Cisco has announced a critical authentication bypass vulnerability in its Catalyst SD-WAN Controller, which has been actively exploited in limited attacks. This flaw, designated as CVE-2026-20182, has been assigned a maximum CVSS score of 10.0.
The vulnerability arises from a failure in the peering authentication mechanism within the Catalyst SD-WAN Controller, previously known as SD-WAN vSmart, and the Catalyst SD-WAN Manager, formerly SD-WAN vManage. Cisco has indicated that this issue could allow an unauthenticated remote attacker to bypass authentication and gain administrative access to affected systems.
Details of the Vulnerability
According to Cisco, an attacker could exploit this vulnerability by sending specially crafted requests to the system. If successful, the attacker could log in as a high-privileged, non-root user, enabling them to access NETCONF and manipulate network configurations for the SD-WAN fabric.
Affected Deployments
The vulnerability impacts several deployment types, including:
- On-Prem Deployment
- Cisco SD-WAN Cloud-Pro
- Cisco SD-WAN Cloud (Cisco Managed)
- Cisco SD-WAN for Government (FedRAMP)
Related Vulnerabilities
Rapid7, which discovered CVE-2026-20182, noted that it shares similarities with another critical authentication bypass vulnerability, CVE-2026-20127, which also affects the same components and has been exploited by a threat actor since at least 2023. However, the new vulnerability is not a patch bypass of the previous one; it is a distinct issue within the same service.
Recommendations and Mitigations
Cisco has reported that it became aware of limited exploitation of this vulnerability in May 2026. The company urges customers to apply the latest updates promptly. Systems that are accessible over the internet and have exposed ports are at a heightened risk of compromise.
Customers are advised to audit their /var/log/auth.log files for any entries related to accepted public keys for the vmanage-admin account from unknown or unauthorized IP addresses. Additionally, they should monitor for suspicious peering events in their logs, particularly those involving unauthorized peer connections from unrecognized IP addresses.
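The auth.log check described above, as an added example that is not part of the original article or any Cisco tooling: it scans sshd "Accepted publickey" entries for the vmanage-admin account and flags those from addresses outside a known-peer allowlist. The log lines, the 10.10.1.0/24 allowlist and the key fingerprints are constructed for the example; the line layout assumed is the standard OpenSSH sshd format.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines in standard OpenSSH sshd format. The addresses are
# private/documentation ranges and the fingerprints are placeholders, not
# indicators from the advisory.
SAMPLE_AUTH_LOG = """\
May 12 03:14:07 vmanage sshd[2201]: Accepted publickey for vmanage-admin from 10.10.1.5 port 50212 ssh2: RSA SHA256:constructedfingerprint1
May 12 03:15:22 vmanage sshd[2210]: Accepted publickey for vmanage-admin from 198.51.100.77 port 41190 ssh2: RSA SHA256:constructedfingerprint2
May 12 03:16:01 vmanage sshd[2215]: Accepted password for netops from 10.10.1.9 port 50300 ssh2
May 12 03:17:45 vmanage sshd[2220]: Failed publickey for vmanage-admin from 203.0.113.9 port 33001 ssh2: RSA SHA256:constructedfingerprint3
"""

# Hypothetical allowlist of fabric peers that legitimately authenticate as
# vmanage-admin; replace with the controller/manager addresses of your own fabric.
KNOWN_PEERS = [ipaddress.ip_network("10.10.1.0/24")]

# Matches only successful public-key logins; failed attempts and password logins
# are deliberately excluded, as the advisory's guidance is about accepted keys.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def is_known_peer(ip: str) -> bool:
    """True if the source address falls inside any allowlisted peer network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_PEERS)


def find_suspicious_logins(log_text: str, account: str = "vmanage-admin") -> List[Dict[str, str]]:
    """Return accepted-publickey logins for `account` from non-allowlisted addresses."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m or m.group("user") != account:
            continue
        if not is_known_peer(m.group("ip")):
            hits.append({"timestamp": m.group("ts"), "ip": m.group("ip"), "line": line})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_AUTH_LOG):
        print(f"REVIEW: {hit['timestamp']} {hit['ip']} accepted publickey as vmanage-admin")
```

To run it against a real controller, read /var/log/auth.log into `log_text` and populate KNOWN_PEERS from your fabric's documented peer addresses before treating any hit as benign.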
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.