Executive Summary
A critical authentication bypass vulnerability (CVE-2026-20182) has been identified in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. The flaw allows an unauthenticated, remote attacker to completely bypass authentication mechanisms and obtain full administrative privileges on affected systems. CISA added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on May 14, 2026, indicating active exploitation in the wild.
Organizations relying on Cisco Catalyst SD-WAN for enterprise-wide networking infrastructure should treat this as a critical emergency and apply vendor patches or mitigations immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-20182 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Affected Products | Cisco Catalyst SD-WAN Controller, Cisco Catalyst SD-WAN Manager |
| CISA KEV Status | Added 2026-05-14 |
| Patch Available | Yes — see Cisco advisory |
Affected Products
| Product | Affected Versions |
|---|---|
| Cisco Catalyst SD-WAN Controller | See Cisco advisory for specific version ranges |
| Cisco Catalyst SD-WAN Manager | See Cisco advisory for specific version ranges |
Administrators should consult the official Cisco Security Advisory for the complete list of affected software versions and fixed releases.
Technical Analysis
Root Cause
The vulnerability exists in the authentication subsystem of Cisco Catalyst SD-WAN Controller and Manager. An attacker can send specially crafted HTTP requests to bypass authentication checks, allowing them to interact with privileged API endpoints or administrative interfaces without valid credentials.
Authentication bypass vulnerabilities of this class typically arise from:
- Missing or incorrect authentication enforcement on specific API routes or endpoints
- Logical flaws in session validation that allow forged or manipulated requests to pass authentication checks
- Improper trust assumptions about incoming requests from specific network paths
Attack Flow
1. Attacker identifies a network-accessible Cisco Catalyst SD-WAN Controller or Manager
2. Attacker sends a crafted HTTP/HTTPS request that bypasses authentication logic
3. The system incorrectly grants the attacker administrative-level access
4. Attacker can now modify SD-WAN policies, configurations, and routing infrastructure
5. Full network visibility and control over enterprise WAN fabric is achieved
Why This Is Especially Dangerous
Cisco Catalyst SD-WAN is deployed as the central controller and policy orchestrator for enterprise wide-area networks. A compromise of the SD-WAN Controller or Manager gives an attacker:
- Full visibility into all WAN traffic flows and routing decisions
- Ability to redirect or intercept traffic across the enterprise network fabric
- Capability to modify security policies that govern remote branch connectivity
- Access to management credentials and API tokens stored in the platform
- Persistent foothold in the network control plane, making detection difficult
Impact Assessment
| Impact Area | Description |
|---|---|
| Full Administrative Takeover | Unauthenticated attacker gains admin-level control |
| Network-Wide Traffic Manipulation | WAN routing policies can be altered to redirect or intercept traffic |
| Configuration Exfiltration | SD-WAN topology, credentials, and keys can be extracted |
| Persistent Access | Attacker can create backdoor admin accounts or API tokens |
| Lateral Movement | Control plane access enables pivoting to connected branches and data centers |
| Service Disruption | Malicious configuration changes can take down critical WAN links |
| Espionage Risk | Nation-state actors can leverage full WAN visibility for intelligence collection |
Immediate Remediation
Step 1: Apply Cisco's Official Patch
Check Cisco's Security Advisory portal for the fixed software version for your specific product and version. Apply the patch immediately following your change management process.
# Verify current software version on Cisco SD-WAN Manager
show version
# Check for available upgrades via Cisco vManage UI:
# Administration > Software Repository > Available Versions
Step 2: Restrict Management Plane Access
If immediate patching is not possible, restrict access to the SD-WAN Controller and Manager management interfaces:
# Cisco SD-WAN vManage ACL — restrict management access to trusted source IPs only
# Apply via vManage > Administration > Manage Users > Access Control
# Example: Allow only specific management network ranges
# Block all other sources from reaching the management UI and API
Step 3: Enable Enhanced Logging and Alerting
# Enable audit logging on vManage (Administration > Audit Log)
# Configure SIEM alerts for:
# - Unexpected admin account creation
# - Unusual API calls to privileged endpoints
# - Configuration changes during off-hours
# - Login events from unexpected source IPs
Step 4: Review for Indicators of Compromise
# Review vManage audit logs for unauthorized access
# Administration > Audit Log > Filter by date range since patch window
# Check for unauthorized admin accounts:
# Administration > Manage Users > Users
# Review recent configuration changes:
# Configuration > Network > Change Log
# Check for unexpected API token creation:
# Administration > API Token Management
Detection Indicators
| Indicator | Description |
|---|---|
| Authentication bypass request patterns in web server logs | Malformed or unusual requests to auth endpoints |
| Unexpected admin account creation | Attacker establishing persistent access |
| Configuration changes from unknown IP addresses | Unauthorized WAN policy modifications |
| New API tokens with elevated privileges | Backdoor access via token-based authentication |
| Unusual SD-WAN policy modifications | Traffic redirection or VPN tunnel manipulation |
| Access to privileged API endpoints without prior login | Direct authentication bypass exploitation |
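Detection logic for the alert classes named in Step 3 and in the table above (privileged API access without a prior login, changes from untrusted source IPs, changes outside business hours), as an added example that is not from the original advisory or from Cisco. It runs over constructed log lines in a hypothetical layout; the endpoint paths, the trusted management IPs and the business-hours window are assumptions to replace with your environment's values.

```python
import re
from datetime import datetime

# Constructed sample access-log lines in a hypothetical layout
# (timestamp src_ip method path status user); not real vManage output.
SAMPLE_LOG = """\
2026-05-15T02:14:07Z 198.51.100.7 POST /hypothetical/login 200 -
2026-05-15T02:14:09Z 198.51.100.7 GET /hypothetical/admin/users 200 admin
2026-05-15T03:41:52Z 203.0.113.9 POST /hypothetical/admin/users 200 admin
2026-05-15T03:41:55Z 203.0.113.9 POST /hypothetical/admin/tokens 200 admin
2026-05-15T10:02:11Z 198.51.100.7 PUT /hypothetical/config/policy 200 admin
2026-05-15T22:30:00Z 198.51.100.7 PUT /hypothetical/config/policy 200 admin
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
LOGIN_PATH = "/hypothetical/login"          # assumed login endpoint
PRIVILEGED_PREFIX = "/hypothetical/admin/"  # assumed user/token admin routes
TRUSTED_MGMT_IPS = {"198.51.100.7"}          # assumed management hosts
BUSINESS_HOURS = range(7, 19)                # assumed 07:00-18:59 UTC window
STATE_CHANGING = {"POST", "PUT", "DELETE"}

def parse(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, user = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "ip": ip,
            "method": method, "path": path, "status": int(status), "user": user}

def detect(log_text):
    """Return (reason, line) findings for the advisory's alert classes."""
    findings = []
    logged_in = set()  # source IPs with a successful login earlier in the log
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["path"] == LOGIN_PATH and rec["status"] == 200:
            logged_in.add(rec["ip"])
            continue
        changed = rec["method"] in STATE_CHANGING and rec["status"] == 200
        if rec["path"].startswith(PRIVILEGED_PREFIX) and rec["ip"] not in logged_in:
            findings.append(("privileged endpoint hit without prior login", line))
        if changed and rec["ip"] not in TRUSTED_MGMT_IPS:
            findings.append(("change from untrusted source IP", line))
        if changed and rec["ts"].hour not in BUSINESS_HOURS:
            findings.append(("change outside business hours", line))
    return findings
```

Running detect(SAMPLE_LOG) yields seven findings: the two requests from 203.0.113.9 trip all three rules, and the 22:30 policy change from the trusted host trips only the off-hours rule.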
Post-Remediation Checklist
- Apply Cisco's official patch to all affected SD-WAN Controller and Manager instances
- Audit all administrator accounts — remove any accounts not recognized by your team
- Rotate all API tokens and credentials stored in the SD-WAN platform
- Review SD-WAN configuration changes from the past 30+ days for unauthorized modifications
- Restrict management interface access to known management IP ranges via ACLs
- Enable enhanced audit logging if not already active
- Notify security operations and treat affected systems as potentially compromised until verified
- Review network traffic flows for unexpected routing changes or data exfiltration patterns
- Test and validate WAN configurations are intact after remediation
- Report exploitation to CISA if evidence of active exploitation is found in your environment
CISA KEV Context
CISA's addition of CVE-2026-20182 to the Known Exploited Vulnerabilities catalog on May 14, 2026 means federal agencies are required to remediate this vulnerability within CISA's mandated timeframe. Private sector organizations should treat CISA KEV listings as urgent signals of active, real-world exploitation and prioritize patching accordingly.