May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks.
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
Security readout for executives and security teams
Plain-English summary
CVE-2026-20182 is a critical Cisco Catalyst SD-WAN authentication bypass. A remote attacker could access an affected controller as a high-privileged internal user and change SD-WAN fabric configuration. Because CISA lists it in KEV, organizations should treat it as actively exploited and urgent.
Executive priority
Immediate action is warranted. This vulnerability can undermine SD-WAN control-plane trust and allow high-impact network configuration changes. KEV status means remediation should be tracked as an emergency operational risk, not a routine patch.
Technical view
The flaw is CWE-287 improper authentication in SD-WAN peering/control connection handshaking. It affects Cisco Catalyst SD-WAN Controller, Manager, and Validator per the advisory text. CVSS is 10.0. Successful exploitation can provide access to NETCONF and enable manipulation of SD-WAN network configuration.
Likely exposure
Exposure is highest where Cisco Catalyst SD-WAN control-plane components are reachable by untrusted networks or peers. The provided affected-version list is broad for Controller and Manager. Validate exact exposure against Cisco’s advisory and deployed software inventory.
Exploitation context
CISA KEV inclusion supports known active exploitation. The provided sources do not include exploit mechanics, public proof-of-concept details, or observed campaign specifics. Treat suspicious control connections or unexpected configuration changes as high priority.
Researcher notes
The source bundle names affected Controller and Manager versions and describes Validator exposure, but does not provide fixed-version details inline. Avoid assuming unaffected status from product naming changes; Cisco former names include vSmart, vManage, and vBond.
Mitigation direction
Review the Cisco advisory for the fixed software release applicable to each deployed component.
Upgrade affected Cisco Catalyst SD-WAN components using Cisco’s published fix guidance.
Prioritize controllers, managers, and validators that are externally reachable or central to production SD-WAN.
If immediate upgrade is impossible, follow Cisco’s advisory for any supported interim guidance.
Validation and detection
Inventory Cisco Catalyst SD-WAN Controller, Manager, and Validator instances and versions.
Compare installed versions with Cisco’s affected and fixed release guidance.
Use Cisco’s Show Control Connections guidance for system checks.
Review Cisco’s Indicators of Compromise section for suspicious control-plane activity.
Confirm whether the asset falls under CISA KEV remediation requirements.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-287: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
Exploitation: activeAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-287 · source CWE mapping
Improper Authentication
Improper Authentication represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.