Patch Time for Cisco SD-WAN Admins as Vendor Drops yet Another Make-Me-Admin Zero-Day
Cisco says the flaw has a severity score of 10 and is being exploited to gain administrative access and register rogue peers.
- On Thursday, Cisco released security updates for CVE-2026-20182, a critical authentication bypass vulnerability with a severity score of 10. The Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to patch by May 17, 2026.
- Researchers at Rapid7 discovered this vulnerability while investigating CVE-2026-20127, a flaw previously exploited by threat actor UAT-8616. The new vulnerability affects the vdaemon service over DTLS, the same component that contained the earlier security issue.
- "This vulnerability exists because the peering authentication mechanism in an affected system is not working properly," Cisco said. Attackers can access the Cisco Catalyst SD-WAN Controller as a high-privileged user and use NETCONF to manipulate network configuration.
- Administrators must upgrade to a fixed software release, as no workarounds fully mitigate the flaw. Organizations should review logs for entries showing "Accepted publickey for vmanage-admin" from unknown IP addresses to identify potential compromise.
- Attackers may attempt to register rogue devices within the SD-WAN fabric to establish encrypted connections and move deeper into networks. These malicious peers could advertise networks under attacker control, necessitating careful monitoring of all unauthorized peering events.
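The log review described above can be scripted. This is an added example, not code from Cisco or the cited articles; it assumes the log uses the standard OpenSSH "Accepted publickey" line format, and `KNOWN_PEERS` and the sample lines are constructed placeholders.

```python
import ipaddress
import re

# Standard OpenSSH success line (assumed format of the controller's auth log).
ACCEPT_RE = re.compile(
    r"Accepted publickey for vmanage-admin from (?P<ip>\S+) port (?P<port>\d+)"
)

# Hypothetical inventory of legitimate Manager/Controller addresses (assumption).
KNOWN_PEERS = ["192.0.2.0/28"]

# Constructed sample log lines using documentation address ranges.
SAMPLE_LOG = """\
May 14 02:11:09 vsmart1 sshd[4121]: Accepted publickey for vmanage-admin from 192.0.2.10 port 40122 ssh2: RSA SHA256:CONSTRUCTED
May 14 02:13:44 vsmart1 sshd[4188]: Failed password for admin from 198.51.100.23 port 51514 ssh2
May 14 02:15:02 vsmart1 sshd[4203]: Accepted publickey for vmanage-admin from 203.0.113.77 port 33810 ssh2: RSA SHA256:CONSTRUCTED
May 14 02:16:30 vsmart1 sshd[4210]: Accepted publickey for admin from 203.0.113.77 port 33990 ssh2: RSA SHA256:CONSTRUCTED
"""


def find_unknown_logins(lines, known_peers):
    """Return (line_no, ip, line) for vmanage-admin key logins from outside known_peers."""
    nets = [ipaddress.ip_network(p, strict=False) for p in known_peers]
    hits = []
    for no, line in enumerate(lines, 1):
        m = ACCEPT_RE.search(line)
        if not m:
            continue  # other users and failed logins are out of scope for this check
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            # Source is not a parseable address: report it rather than skip it.
            hits.append((no, m.group("ip"), line.rstrip()))
            continue
        if not any(ip in net for net in nets):
            hits.append((no, str(ip), line.rstrip()))
    return hits


if __name__ == "__main__":
    for no, ip, line in find_unknown_logins(SAMPLE_LOG.splitlines(), KNOWN_PEERS):
        print(f"line {no}: vmanage-admin login from unknown address {ip}\n    {line}")
```

Every hit needs to be checked against the real list of fabric peers before it is treated as a compromise indicator.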
17 Articles
Patch time for Cisco SD-WAN admins as vendor drops yet another make-me-admin zero-day
Cisco admins face emergency patch duty after Switchzilla disclosed a max-severity make-me-admin bug affecting Catalyst SD-WAN Controller and Manager. Switchzilla dropped an advisory for CVE-2026-20182 (10.0) on Thursday, saying that both components, formerly known as vSmart and vManage, were vulnerable in all deployment types, and that fixes were available. The bug allows unauthenticated remote attackers to bypass authentication and gain admin p…
Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks
Cisco is warning that a critical Catalyst SD-WAN Controller authentication bypass flaw, tracked as CVE-2026-20182, was actively exploited in zero-day attacks that allowed attackers to gain administrative privileges on compromised devices. [...]
Cisco patches another actively exploited SD-WAN zero-day (CVE-2026-20182)
Cisco has patched yet another Catalyst SD-WAN Controller authentication bypass vulnerability (CVE-2026-20182) that has been exploited as a zero-day by “a highly sophisticated cyber threat actor”. About CVE-2026-20182 CVE-2026-20182 – affecting both Cisco Catalyst SD-WAN Controller (the “brain” of the Cisco Catalyst SD-WAN solution) and Cisco Catalyst SD-WAN Manager (the management plane for the entire SD-WAN fabric) – stems from a flawed peering…
Multiple vulnerabilities have been discovered in Cisco products. They allow an attacker to escalate privileges, breach data confidentiality and bypass security policy. Cisco indicates that the vulnerability CVE-2026-20182 is... See online: https://www.cert.ssi.gouv.fr/avis/C...
Cisco has just released a fix for CVE-2026-20182, a flaw rated 10 out of 10 in Catalyst SD-WAN Controller and Manager. An unauthenticated remote attacker can obtain an internal administrator account on the controllers. CISA lists the flaw in its KEV catalog and requires federal agencies to patch within three days.
Coverage Details
Bias Distribution
- 100% of the sources are Center








