The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability impacting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by May 17, 2026.
The vulnerability is a critical authentication bypass tracked as CVE-2026-20182. It's rated 10.0 on the CVSS scoring system, indicating maximum severity.
"Cisco Catalyst SD-WAN Controller and Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system," CISA said.
In a separate advisory, Cisco attributed the active exploitation of CVE-2026-20182 with high confidence to UAT-8616, the same cluster behind the weaponization of CVE-2026-20127 to gain unauthorized access to SD-WAN systems.
"UAT-8616 performed similar post-compromise actions after successfully exploiting CVE-2026-20182, as was observed in the exploitation of CVE-2026-20127 by the same threat actor," Cisco Talos said. "UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges."












