Cisco warns of an actively exploited SD-WAN flaw with max severity

Published 2026-05-15

Cisco has disclosed a max-severity authentication bypass vulnerability affecting its Catalyst SD-WAN Controller and Catalyst SD-WAN Manager platforms, warning that the flaw has already been found to be exploited in the wild.

The disclosure follows an earlier authentication bypass vulnerability (https://www.csoonline.com/article/4137562/five-eyes-issue-emergency-directive-on-exploited-cisco-sd-wan-zero-day.html) that Cisco patched in February. In the latest advisory, the company said the new flaw was identified while investigating the previously disclosed issue.

“A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system,” Cisco said in an advisory (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW#vp).

The company also confirmed that it became aware of “limited exploitation” of the flaw in May 2026. However, it did not disclose details about the attack or the threat actors involved.

The zero-day flaw (https://www.csoonline.com/article/4155155/the-zero-day-timeline-just-collapsed-heres-what-security-leaders-do-next.html) is now fixed with software updates, and organizations are advised to apply the fixes immediately, as there are no workarounds that address this bug.

Attackers craft a connection for admin access

According to Cisco, the vulnerability stems from improper validation during the authentication process used to establish control connections between SD-WAN devices. It said an attacker could exploit the issue remotely by sending crafted control connection requests to a targeted system.

Successful exploitation would allow the attacker to bypass authentication, establish themselves as a trusted peer, and obtain administrative privileges on the affected device.

“A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account,” Cisco said. “Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”

The issue, tracked as CVE-2026-20182 (https://www.cve.org/CVERecord?id=CVE-2026-20182), received a max-severity rating of CVSS 10.0. The company said that the issue is configuration-independent, meaning vulnerable systems remain exposed regardless of deployment-specific settings.

Cisco credited Stephen Fewer, Senior Principal Security Researcher, and Jonah Burgess, Senior Security Researcher, both of Rapid7, for discovering and reporting the bug.

Active exploitation kicks patching into high gear

Cisco disclosed being aware of exploitation attempts in May, urging customers to upgrade to a fixed release immediately.

Shortly after the disclosure, the flaw was added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog). “Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available,” the agency said.

The US cybersecurity watchdog has given federal executive agencies until May 17th to patch the flaw.

“Customers are advised to upgrade to an appropriate fixed software release,” Fewer and Burgess said in a blog post (https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/), citing fixed software releases that address the flaw in versions 20.9 through 26.1.1. “There are no workarounds that address this vulnerability.”

Alongside the software fixes, Cisco published operational guidance to help organizations identify potentially malicious control connections.

The advisory instructed admins to review existing control peering relationships using the “show control connections” command and to validate all connected peers, particularly those associated with SD-WAN Manager systems.

Organizations that suspect compromise are advised to contact the Cisco Technical Assistance Center and collect diagnostic information from affected devices.