The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly identified security issue affecting Cisco Catalyst SD-WAN to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2026-20182, carries a maximum severity score of 10.0, highlighting its critical impact.
This vulnerability impacts the control connection and authentication mechanisms used for establishing trust between devices in Cisco Catalyst SD-WAN, specifically within the Controller (vSmart) and Manager (vManage) components. Cisco has already released updates to address the issue.
The weakness stems from improper validation within the authentication process, enabling a remote attacker without any prior authentication to send specially crafted requests that bypass security controls. By exploiting this flaw, an attacker can gain administrative-level access, assume a high-privileged internal account, interact with the NETCONF interface, and ultimately alter network configurations across the SD-WAN environment.
Cisco’s advisory explains that the flaw exists because the system’s peer authentication process does not function correctly. As a result, an attacker can effectively impersonate a trusted device within the SD-WAN fabric. Once access is achieved, the attacker can log in as a privileged internal user and manipulate the network using NETCONF, allowing widespread control over managed infrastructure.
Cisco’s Product Security Incident Response Team (PSIRT) confirmed that limited real-world exploitation of this vulnerability was observed as of May 2026. The company has strongly urged customers to update affected systems to patched versions as soon as possible.
Security researchers at Rapid7 noted similarities between CVE-2026-20182 and another previously exploited flaw, CVE-2026-20127, which also involved an authentication bypass in Cisco’s SD-WAN “vdaemon” service operating over DTLS on UDP port 12346. While the newly discovered issue is not a bypass of the earlier patch, it affects a similar portion of the networking stack and results in comparable risks.
According to Rapid7, the vulnerability allows a remote attacker to masquerade as a legitimate peer device. This enables the attacker to perform privileged operations, such as inserting malicious SSH keys into the authorized keys file of a high-privileged account (e.g., vmanage-admin). After doing so, the attacker can access the NETCONF service over SSH (TCP port 830) and execute arbitrary commands, effectively taking control of the system.
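A defender-side check for the last step of that chain, added here as an example (it is not from the article, Cisco or Rapid7): it parses an authorized_keys file and flags every key whose fingerprint is not on an approved baseline, which is how a planted key for an account like vmanage-admin would stand out. The file contents and key blobs are constructed, and the account name and baseline are assumptions.

```python
import base64
import hashlib
from dataclasses import dataclass

# Prefixes that identify the key-type token in an authorized_keys line.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")


@dataclass
class KeyEntry:
    line_no: int
    key_type: str
    fingerprint: str
    comment: str
    options: str


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[KeyEntry]:
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # The key type may be preceded by an options field (from=, command=, ...).
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append(KeyEntry(n, "unparseable", "", line, ""))  # still worth review
            continue
        try:
            fp = fingerprint(tokens[idx + 1])
        except ValueError:
            fp = ""  # malformed blob: never matches the baseline, so it is flagged
        entries.append(KeyEntry(n, tokens[idx], fp, " ".join(tokens[idx + 2:]), " ".join(tokens[:idx])))
    return entries


def audit_authorized_keys(text: str, approved: set[str]) -> list[KeyEntry]:
    """Return entries whose fingerprint is not in the approved baseline."""
    return [e for e in parse_authorized_keys(text) if e.fingerprint not in approved]


# Constructed sample data: the blobs are not real keys, just base64 bytes.
APPROVED_BLOB = base64.b64encode(b"constructed: approved admin key").decode()
RESTRICTED_BLOB = base64.b64encode(b"constructed: restricted backup key").decode()
UNKNOWN_BLOB = base64.b64encode(b"constructed: key nobody approved").decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for a privileged account (assumed: vmanage-admin)",
    f"ssh-ed25519 {APPROVED_BLOB} ops-admin@jumphost",
    f'from="10.0.0.0/8",no-pty ssh-rsa {RESTRICTED_BLOB} backup@nms',
    f"ssh-ed25519 {UNKNOWN_BLOB} constructed-unknown",
])
```

Run the audit against a baseline of the two approved fingerprints and only the fourth line is reported; pairing this with alerts on new NETCONF sessions over TCP port 830 covers both ends of the described chain.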
Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies are required to remediate vulnerabilities listed in the KEV catalog within specified deadlines to reduce exposure to active threats.
CISA has set a deadline of May 17, 2026, for federal agencies to address this vulnerability. In addition, private-sector organizations are strongly encouraged to review the KEV catalog and prioritize remediation of any listed vulnerabilities within their own environments to reduce risk.
