Cisco has identified a critical authentication bypass vulnerability in its Catalyst SD-WAN Controller, designated as CVE-2026-20182, which has been actively exploited in zero-day attacks. This flaw allows attackers to gain administrative privileges on compromised devices, posing significant risks to network security. Detailed information about the affected product is available on Cisco’s official website.
The vulnerability carries a maximum severity score of 10.0 and impacts both on-premises and cloud deployments of Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. The issue arises from a malfunction in the peering authentication mechanism, which fails to properly validate requests. Attackers exploit this by sending specially crafted requests to the affected system.
Successful exploitation grants the attacker access to an internal, high-privileged, non-root user account on the SD-WAN Controller. From this account, the attacker can utilize the NETCONF protocol to manipulate network configurations across the SD-WAN fabric. This capability can lead to unauthorized control over network traffic routing and potentially disrupt or intercept communications between branch offices, data centers, and cloud environments connected by the SD-WAN.
Cisco Catalyst SD-WAN is a software-defined networking platform designed to securely route traffic using encrypted connections. It centrally manages network traffic across multiple sites, making the SD-WAN Controller a critical component in maintaining network integrity and security.
The company detected active exploitation of this flaw in May but has not disclosed specific attack methods. However, Cisco has provided indicators of compromise (IOCs) to help administrators identify potential intrusions. One key sign is unauthorized peering events in SD-WAN Controller logs, which could indicate attempts to register rogue devices within the SD-WAN fabric.
By adding a rogue peer, attackers can insert malicious devices that appear legitimate into the network. These devices can then establish encrypted connections and advertise networks controlled by the attacker, enabling lateral movement deeper into the organization’s infrastructure.
The vulnerability was discovered by security researchers at Rapid7 during an investigation of a related Cisco SD-WAN controller flaw, CVE-2026-20127, which Cisco fixed in February. Similar to CVE-2026-20182, the earlier flaw was exploited in zero-day attacks by a threat actor known as “UAT-8616” to create rogue peers within affected networks.
Cisco has released security updates addressing CVE-2026-20182 and advises that no workarounds fully mitigate the issue. The recommended course of action is to apply the provided patches as soon as possible. Additionally, Cisco suggests restricting access to SD-WAN management and control-plane interfaces to trusted internal networks or specific authorized IP addresses. Reviewing authentication logs for suspicious login attempts is also critical.
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20182 to its Known Exploited Vulnerabilities Catalog, mandating federal agencies to patch affected devices by May 17, 2026. This highlights the urgency for organizations to prioritize remediation efforts.
Indicators of Compromise and Detection
Administrators should closely examine logs from any internet-exposed Catalyst SD-WAN Controller systems for signs of unauthorized access or suspicious peering activity. Cisco recommends reviewing the authentication log file located at /var/log/auth.log for entries indicating successful logins using public key authentication for the user vmanage-admin from unknown IP addresses.
IP addresses recorded in the logs should be cross-checked against the configured System IPs visible in the Cisco Catalyst SD-WAN Manager web interface under WebUI > Devices > System IP. If an IP address not listed in the configuration is found to have authenticated successfully, the device should be considered compromised.
In such cases, Cisco advises opening a Technical Assistance Center (TAC) case promptly to investigate and contain the incident. Additional scrutiny of SD-WAN Controller logs is necessary to detect unauthorized peering events, as attackers may attempt to register rogue devices to maintain persistent access.
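The log review described above can be scripted so it is repeated consistently across every exposed controller. The following is an added example, not code from Cisco or from the original article: it parses `/var/log/auth.log` lines for successful public key logins by the `vmanage-admin` user and flags any whose source address is not in the list of configured System IPs taken from SD-WAN Manager (WebUI > Devices > System IP). It assumes the controller's auth.log uses the standard OpenSSH `sshd` "Accepted publickey" line format; the sample log lines and addresses are constructed for the example and are not real indicators of compromise.

```python
import re
from ipaddress import ip_address

# Regular expression for an OpenSSH "Accepted publickey" line. The SD-WAN
# Controller's /var/log/auth.log is assumed to use the standard sshd format;
# that is an assumption of this example, not something the advisory states.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# The internal account named in Cisco's detection guidance.
MONITORED_USER = "vmanage-admin"


def parse_accepted_logins(lines):
    """Yield (timestamp, user, source_ip) for every successful public key login."""
    for line in lines:
        m = ACCEPTED_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("user"), m.group("ip")


def find_suspicious_logins(lines, configured_system_ips, user=MONITORED_USER):
    """Return logins for `user` whose source IP is not a configured System IP.

    configured_system_ips: IP strings copied from SD-WAN Manager
    (WebUI > Devices > System IP). Any successful public key login for `user`
    from an address outside that set is returned as a finding; per Cisco's
    guidance such a device should be treated as compromised.
    """
    known = {ip_address(ip) for ip in configured_system_ips}
    findings = []
    for ts, login_user, ip in parse_accepted_logins(lines):
        if login_user != user:
            continue  # other accounts are out of scope for this check
        if ip_address(ip) not in known:
            findings.append({"timestamp": ts, "user": login_user, "source_ip": ip})
    return findings


# Constructed sample data: these log lines and addresses are made up for the
# example and are not real indicators of compromise.
SAMPLE_SYSTEM_IPS = ["10.10.1.1", "10.10.1.2", "10.10.1.3"]
SAMPLE_AUTH_LOG = """\
May  4 02:11:07 vsmart sshd[4121]: Accepted publickey for vmanage-admin from 10.10.1.2 port 51144 ssh2: RSA SHA256:EXAMPLEKEY
May  4 02:15:33 vsmart sshd[4198]: Failed publickey for vmanage-admin from 198.51.100.23 port 40022 ssh2: RSA SHA256:EXAMPLEKEY
May  4 02:15:41 vsmart sshd[4199]: Accepted publickey for vmanage-admin from 198.51.100.23 port 40031 ssh2: RSA SHA256:EXAMPLEKEY
May  4 03:02:10 vsmart sshd[4310]: Accepted publickey for admin from 10.10.1.3 port 50010 ssh2: RSA SHA256:EXAMPLEKEY
""".splitlines()

if __name__ == "__main__":
    # In practice, read the real file: open("/var/log/auth.log") instead of the sample.
    for f in find_suspicious_logins(SAMPLE_AUTH_LOG, SAMPLE_SYSTEM_IPS):
        print(f"SUSPICIOUS: {f['user']} logged in from {f['source_ip']} at {f['timestamp']}")
```

Only successful ("Accepted") logins are counted; the failed attempt from the same unknown address in the sample is deliberately ignored by the regex, since Cisco's indicator is a successful authentication, and a match against the configured System IP set is the deciding check, not the address's mere presence in the log.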
Mitigation and Protection Steps
Applying the official Cisco software updates remains the only reliable method to fully resolve the CVE-2026-20182 vulnerability. Organizations should prioritize patch deployment across all affected systems.
Other mitigation strategies include:
- Limiting management and control-plane interface access to trusted internal IP addresses or secure VPN connections.
- Implementing strict network segmentation to reduce the attack surface for SD-WAN infrastructure.
- Regularly monitoring authentication and system logs for anomalies.
- Using multi-factor authentication to enhance access controls where supported.
- Employing endpoint protection solutions to detect and block malicious activity related to network intrusion attempts. Tools like Malwarebytes can help in identifying and removing threats on compromised endpoints.
Given the critical nature of this flaw and active exploitation, organizations using Cisco Catalyst SD-WAN should review their security posture immediately. Prompt action will reduce the risk of attackers gaining unauthorized control and manipulating network traffic within the SD-WAN environment.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.