CVE-2026-20182: Cisco SD-WAN Active Exploitation
Tenable, Thursday, May 14th, 2026
Critical Cisco SD-WAN vulnerabilities including CVE-2026-20182 are under active exploitation by multiple threat actors.
Cisco Catalyst SD-WAN Controller and Manager contain multiple critical authentication bypass vulnerabilities (CVE-2026-20182, CVE-2026-20127, and others) that are actively being exploited in the wild. The sophisticated threat actor UAT-8616 has been exploiting these vulnerabilities since at least 2023, while 10 additional threat clusters began exploitation after proof-of-concept code became available.
Successful exploitation allows attackers to bypass authentication and gain privileged access to SD-WAN infrastructure, enabling network configuration manipulation, SSH key injection, and other persistence techniques. CISA has mandated remediation by May 17, 2026 under Emergency Directive 26-03, with patches available for all supported Cisco Catalyst SD-WAN releases.