LiveActive security incident?Get immediate response
CVE Record

CVE-2026-20182: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks.  A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

CriticalCVSS 10Known exploitedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

CVE-2026-20182 is a critical Cisco Catalyst SD-WAN authentication bypass. A remote attacker could access an affected controller as a high-privileged internal user and change SD-WAN fabric configuration. Because CISA lists it in KEV, organizations should treat it as actively exploited and urgent.

Executive priority

Immediate action is warranted. This vulnerability can undermine SD-WAN control-plane trust and allow high-impact network configuration changes. KEV status means remediation should be tracked as an emergency operational risk, not a routine patch.

Technical view

The flaw is CWE-287 improper authentication in SD-WAN peering/control connection handshaking. It affects Cisco Catalyst SD-WAN Controller, Manager, and Validator per the advisory text. CVSS is 10.0. Successful exploitation can provide access to NETCONF and enable manipulation of SD-WAN network configuration.

Likely exposure

Exposure is highest where Cisco Catalyst SD-WAN control-plane components are reachable by untrusted networks or peers. The provided affected-version list is broad for Controller and Manager. Validate exact exposure against Cisco’s advisory and deployed software inventory.

Exploitation context

CISA KEV inclusion supports known active exploitation. The provided sources do not include exploit mechanics, public proof-of-concept details, or observed campaign specifics. Treat suspicious control connections or unexpected configuration changes as high priority.

Researcher notes

The source bundle names affected Controller and Manager versions and describes Validator exposure, but does not provide fixed-version details inline. Avoid assuming unaffected status from product naming changes; Cisco former names include vSmart, vManage, and vBond.

Mitigation direction

  • Review the Cisco advisory for the fixed software release applicable to each deployed component.
  • Upgrade affected Cisco Catalyst SD-WAN components using Cisco’s published fix guidance.
  • Prioritize controllers, managers, and validators that are externally reachable or central to production SD-WAN.
  • If immediate upgrade is impossible, follow Cisco’s advisory for any supported interim guidance.

Validation and detection

  • Inventory Cisco Catalyst SD-WAN Controller, Manager, and Validator instances and versions.
  • Compare installed versions with Cisco’s affected and fixed release guidance.
  • Use Cisco’s Show Control Connections guidance for system checks.
  • Review Cisco’s Indicators of Compromise section for suspicious control-plane activity.
  • Confirm whether the asset falls under CISA KEV remediation requirements.
Prepared
Confidence
high
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-287: Credential and account abuse lookup

Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Credential and access behavior lookup

The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-20182 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
10 (3.1)
Known Exploited
Yes
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
5Timeline events
1ADP providers
4Source links

CISA KEV status

Status
Known exploited
Source
CISA-ADP
Date added
KEV reference

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: activeAutomatable: yesTechnical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
10CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H3.96cisco

Vulnerability scoring details

Base CVSS 3.1 score

10Critical
CVSS 3.1 vector shape for CVE-2026-20182Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. Added to KEVCISA-ADP

    CISA Known Exploited Vulnerabilities metadata lists this CVE as known exploited.

  3. ADP timelineCISA-ADP

    CVE-2026-20182 added to CISA KEV

  4. CVE publishedCVE Program

    The CVE record was published.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvcother:kev
  • 2026-05-14T00:00:00.000Z: CVE-2026-20182 added to CISA KEV
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
CiscoCisco Catalyst SD-WAN Controller20.6.4, 20.9.2, 20.3.6, 20.7.2, 20.7.1, 20.5.1, 20.6.2, 19.3.0, 20.6.1, 17.2.4, 18.2.0, 18.4.6, 19.1.0, 19.2.4, 19.2.929, 18.3.8, 18.4.303, 18.3.7, 18.4.1, 19.2.097, 19.2.0, 19.2.099, 18.3.6, 20.4.2, 19.0.0, 20.9.1, 20.3.5, 20.3.1, 18.3.5, 20.6.3, 18.4.3, 18.4.4, 18.3.3, 17.2.8, 20.8.1, 19.2.32, 19.2.2, 17.2.5, 18.4.0, 20.4.1.1, 20.1.3, 20.1.2, 17.2.10, 19.2.098, 20.1.1, 17.2.6, 19.2.1, 18.3.4, 20.4.1, 17.2.9, 19.2.31, 19.0.1a, 18.3.0, 17.2.7, 18.4.5, 20.3.4, 20.3.3, 20.4.1.2, 20.3.2, 18.3.1, 20.1.12, 19.2.3, 20.10.1, 20.6.5, 20.3.7, 20.9.3, 20.11.1, 20.6.3.2, 20.4.2.3, 20.3.5.1, 20.3.4.3, 20.9.3.1, 20.6.4.1, 20.3.3.2, 20.6.5.2, 20.3.7.1, 20.11.1.1, 20.10.1.1, 20.6.1.2, 20.1.3.1, 20.9.2.2, 20.6.5.3, 20.6.3.3, 20.3.7.2, 20.6.5.4, 20.9.2.3, 20.9.4, 20.12.1, 20.3.8, 20.6.6, 20.12.2, 20.13.1, 20.9.5, 20.12.3, 20.6.7, 20.9.5.1, 20.14.1, 20.12.3.1, 20.12.4, 20.15.1, 20.9.6, 20.6.8, 20.16.1, 20.9.5.3, 20.12.4.1, 20.15.2, 20.12.5, 20.9.7, 20.15.3, 20.12.5.1, 20.12.5.2, 20.15.4, 20.9.7.1, 20.12.6, 20.9.8, 20.15.4.1, 20.15.4.2, 20.12.5.3, 20.12.6.1, 20.9.8.2, 20.15.5, 20.12.7, 20.9.9, 20.15.5.1, 20.15.4.3, 20.15.4.5, 20.15.5.3, 20.12.7.2, 20.9.9.2unknown
CiscoCisco Catalyst SD-WAN Manager20.1.12, 19.2.1, 18.4.4, 18.4.5, 20.1.1.1, 20.1.1, 19.2.099, 18.3.6, 18.3.7, 19.2.0, 19.1.0, 18.4.303, 19.2.098, 18.3.6.1, 18.2.0, 17.2.8, 18.3.3.1, 18.4.0, 18.3.1, 17.2.6, 17.2.9, 17.2.5, 18.4.0.1, 18.3.3, 18.3.0, 19.2.3, 18.4.501_ES, 20.1.2, 19.2.929, 19.2.31, 20.3.2, 19.2.4, 19.2.4.0.9, 20.1.3.1unknown
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-287 · source CWE mapping

Improper Authentication

Improper Authentication represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.