CISA adds Cisco SD-WAN authentication bypass to KEV catalog

Critical vulnerability CVE-2026-20182 in Cisco Catalyst SD-WAN Controller allows admin access, must be patched by May 17

  • CISA added CVE-2026-20182, a critical authentication bypass in Cisco SD-WAN controllers, to its KEV catalog
  • The vulnerability allows attackers to gain administrative access to affected systems
  • Federal agencies have until May 17, 2026 to remediate the flaw

The US Cybersecurity and Infrastructure Security Agency has added a critical Cisco vulnerability to its Known Exploited Vulnerabilities catalog, giving federal agencies just two days to implement fixes.

CVE-2026-20182 is an authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller systems. CISA classified the flaw as critical and mandated Federal Civilian Executive Branch agencies patch affected systems by May 17, 2026.

The vulnerability allows attackers to bypass authentication mechanisms and gain administrative access to SD-WAN controllers. This level of access could enable attackers to reconfigure network policies, monitor traffic, or pivot to connected network segments.

Cisco SD-WAN controllers manage software-defined wide area network infrastructure, making them high-value targets for threat actors seeking to compromise enterprise networks. The controllers typically have visibility and control over multiple network locations and traffic flows.

CISA’s inclusion of the vulnerability in the KEV catalog indicates the agency has evidence of active exploitation in the wild. The catalog tracks vulnerabilities that pose significant risks to federal networks and critical infrastructure.

The tight remediation timeline reflects the severity of the vulnerability and the potential for widespread exploitation. Federal agencies must now prioritise patching affected Cisco SD-WAN systems within the mandated timeframe.

Why It Matters

SD-WAN controllers represent critical network infrastructure with broad visibility across enterprise environments. A successful exploit could give attackers administrative control over network routing, traffic inspection capabilities, and potential access to connected sites. CISA’s KEV listing indicates active exploitation, meaning this is not a theoretical risk but an immediate operational concern requiring urgent board-level attention and resource allocation.

What To Do Now

  • Identify all Cisco Catalyst SD-WAN Controller deployments in your environment immediately
  • Apply available security patches from Cisco for CVE-2026-20182 before May 17, 2026
  • Monitor CISA’s KEV catalog for additional details and remediation guidance
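The inventory and KEV-monitoring steps above can be scripted. The following is an added example, not part of the original article: it matches KEV records against an asset list and reports unpatched hosts with the days remaining before the due date. It assumes the KEV JSON feed's `vulnerabilities` records with `cveID`, `vendorProject`, `product` and `dueDate` fields; the sample feed, the inventory layout and the hostnames are constructed for illustration.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The CVE ID, vendor,
# product and due date of the first record come from the article; the second
# record is a placeholder.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-20182", "vendorProject": "Cisco",
   "product": "Catalyst SD-WAN Controller", "dueDate": "2026-05-17"},
  {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
   "product": "ExampleProduct", "dueDate": "2026-06-01"}
]}
""")

# Hypothetical asset inventory: hostnames and field names are assumptions.
INVENTORY = [
    {"host": "sdwan-ctl-01.example.net", "vendor": "cisco",
     "product": "catalyst  sd-wan controller", "patched": []},
    {"host": "sdwan-ctl-02.example.net", "vendor": "Cisco",
     "product": "Catalyst SD-WAN Controller", "patched": ["CVE-2026-20182"]},
    {"host": "fw-edge-01.example.net", "vendor": "OtherVendor",
     "product": "Firewall", "patched": []},
]

def _norm(text):
    """Case- and whitespace-insensitive key for vendor/product matching."""
    return " ".join(text.lower().split())

def kev_exposure(kev, inventory, today):
    """Return unpatched KEV findings for inventory assets, most urgent first."""
    findings = []
    for vuln in kev.get("vulnerabilities", []):
        key = (_norm(vuln["vendorProject"]), _norm(vuln["product"]))
        days_left = (date.fromisoformat(vuln["dueDate"]) - today).days
        for asset in inventory:
            if (_norm(asset["vendor"]), _norm(asset["product"])) != key:
                continue
            if vuln["cveID"] in asset["patched"]:
                continue  # remediation already recorded for this host
            findings.append({"host": asset["host"], "cve": vuln["cveID"],
                             "due": vuln["dueDate"], "days_left": days_left,
                             "overdue": days_left < 0})
    return sorted(findings, key=lambda f: f["days_left"])

if __name__ == "__main__":
    # 2026-05-15 is two days before the deadline stated in the article.
    for finding in kev_exposure(KEV_SAMPLE, INVENTORY, date(2026, 5, 15)):
        print(finding)
```

Exact vendor and product string matching will miss assets recorded under a different product name, so an empty result should be cross-checked against the inventory by hand.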
