About:
CVE-2026-20182 is a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager.
The vulnerability is caused by improper authentication handling within SD-WAN management and controller infrastructure. An unauthenticated remote attacker may exploit the flaw by sending crafted requests to affected systems.
Successful exploitation may allow attackers to gain unauthorized access to SD-WAN infrastructure, execute administrative actions, manipulate network orchestration functions, and potentially compromise enterprise-wide WAN management operations.
Cisco confirmed limited exploitation of this vulnerability, and it has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
Identifier: CVE-2026-20182
CVSS Score: 10.0 (Critical, CVSS v3.1)
PoC or Exploitation:
Cisco confirmed limited exploitation of this vulnerability. The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. There is currently no validated public proof-of-concept exploit code.
Update/Patch:
Cisco has released software updates to address this vulnerability.
Affected products include:
Cisco Catalyst SD-WAN Controller
Cisco Catalyst SD-WAN Manager
Affected deployment types include:
On-Prem Deployment
Cisco SD-WAN Cloud-Pro
Cisco SD-WAN Cloud (Cisco Managed)
Cisco SD-WAN for Government (FedRAMP)
Affected and fixed releases include:
Earlier than 20.9: Migrate to a fixed release
20.9: Fixed in 20.9.9.1
20.10: Fixed in 20.12.7.1
20.11: Fixed in 20.12.7.1
20.12: Fixed in 20.12.5.4, 20.12.6.2, 20.12.7.1
20.13: Fixed in 20.15.5.2
20.14: Fixed in 20.15.5.2
20.15: Fixed in 20.15.4.4, 20.15.5.2
20.16: Fixed in 20.18.2.2
20.18: Fixed in 20.18.2.2
26.1: Fixed in 26.1.1.1
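For inventory triage, the release list above can be encoded as a lookup that classifies a running release and names its upgrade targets. This Python is an added example, not code from Cisco or RedLegg; the names parse and triage are hypothetical, and the comparison rule (a build counts as fixed when it is at or above a listed fix sharing its first three version components, or above the highest fix listed for its train) is an assumption to confirm against the Cisco advisory.

```python
# Added example: triage helper built from the bulletin's release list.
# Assumption: a build is fixed if it is at or above a listed fix that shares
# its first three components, or above the highest fix listed for its train.

FIXED = {  # release train -> fixed releases, copied from the bulletin
    "20.9": ["20.9.9.1"],
    "20.10": ["20.12.7.1"],
    "20.11": ["20.12.7.1"],
    "20.12": ["20.12.5.4", "20.12.6.2", "20.12.7.1"],
    "20.13": ["20.15.5.2"],
    "20.14": ["20.15.5.2"],
    "20.15": ["20.15.4.4", "20.15.5.2"],
    "20.16": ["20.18.2.2"],
    "20.18": ["20.18.2.2"],
    "26.1": ["26.1.1.1"],
}

def parse(version):
    """Turn '20.12.5.3' into (20, 12, 5, 3), padded to four components."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(version):
    """Return (status, upgrade_targets) for a running release string."""
    v = parse(version)
    train = f"{v[0]}.{v[1]}"
    if v[:2] < (20, 9):
        return "vulnerable", ["migrate to a fixed release"]
    if train not in FIXED:
        return "not-listed", []  # the bulletin says nothing about this train
    fixes = [parse(f) for f in FIXED[train]]
    in_train = [f for f in fixes if f[:2] == v[:2]]
    if not in_train:
        return "vulnerable", FIXED[train]  # fix exists only in a later train
    same_line = [f for f in in_train if f[:3] == v[:3]]
    if same_line:
        fixed = v >= same_line[0]
    else:
        fixed = v > max(in_train)
    if fixed:
        return "fixed", []
    # Offer only fixes that are an upgrade from the running build.
    targets = [".".join(map(str, f)) for f in in_train if f > v]
    return "vulnerable", targets
```

A "not-listed" result means the train does not appear in this bulletin and should be checked against the Cisco advisory directly.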
Cisco advisory and patch guidance:
Description:
CVE-2026-20182 is an authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager.
The vulnerability is caused by improper authentication handling within the SD-WAN management and controller infrastructure. An unauthenticated remote attacker may exploit the vulnerability by sending crafted requests to the affected system.
Successful exploitation may allow attackers to gain unauthorized access to vulnerable SD-WAN infrastructure, execute administrative actions, manipulate network orchestration functions, and potentially compromise enterprise-wide WAN management operations.
Mitigation Recommendation:
Immediately upgrade affected Cisco Catalyst SD-WAN deployments to the fixed software releases provided by Cisco.
Prioritize remediation for internet-facing and externally accessible SD-WAN management infrastructure.
Migrate unsupported or end-of-maintenance releases to supported software trains as recommended by Cisco.
Restrict management interface exposure to trusted administrative networks only.
Monitor systems for suspicious authentication activity, unauthorized configuration changes, anomalous API activity, or unexpected administrative actions.
Conduct threat hunting and forensic review on exposed SD-WAN infrastructure, especially where exposure existed prior to patching.