โ† Back to Cyber Intelligence News
Live Threat Intelligence API โ€” Query this CVE and all KEV alerts in real-time
cyber.mcp.brunosan.de
Cyber Threat Intelligence VULNERABILITY ๐Ÿ”ด 2ร—KEV

CVE-2026-20182 in Cisco Catalyst SD-WAN Controller: Actively Exploited, Added to CISA KEV

📅 May 16, 2026 | 🔴 Exploit Risk: 0.206 | 📊 Intelligence Score: 52/100 | 📰 7 sources synthesized
Intelligence Metadata

First Reported By: portal.auscert.org.au
Outbreak Velocity: 1089 minutes spread to 4 unique domains
Consensus: 7 sources across 4 unique domains
CVSS Score: 10.0 (Reported)
EPSS Score: 0.01561 (60th percentile)
CISA KEV Status: Confirmed
Exploit Risk Score: 0.2062
Race Label: ZERO-DAY RACE

Technical Analysis

CVE-2026-20182 is a vulnerability affecting Cisco Catalyst SD-WAN Controller. While specific technical details of the vulnerability class are not available in the provided intelligence, multiple sources confirm the impact is unauthorized administrative access to the affected device. This suggests a potential authentication bypass or privilege escalation vector. The attack allows a remote, unauthenticated actor to gain full control over the SD-WAN management interface.

There is a discrepancy in the CVSS score provided in the data feed ('None') versus the score reported by AUSCERT ('10.0'). Given the confirmed impact of administrative access and its addition to the CISA KEV, the 10.0 CVSS score is the more credible metric for assessing severity. An attacker with this level of access can manipulate network traffic, disable security policies, and use the controller as an ingress point for lateral movement across the wider network.

Affected Systems

Vendor: Cisco
Affected Versions:
  • Cisco Catalyst SD-WAN Controller
Exposure: Network management appliance, potentially internet-exposed for remote administration.
Blast Radius: High. Compromise of an SD-WAN controller grants an attacker significant control over an organization's wide area network, including traffic routing, policy enforcement, and visibility.

Intelligence Context

The primary decision driver for this vulnerability is its CONFIRMED status on the CISA KEV catalog as of 2026-05-14. This indicates active, targeted exploitation in the wild. The 'ZERO-DAY RACE' label suggests exploitation began before or concurrently with the public disclosure. While the EPSS score of 0.01561 predicts a low probability of widespread, opportunistic exploitation, the KEV listing is definitive proof that at least one threat actor has operationalized an exploit. For defenders, the KEV status overrides all other predictive metrics and mandates an immediate response. The low vendor risk score (0.04) appears misaligned with the observed threat activity and should be disregarded for prioritization purposes.

Remediation & Defense

Patch immediately. Prioritize all internet-facing instances. If patching is not immediately possible, implement access restrictions and begin threat hunting for signs of compromise.
Patch Status: Available
Patch Version: Not available in provided data. Refer to Cisco security advisory associated with AUSCERT bulletin ESB-2026.5194.
Workarounds:
  • Not available in provided data. Refer to vendor advisory.
  • Restrict access to the SD-WAN controller's management interface to a dedicated, trusted management network.
Detection Hints:
  • Monitor for unexpected or unauthorized administrative logins to the SD-WAN controller.
  • Audit logs for anomalous configuration changes, new user creation, or modifications to network routing policies.
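
The two detection hints above, combined with the management-network restriction, can be expressed as a small hunting script. This is an added example, not code from Cisco or from the original page. The JSON event schema, the action names and the `192.0.2.0/24` management range are assumptions standing in for whatever your log pipeline produces after normalizing controller audit logs.

```python
import ipaddress
import json

# Assumption: trusted management network (documentation range as a placeholder).
MGMT_NET = ipaddress.ip_network("192.0.2.0/24")
# Assumption: action names as normalized by your pipeline, not Cisco's own fields.
SENSITIVE_ACTIONS = {"user_create", "config_change", "routing_policy_change"}

# Constructed sample events (JSON lines), not real controller output.
SAMPLE_EVENTS = """\
{"ts":"2026-05-15T02:11:04Z","action":"admin_login","user":"netops","src":"192.0.2.15"}
{"ts":"2026-05-15T03:40:51Z","action":"admin_login","user":"admin","src":"203.0.113.77"}
{"ts":"2026-05-15T03:42:10Z","action":"user_create","user":"admin","src":"203.0.113.77","target":"svc-backup"}
{"ts":"2026-05-15T03:44:32Z","action":"routing_policy_change","user":"svc-backup","src":"203.0.113.77"}
{"ts":"2026-05-15T09:05:00Z","action":"config_change","user":"netops","src":"192.0.2.15"}
not-json garbage line
"""

def hunt(lines, mgmt_net=MGMT_NET):
    """Return (line_no, finding, detail) tuples for events worth reviewing."""
    findings = []
    suspect_users = set()  # accounts seen logging in from outside, or created by one
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            src = ipaddress.ip_address(ev["src"])
            action, user = ev["action"], ev["user"]
        except (ValueError, KeyError, TypeError):
            # Unparseable lines are surfaced rather than dropped: gaps or
            # corruption in an audit log are themselves worth a look.
            findings.append((n, "unparsed", line.strip()))
            continue
        outside = src not in mgmt_net
        if action == "admin_login" and outside:
            suspect_users.add(user)
            findings.append((n, "admin_login_outside_mgmt", f"{user} from {src}"))
        elif action in SENSITIVE_ACTIONS and (outside or user in suspect_users):
            if action == "user_create" and "target" in ev:
                suspect_users.add(ev["target"])  # follow accounts a suspect creates
            findings.append((n, f"suspicious_{action}", f"{user} from {src}"))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Routine changes made by known operators from inside the management network are not flagged, so the output stays focused on logins from unexpected sources and whatever those accounts did afterwards.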
