. ✅ Action: Upgrade affected Cisco SD-WAN Controller/Manager now. https://t.co/yTnpvNTMRs #Cisco #SDWAN #CVE #CISAKEV #Vulert

    @vulert_official

    15 May 2026

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. Cisco patches another actively exploited SD-WAN zero-day (CVE-2026-20182): Cisco has patched yet another Catalyst SD-WAN Controller authentication bypass vulnerability (CVE-2026-20182) that has been exploited as a zero-day by “a highly sophisticated… https://t.co/WuwLclfs6f

    @shah_sheikh

    15 May 2026

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. CVE-2026-20182: Cisco Catalyst SD-WAN Auth Bypass Added to CISA KEV https://t.co/BuoH94uhpM CVE-2026-20182: Cisco Catalyst SD-WAN Auth Bypass Added to CISA KEV Introduction to Malware Binary Triage (IMBT) Course Looking to level up your skills? Get 10% off using coupon code:

    @f1tym1

    15 May 2026

    62 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. 🔴 Cisco SD-WAN zero-day exploited: CVE-2026-20182 is CVSS 10 auth bypass with admin impact. 🔴 Exchange exploited in wild: CVE-2026-42897 hits on-prem OWA. Verify mitigations. https://t.co/pBWq66uIkZ

    @solomonneas

    15 May 2026

    69 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. 🚨 CVE-2026-20182 on CISA KEV Cisco SD-WAN auth bypass = instant admin access. Zero auth required. Actively exploited. If you're running this and haven't patched, you're already pwned. How many still think "it won't happen to us"? #infosec #CVE

    @OrizonCyber

    15 May 2026

    66 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  39. 🚨 Threat Intel May 15: Cisco SD-WAN CVE-2026-20182 (patch by May 17!), PAN-OS RCE CVE-2026-0300, Linux PrivEsc CVE-2026-31431 due TODAY. Active: ClearFake, NWHStealer, QakBot C2. Canvas breach: 275M+ records. Stay patched! #CyberSecurity #ThreatIntel https://t.co/N3f33pwJSS

    @404LABSx

    15 May 2026

    61 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. CC-4784 - Exploitation of Zero-Day Vulnerability in Cisco Catalyst SD-WAN https://t.co/f46EWojau5 Severity: High CVE-2026-20182 could allow an unauthenticated attacker to bypass authentication and gain administrative privileges CVE-2026-20182 could allow an unauthenticated

    @f1tym1

    15 May 2026

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  41. Legacy exposure keeps paying off for attackers. CVE-2026-20182 makes Cisco SD-WAN controllers an urgent K… CVE-2026-20182 is a critical Cisco SD-WAN authentication bypass under active exploitation… 🔗 Read → https://t.co/XX9BHqBtR2

    @fynn_JourX

    15 May 2026

    48 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  42. 🛑 CVE-2026-20182 makes Cisco SD-WAN controllers an urgent KEV priority CVE-2026-20182 is a critical Cisco SD-WAN authentication bypass under active exploitation… 🔗 Details → https://t.co/J4zG2ob6D2

    @lucasverdan

    15 May 2026

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  43. For defenders, cve-2026-20182 makes cisco sd-wan controllers an urgent kev pri… should move fast. CVE-2026-20182 is a critical Cisco SD-WAN authentication bypass under active exploitation… 🔗 Details → https://t.co/lcJlGktBK8

    @SocXAInvaders

    15 May 2026

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  44. Cisco SD-WAN CVE-2026-20182 actively exploited by UAT-8616. node-ipc npm (3.35M/mo) backdoored — creds exfil via DNS. 18-yr NGINX RCE CVE-2026-42945. CISA ICS x13. .NET EoP. Full brief: https://t.co/OS6nwum7v3 #Daily #ThreatIntel #InfoSec

    @ORIntelligence

    14 May 2026

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor VulnerabilityCVE-2026-20133
  2. A vulnerability in the API user authentication of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain access to an affected system as a user who has the netadmin role. The vulnerability is due to improper authentication for requests that are sent to the API. An attacker could exploit this vulnerability by sending a crafted request to the API of an affected system. A successful exploit could allow the attacker to execute commands with the privileges of the netadmin role. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability. CVE-2026-20129
  3. A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.CVE-2026-20128
  4. Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass VulnerabilityCVE-2026-20127
  5. A vulnerability in Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker with low privileges to gain root privileges on the underlying operating system. This vulnerability is due to an insufficient user authentication mechanism in the REST API. An attacker could exploit this vulnerability by sending a request to the REST API of the affected system. A successful exploit could allow the attacker to gain root privileges on the underlying operating system.CVE-2026-20126

References

Sources include official advisories and independent security research.