CVE-2026-20182: Critical SD-WAN Flaw Exploited in Zero-Day Attacks

May 15, 2026 08:05

Cisco Warns of Critical SD-WAN Flaw Exploited in Zero-Day Attacks

Cisco has warned that a critical Catalyst SD-WAN Controller authentication bypass flaw, tracked as CVE-2026-20182, is being exploited in zero-day attacks, allowing attackers to gain administrative privileges on compromised devices. This flaw has a maximum severity of 10.0 and impacts Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager in on-prem and SD-WAN Cloud deployments.

Vulnerability Details

The issue stems from an improperly implemented peering authentication mechanism. An attacker could exploit this vulnerability by sending crafted requests to the affected system, allowing them to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account.

Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric. Cisco Catalyst SD-WAN is a software-based networking platform that connects branch offices, data centers, and cloud environments through a centrally managed system.

Exploitation and Detection

Cisco detected threat actors exploiting the flaw in May, but did not share any details regarding how it was exploited. However, the indicators of compromise (IOCs) it shared advise admins to check for unauthorized peering events in the SD-WAN Controller logs, which could indicate attempts to register rogue devices within the SD-WAN fabric.

By adding a rogue peer, an attacker could insert a malicious device into the SD-WAN environment that appears legitimate. That device could then establish encrypted connections and advertise networks under the attacker's control, potentially allowing them to move deeper into an organization's network.

Recommendations and Mitigations

Cisco has released security updates to address the vulnerability and says there are no workarounds that fully mitigate the issue. The company also recommends restricting access to SD-WAN management and control-plane interfaces to trusted internal networks or to authorized IP addresses only, and reviewing authentication logs for suspicious login activity.

CISA has added the Cisco CVE-2026-20182 flaw to the Known Exploited Vulnerabilities Catalog, ordering federal agencies to patch affected devices by May 17, 2026. Cisco is urging organizations to review logs from any internet-exposed Catalyst SD-WAN Controller systems for events that may indicate unauthorized access or peering events.

Indicators of Compromise

Administrators should review /var/log/auth.log for entries showing "Accepted publickey for vmanage-admin" from unknown IP addresses. They should compare IP addresses in logs with the configured System IPs listed in the Cisco Catalyst SD-WAN Manager web UI, under WebUI > Devices > System IP.

If an unknown IP address successfully authenticated, administrators should consider the device to be compromised and open a Cisco TAC case. Cisco also recommends reviewing SD-WAN Controller logs for unauthorized peering activity, as attackers may attempt to register rogue devices within the SD-WAN fabric.
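The log review described above, as an added example that is not part of Cisco's advisory or the original article: it parses sshd-style "Accepted publickey" entries and flags successful vmanage-admin logins whose source address is not among the configured System IPs. The log lines and the System IP set are constructed samples, and the exact line layout on a real controller is an assumption.

```python
import re
from ipaddress import ip_address

# Pattern for the standard sshd "Accepted publickey" line, capturing user and
# source address. The real controller log layout may differ (assumption).
ACCEPT_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample of /var/log/auth.log; not taken from a real controller.
SAMPLE_AUTH_LOG = """\
May 12 03:14:22 vsmart sshd[2101]: Accepted publickey for vmanage-admin from 10.1.1.10 port 51234 ssh2: RSA SHA256:AAAA
May 12 03:15:01 vsmart sshd[2110]: Accepted publickey for admin from 10.1.1.20 port 51300 ssh2: RSA SHA256:BBBB
May 12 03:19:47 vsmart sshd[2187]: Failed publickey for vmanage-admin from 198.51.100.7 port 40022 ssh2: RSA SHA256:CCCC
May 12 03:20:03 vsmart sshd[2190]: Accepted publickey for vmanage-admin from 198.51.100.7 port 40023 ssh2: RSA SHA256:CCCC
"""

# Constructed placeholder for the System IPs listed under WebUI > Devices > System IP.
KNOWN_SYSTEM_IPS = {"10.1.1.10", "10.1.1.20"}


def find_unknown_logins(log_text, known_ips, user="vmanage-admin"):
    """Return (line_no, source_ip) for every successful publickey login as
    `user` whose source address is not a configured System IP."""
    known = {ip_address(ip) for ip in known_ips}
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = ACCEPT_RE.search(line)
        if not m or m.group("user") != user:
            continue  # failed attempts and other accounts are out of scope here
        try:
            src = ip_address(m.group("src"))
        except ValueError:
            hits.append((line_no, m.group("src")))  # unparsable source: still flag it
            continue
        if src not in known:
            hits.append((line_no, str(src)))
    return hits


if __name__ == "__main__":
    for line_no, src in find_unknown_logins(SAMPLE_AUTH_LOG, KNOWN_SYSTEM_IPS):
        print(f"auth.log line {line_no}: vmanage-admin login from unknown IP {src}; "
              "treat the device as compromised and open a TAC case")
```

Any hit is the condition the advisory describes: a successful vmanage-admin authentication from an address that is not a configured System IP.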

Cisco strongly recommends upgrading to a fixed software release, as this is the only way to fully remediate CVE-2026-20182.


Source: BleepingComputer
