Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks

Cisco is warning that a critical Catalyst SD-WAN Controller authentication bypass flaw, tracked as CVE-2026-20182, was actively exploited in zero-day attacks that allowed attackers to gain administrative privileges on compromised devices.

CVE-2026-20182 has a maximum severity of 10.0 and impacts Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager in on-prem and SD-WAN Cloud deployments.

In an advisory published today, Cisco said the issue stems from a peering authentication mechanism that "is not working properly."

"This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system," reads the Cisco CVE-2026-20182 advisory.

"A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric."

Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks

Other newsrooms on this story

Related reading

Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin…

Other newsrooms on this story

Related reading

Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin…

CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits

Emergency Cisco Critical 0Day Update—Attackers Downgrade Security

Patch time for Cisco SD-WAN admins as vendor drops yet another make-me-admin…

Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution

Windows shell spoofing vulnerability puts sensitive data at risk