External risk intelligence

Attackers can gain admin control of Cisco SD-WAN systems

CVE advisoryKnown Exploit

CVE-2026-20182

An unauthenticated attacker can bypass security controls on Cisco Catalyst SD-WAN systems to gain administrative privileges and alter network configurations. This advisory warrants immediate attention due to potential for broad network control compromise.

3Halo Surface Signal

Authentication Bypass

Cisco Catalyst Sd Wan Manager

before 20.9.9.120.10 to before 20.12.5.420.12.6 to before 20.12.6.220.13 to before 20.15.4.420.15.5 to before 20.15.5.220.16 to before 20.18.2.226.1 to before 26.1.1.120.12.7

External exposure likelihood

Halo Surface Signal score for CVE-2026-20182

The affected components function as centralized management infrastructure for SD-WAN fabrics. While they require network reachability to manage remote devices, they are typically deployed within internal data centers or protected VPCs with restricted access. Although some deployments may be internet-accessible, they are not designed as public-facing services like web gateways.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in Cisco Catalyst SD-WAN products allows an unauthenticated remote attacker to bypass authentication and gain administrative control. This means an attacker could potentially take over your network management system without needing any credentials, leading to significant disruption.

Control over network configuration is at risk.
An attacker could compromise the entire SD-WAN fabric.
This issue requires immediate attention due to its severity.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by sending crafted requests to the Cisco Catalyst SD-WAN Controller or Manager to bypass authentication. This would grant them administrative privileges, allowing them to access NETCONF and manipulate the SD-WAN fabric configuration remotely.

Requires network access to the device.
Exploits the peering authentication mechanism.
Bypasses login to gain high privileges.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation by threat actors. Given its critical severity and the ability to bypass authentication for administrative control and network manipulation, attackers are highly motivated to weaponize it. The rapid inclusion in KEV suggests a current and significant threat.

Listed on CISA KEV.
Allows administrative privilege escalation.
Remote, unauthenticated exploitation.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching or updating Cisco Catalyst SD-WAN Controller and Manager systems immediately due to active exploitation and critical severity. If patching is delayed, isolate affected devices from the network and monitor for suspicious activity related to unauthorized configuration changes. Review logs for any signs of successful authentication bypass or NETCONF access.

Apply Cisco security updates.
Isolate vulnerable systems.
Monitor for unauthorized access.

Frequently asked questions

What is CVE-2026-20182 and which Cisco products are affected?

CVE-2026-20182 is a critical vulnerability affecting Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). It allows an unauthenticated, remote attacker to bypass authentication and gain administrative privileges.

How can an attacker exploit CVE-2026-20182?

An attacker can exploit this vulnerability by sending specially crafted requests to the affected Cisco systems. This exploits a flaw in the peering authentication mechanism, allowing the attacker to bypass the normal login process and obtain administrative control.

What are the potential consequences of this vulnerability being exploited?

Successful exploitation allows an attacker to gain administrative privileges on an affected system. This could lead to unauthorized access to NETCONF, enabling them to manipulate the configuration of the entire SD-WAN fabric, potentially causing significant network disruption.

Why is CVE-2026-20182 considered a high-priority threat?

This vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating that threat actors are actively exploiting it. Its critical severity, coupled with the ease of remote, unauthenticated exploitation for gaining administrative control, makes it a significant and immediate threat.

What steps should be taken to address CVE-2026-20182?

It is crucial to apply Cisco security updates to affected Cisco Catalyst SD-WAN Controller and Manager systems as soon as possible. If immediate patching is not feasible, isolate the vulnerable devices from the network and closely monitor for any suspicious activity, particularly unauthorized configuration changes or NETCONF access.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.