Cisco has disclosed a critical authentication bypass vulnerability in its Catalyst SD-WAN Controller and SD-WAN Manager, tracked as CVE-2026-20182, carrying a maximum CVSS score of 10.0 — and it's already being actively exploited in zero-day attacks. The flaw was discovered by Rapid7 while investigating a separate SD-WAN controller vulnerability, CVE-2026-20127, which had itself been exploited in zero-day attacks since 2023 by a threat actor tracked as UAT-8616. CISA has added CVE-2026-20182 to its Known Exploited Vulnerabilities Catalogue, ordering federal agencies to patch by 17 May 2026, according to BleepingComputer.
This isn't a theoretical risk — Cisco confirmed it detected active exploitation in May 2026. The vulnerability sits in the peering authentication mechanism, which, according to Cisco's own advisory, "is not working properly." What that means in practice is that an attacker can send crafted requests to an affected controller, authenticate as an internal high-privileged non-root user account, and then access NETCONF. From there, they can manipulate network configuration across your entire SD-WAN fabric. That's not privilege escalation on a single host. That's control over how traffic flows between your branch offices, data centres, and cloud environments.
The rogue peering angle makes this particularly serious. By successfully registering a rogue device in your SD-WAN fabric, an attacker inserts what appears to be a legitimate peer. That device can establish encrypted connections and advertise networks under the attacker's control. Your monitoring tools may see encrypted SD-WAN traffic and treat it as normal. The attacker now has a foothold that blends into the architecture you've built to protect yourself — and they can use it to move deeper into your organisation, well beyond the initial entry point.
The connection to CVE-2026-20127 and UAT-8616 is worth keeping in mind. That earlier vulnerability was exploited specifically to create rogue peers, going back to 2023. Rapid7 found CVE-2026-20182 while looking into that same class of problem. You're not dealing with an isolated bug — you're dealing with a threat actor who has demonstrated sustained, specific interest in SD-WAN peering mechanisms as an intrusion pathway. Patching CVE-2026-20182 is urgent, but it doesn't close the chapter on this threat pattern.
The vulnerability affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager across both on-premises and SD-WAN Cloud deployments. Cisco has not specified which software version ranges are affected beyond these product lines, so you should consult Cisco's advisory directly for version-specific guidance.
Any organisation running internet-exposed Catalyst SD-WAN Controller systems is at elevated risk given active exploitation. The CISA mandate targets federal agencies, but the scope of affected deployments extends to enterprises, financial institutions, and any organisation using Cisco SD-WAN to connect distributed sites. There are no workarounds that fully mitigate the issue — patching is the only real remediation path.
Cisco has published specific log entries to help identify whether your environment has been compromised. Reviewing these should be an immediate priority if you're running any internet-exposed Catalyst SD-WAN Controller. These are the indicators of compromise Cisco has shared.
Suspicious SSH authentication log entry (auth.log): Look for entries in /var/log/auth.log matching the pattern Accepted publickey for vmanage-admin from unrecognised IP addresses. Example format: 2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from [IP] port [PORT] ssh2: RSA SHA256:[KEY]
Unauthorised peering activity (SD-WAN Controller logs): Look for unexpected control connection entries in vSmart logs. Example format: Jul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-c — any continuation of this pattern from an unknown peer should be treated as a compromise indicator.
Unknown System IPs: Cross-reference IP addresses appearing in authentication logs against the configured System IPs listed in Cisco Catalyst SD-WAN Manager under WebUI > Devices > System IP. Any IP that authenticated successfully but doesn't appear in that list indicates a compromised device.
Patch immediately. Cisco has released security updates addressing CVE-2026-20182. There are no workarounds that fully mitigate the vulnerability. Apply the available patches to all affected Cisco Catalyst SD-WAN Controller and SD-WAN Manager instances, both on-premises and cloud-deployed, as a priority.
Audit your authentication logs now. Pull /var/log/auth.log from any internet-exposed Catalyst SD-WAN Controller and search for Accepted publickey for vmanage-admin entries. Compare every source IP against your known, configured System IPs in the SD-WAN Manager web UI. Any unknown IP that successfully authenticated means you should treat that device as compromised and open a Cisco TAC case immediately.
Review SD-WAN Controller logs for rogue peering events. Check vSmart and controller logs for unexpected control connection activity that may indicate an attacker has attempted to register an unauthorised device in your SD-WAN fabric. An unknown peer that has successfully connected could already be advertising routes and intercepting or redirecting traffic.
Restrict access to management and control-plane interfaces. Cisco explicitly recommends limiting access to SD-WAN management and control-plane interfaces to trusted internal networks or specifically authorised IP addresses. If your controllers are currently internet-exposed with no such restriction, that needs to change now, not after patching.
Review CVE-2026-20127 exposure as well. Given that Rapid7 discovered this vulnerability while researching CVE-2026-20127, and that UAT-8616 exploited that earlier flaw to create rogue peers since 2023, confirm your environment was fully remediated following the February fix for CVE-2026-20127. If there's any doubt, treat your SD-WAN fabric as potentially compromised and investigate accordingly.
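The auth.log check described in the indicators above and in the audit step can be scripted. The following is an added example, not Cisco's or Rapid7's code: it parses the sshd "Accepted publickey" line format quoted in the advisory, keeps only vmanage-admin logins, and flags any source IP that is not in the allow-list you export from SD-WAN Manager (WebUI > Devices > System IP). The log lines, the allow-list and the fingerprints are constructed sample values.

```python
import re
import ipaddress

# sshd "Accepted publickey" format as quoted for /var/log/auth.log on the
# controller; bracketed placeholders in the advisory become named groups here.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+"
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) "
    r"ssh2: (?P<keytype>\S+) SHA256:(?P<fp>\S+)$"
)

def parse_auth_line(line):
    """Return the fields of an 'Accepted publickey' line, or None if it is anything else."""
    m = AUTH_RE.match(line.strip())
    return m.groupdict() if m else None

def find_unknown_vmanage_admin_logins(lines, known_system_ips, user="vmanage-admin"):
    """Return successful `user` logins whose source IP is outside the configured System IPs.
    known_system_ips: IPs or CIDRs exported from SD-WAN Manager (constructed here)."""
    allowed = [ipaddress.ip_network(x, strict=False) for x in known_system_ips]
    hits = []
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None or rec["user"] != user:
            continue  # failed logins, password logins and other users are out of scope
        try:
            src = ipaddress.ip_address(rec["ip"])
        except ValueError:
            hits.append(rec)  # unparseable source: surface it rather than drop it
            continue
        if not any(src in net for net in allowed):
            hits.append(rec)
    return hits

# Constructed sample log; the second line is the kind of entry that should alert.
SAMPLE_AUTH_LOG = """\
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from 10.10.1.5 port 51022 ssh2: RSA SHA256:AAAAexamplefingerprint
2026-02-10T22:53:01+00:00 vm sshd[812]: Accepted publickey for vmanage-admin from 198.51.100.77 port 40211 ssh2: RSA SHA256:BBBBexamplefingerprint
2026-02-10T22:54:10+00:00 vm sshd[820]: Accepted password for admin from 10.10.1.9 port 52000 ssh2
2026-02-10T22:55:00+00:00 vm sshd[833]: Failed publickey for vmanage-admin from 203.0.113.9 port 4000 ssh2: RSA SHA256:CCCC
"""
KNOWN_SYSTEM_IPS = ["10.10.1.0/24"]  # constructed allow-list, replace with your export

if __name__ == "__main__":
    for rec in find_unknown_vmanage_admin_logins(SAMPLE_AUTH_LOG.splitlines(), KNOWN_SYSTEM_IPS):
        print(f"ALERT {rec['ts']} {rec['user']} from {rec['ip']} key SHA256:{rec['fp']}")
```

Any hit is a device to treat as compromised per Cisco's guidance; run it against the full history of auth.log, not just the current file, since the actor has been active since 2023.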
Cisco has confirmed that CVE-2026-20182 affects both on-premises and SD-WAN Cloud deployments of the Cisco Catalyst SD-WAN Controller and SD-WAN Manager. If you're running Cisco's managed cloud option rather than on-prem infrastructure, you're still in scope and should confirm patch status with Cisco directly.
An attacker who exploits the flaw authenticates as a high-privileged internal user, gains access to NETCONF, and can manipulate network configuration across your SD-WAN fabric. More specifically, they can register a rogue device as a legitimate peer, allowing that device to establish encrypted connections and advertise attacker-controlled networks — creating a pathway to move deeper into your environment.
Cisco states there are no workarounds that fully mitigate the issue. The only meaningful interim step is restricting access to SD-WAN management and control-plane interfaces to trusted internal networks or authorised IP addresses only, combined with aggressive monitoring of authentication logs for suspicious activity. That reduces exposure but doesn't eliminate the underlying vulnerability.
UAT-8616 is a threat actor tracked by Cisco that exploited the related vulnerability CVE-2026-20127 to create rogue peers in organisations, with activity dating back to 2023. Rapid7 found CVE-2026-20182 while researching that earlier flaw. The connection suggests deliberate, sustained targeting of Cisco SD-WAN peering mechanisms specifically.