Exploitation of Zero-Day Vulnerability in Cisco Catalyst SD-WAN
CVE-2026-20182 could allow an unauthenticated attacker to bypass authentication and gain administrative privileges
Affected platforms
The following platforms are known to be affected:
Threat details
Additional Detail on Affected Products
CVE-2026-20182 affects the following Catalyst SD-WAN deployment types:
- On-Premises Deployment
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud - Cisco Managed
- Cisco Hosted SD-WAN Cloud - FedRAMP Environment
The Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes apply:
- Cisco SD-WAN Controllers are now Cisco Catalyst SD-WAN Control Components
- Cisco SD-WAN vAnalytics is now Cisco Catalyst SD-WAN Analytics
- Cisco SD-WAN vBond is now Cisco Catalyst SD-WAN Validator
- Cisco SD-WAN vManage is now Cisco Catalyst SD-WAN Manager
- Cisco SD-WAN vSmart is now Cisco Catalyst SD-WAN Controller
May 2026: New vulnerability CVE-2026-20182
In February 2026, Cisco released a security advisory to address critical vulnerability CVE-2026-20127 and the NHS England National CSOC released high-severity Cyber Alert CC-4748 in response.
In May 2026, Cisco released a security advisory to address a new vulnerability designated CVE-2026-20182, which is addressed in this alert. Although the vulnerabilities are very similar, the remediation actions are different and CVE-2026-20182 is only addressed in newer patches. Affected organisations must review the remediation actions below.
Introduction
Cisco has released a security advisory to address a critical vulnerability in Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Catalyst SD-WAN Manager (formerly SD-WAN vManage). Cisco Catalyst SD-WAN is a software-defined wide area network solution that enables secure, scalable, and flexible connectivity across enterprise networks.
Exploitation of CVE-2026-20182
Cisco has stated it is aware of limited exploitation of CVE-2026-20182 in the wild, and security researchers have released detailed technical write-ups.
Edge devices like Cisco Catalyst SD-WAN are often internet-facing by design and are highly attractive targets for attackers. An increasing number of edge device vulnerabilities are disclosed each year and rapidly exploited by attackers. The NHS England National CSOC assesses it is highly likely that vulnerabilities discovered in edge devices will continue to be exploited as zero-day vulnerabilities, or shortly after vendor disclosure.
Organisations are strongly encouraged to follow NCSC-UK's vulnerability management guidance, including patching edge devices as soon as possible if a critical vulnerability is identified.
Vulnerability details
- CVE-2026-20182 is an "improper authentication" vulnerability with a CVSSv3 score of 10. Successful exploitation could allow an unauthenticated, remote attacker to bypass authentication and gain access to a highly privileged, non-root user account. Using this account, the attacker could access NETCONF, allowing the attacker to manipulate the network configuration for the SD-WAN fabric.
Cisco has released another security advisory to address the following vulnerabilities in Catalyst SD-WAN:
- a high severity XML External Entity Injection vulnerability (CVE-2026-20224)
- a medium severity privilege escalation vulnerability (CVE-2026-20209)
- a medium severity privilege escalation vulnerability (CVE-2026-20210)
The above vulnerabilities are not currently exploited. However, all of the vulnerabilities listed above can be remediated in the patches for CVE-2026-20182.
Remediation advice
Affected organisations must review Cisco security advisory cisco-sa-sdwan-rpa2-v69WY2SW and complete the remediation steps detailed below.
Remediation steps
| Type | Step |
|---|---|
| Action | Strongly Recommended: Perform a Comprehensive Compromise Assessment. Organisations are strongly encouraged to follow the steps listed in the "Indicators of Compromise" section of Cisco's Advisory cisco-sa-sdwan-rpa2-v69WY2SW. Note: Organisations are strongly encouraged to complete this step first; or collect all relevant artifacts, including a snapshot of the device and all logs, to support threat hunting after patching. Patching before conducting the compromise assessment or collecting relevant artifacts may delete critical evidence. If evidence of compromise is detected, organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected]. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW |
| Patch | Required: Update to a Fixed Version. Organisations must update Catalyst SD-WAN Controller and Catalyst SD-WAN Manager to a fixed version. Applying the patch for CVE-2026-20182 also remediates the other vulnerabilities disclosed by Cisco and mentioned in this Cyber Alert. Organisations are strongly encouraged to use the Cisco Software Checker tool to determine the latest available version for their deployment. Note: Catalyst SD-WAN releases earlier than 20.9 are end-of-life. Organisations running an end-of-life version must migrate to a supported version and apply the patch to address CVE-2026-20182. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW |
| Guidance | Strongly Recommended: Hardening Guidance for Cisco Catalyst SD-WAN. Organisations are strongly encouraged to follow Cisco's hardening guidance for Catalyst SD-WAN. https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide |
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 15 May 2026 10:50 am