An authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller allows unauthenticated, remote attackers to gain administrator access.
CONFIRMED exploitation in the wild. This vulnerability was added to the CISA KEV (Known Exploited Vulnerabilities) catalog on 2026-05-14.
Immediate action is required. All internet-facing instances should be patched immediately.
Intelligence Metadata
First Reported By: thehackernews.com
Outbreak Velocity: 85 minutes spread to 2 unique domains
Consensus: 2 sources across 2 unique domains
CVSS Score: Not available
EPSS Score: Not available
CISA KEV Status: Confirmed
Exploit Risk Score: 0.200
Race Label: ZERO-DAY RACE
Technical Analysis
CVE-2026-20182 is an authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller. According to REPORTED information, the flaw permits a remote, unauthenticated attacker to gain administrative privileges on a vulnerable system. The exact technical mechanism of the bypass has not been detailed in the initial reports. The attack vector allows for a complete compromise of the SD-WAN controller, which serves as a central management point for the wide area network fabric. Successful exploitation grants the attacker the same permissions as a legitimate administrator, enabling subsequent actions such as traffic manipulation, lateral movement, and deployment of further malware into the managed network.
Affected Systems
Vendor: Cisco
Affected Versions:
Cisco Catalyst SD-WAN Controller
Exposure: Publicly facing management interfaces.
Blast Radius: High. Compromise of the SD-WAN controller can lead to loss of confidentiality, integrity, and availability for the entire network fabric it manages. Attackers can control routing, intercept traffic, and access connected internal networks.
Intelligence Context
The primary driver for immediate action is the CONFIRMED exploitation in the wild, evidenced by its addition to the CISA KEV catalog on 2026-05-14. The 'ZERO-DAY RACE' label indicates that threat actors were exploiting this vulnerability before or concurrently with the public disclosure and patch availability. While CVSS and EPSS scores are not yet available, the KEV status is the most critical prioritization metric for defenders. The low calculated Exploit Risk Score (0.200) is an artifact of the missing CVSS/EPSS data and should be disregarded; the real-world risk is high due to active, ongoing attacks.
Remediation & Defense
Patch immediately. Prioritize all publicly accessible Cisco Catalyst SD-WAN Controller instances. This is a CISA KEV-listed vulnerability under active exploitation.
Patch Status: Available
Patch Version: Refer to Cisco Security Advisory for specific patched versions.
Workarounds:
Not available. Patching is the only specified mitigation.
Detection Hints:
Monitor Cisco Catalyst SD-WAN Controller logs for unexpected or anomalous administrative login events.
Audit for unauthorized configuration changes, new user accounts with administrative privileges, or modifications to network routing policies.
Investigate any access to the management interface from untrusted or unusual IP addresses.
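The three hints above can be applied as a single triage pass once controller audit events have been normalized. The following is an added example, not code from Cisco or from this advisory; the event schema, field names, role label and trusted network are assumptions, and the sample events are constructed.

```python
import ipaddress

# Assumption: networks from which management access is expected.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
ADMIN_ROLES = {"admin"}  # assumption: role label emitted by your own log parser

# Constructed events in a hypothetical normalized schema (not real controller output).
SAMPLE_EVENTS = [
    {"ts": "2026-01-01T02:00:00Z", "action": "login", "role": "admin",
     "src_ip": "10.20.0.15", "result": "success"},
    {"ts": "2026-01-01T03:10:00Z", "action": "login", "role": "admin",
     "src_ip": "203.0.113.77", "result": "success"},
    {"ts": "2026-01-01T03:12:00Z", "action": "user_create", "target_role": "admin",
     "src_ip": "203.0.113.77"},
    {"ts": "2026-01-01T03:15:00Z", "action": "policy_change", "src_ip": "10.20.0.15"},
    {"ts": "2026-01-01T03:20:00Z", "action": "login", "role": "readonly",
     "src_ip": "198.51.100.4", "result": "failure"},
]

def is_trusted(src_ip):
    """True only if src_ip parses and lies inside a trusted management network."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # missing or malformed source is treated as untrusted
    return any(addr in net for net in TRUSTED_MGMT_NETS)

def triage(events):
    """Return (ts, severity, reasons) for every event matching a detection hint."""
    findings = []
    for ev in events:
        action = ev.get("action")
        untrusted = not is_trusted(ev.get("src_ip", ""))
        reasons = []
        if untrusted:
            reasons.append("management access from untrusted source")
        if (action == "login" and ev.get("result") == "success"
                and ev.get("role") in ADMIN_ROLES and untrusted):
            reasons.append("administrative login from untrusted source")
        if action == "user_create" and ev.get("target_role") in ADMIN_ROLES:
            reasons.append("new administrative account")
        if action == "policy_change":
            reasons.append("routing policy or configuration change")
        if reasons:
            # An admin login or a change made from an untrusted source ranks highest.
            severity = "high" if untrusted and len(reasons) > 1 else "medium"
            findings.append((ev.get("ts"), severity, reasons))
    return findings

if __name__ == "__main__":
    for ts, severity, reasons in triage(SAMPLE_EVENTS):
        print(ts, severity, "; ".join(reasons))
```

Changes made from a trusted source still surface at medium severity so they can be reconciled against approved change records.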