CVE-2026-20182: Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass (Active Exploitation, ED 26-03)
Rodrigo Garcia
Updated May 15, 2026. NVD has completed its analysis and confirmed the CVSS v3.1 10.0 Critical score. EPSS scoring is now available, placing the CVE at the 82nd percentile (1.56% probability). Cisco Talos has attributed the in-the-wild exploitation to the threat actor UAT-8616, and Rapid7 has announced a Metasploit module scheduled for public release on May 27, 2026.
What Is CVE-2026-20182?
CVE-2026-20182 is an authentication bypass in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller, formerly known as vSmart, and Cisco Catalyst SD-WAN Manager, formerly known as vManage. An unauthenticated remote attacker can send crafted requests to the affected system and log in as an internal, high-privileged, non-root account. From that account the attacker reaches NETCONF, which exposes the configuration surface of the entire SD-WAN fabric.
The flaw lives in the control-connection handshaking path. It is distinct from the February 2026 disclosure that covered the same product family (CVE-2026-20127), but it was discovered and fixed in the same code area while Cisco was addressing the original. Cisco’s advisory text is explicit: “This new advisory is for a new vulnerability in the control connection handshaking.” Defenders who treated the February patch as the end of the story now have a second bug in the same daemon to address.
The weakness is classified as CWE-287: Improper Authentication. Cisco’s PSIRT became aware of limited exploitation in May 2026, and CISA added the CVE to the Known Exploited Vulnerabilities catalog on May 14, 2026, the day Cisco published the advisory. The same day, CISA issued Emergency Directive ED 26-03, binding federal civilian agencies to a specific identify, patch, and hunt-for-compromise workflow on in-scope Cisco SD-WAN systems.
How Serious Is It?
CVSS Score
Cisco PSIRT (the CNA) and NVD both score CVE-2026-20182 at 10.0 Critical on CVSS v3.1 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. There is no disagreement between the CNA and NVD on this one. The vector decomposes to a worst-case profile for a network-management plane:
- Attack Vector: Network. The exploit travels over the SD-WAN control plane interface.
- Attack Complexity: Low. No precondition, no race window, no pre-existing credential.
- Privileges Required: None. The attacker is unauthenticated at the start of the exploit.
- User Interaction: None. No phishing, no operator action.
- Scope: Changed. The compromise of the controller propagates to the managed fabric: any device the controller can reconfigure is inside the blast radius.
- Confidentiality, Integrity, Availability impact: High. Administrative access to NETCONF lets the attacker read, change, and disrupt the SD-WAN configuration.
NVD’s exploitability sub-score is 3.9 (the maximum for v3.1) and the impact sub-score is 6.0. With Scope: Changed, the v3.1 base formula multiplies the sum of those two by 1.08 and caps the result at 10.0, which is how this vector lands on the ceiling. NVD has now completed its analysis and confirmed the 10.0 Critical score, so the CNA and NVD values agree at the top of the scale with no caveat pending.
Exploitation Probability
EPSS now scores CVE-2026-20182 at 1.56% probability, 82nd percentile. The raw 1.56 percent is EPSS’s estimate of in-the-wild exploitation within the next 30 days; the percentile says this CVE ranks higher than 82 percent of all scored CVEs. The percentile matters more than the raw number here. For a vulnerability that is already KEV-listed with confirmed exploitation and a named threat actor, EPSS is confirmation, not new information, and it will likely climb as scanning activity picks up and the announced Metasploit module’s release date approaches. Treat the SSVC active status and the KEV deadline as the operative signals; EPSS is the corroborating one.
Active Exploitation
CVE-2026-20182 is in the CISA Known Exploited Vulnerabilities catalog, added on May 14, 2026 with a remediation deadline of May 17, 2026. The KEV entry, titled “Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability”, describes the same primitive Cisco’s advisory does: an unauthenticated remote attacker bypasses authentication and obtains administrative privileges on the affected system.
SSVC assessment from the CISA ADP enrichment:
- Exploitation: active (confirmed in-the-wild)
- Automatable: yes (the exploit primitive can be scripted at scale)
- Technical Impact: total (administrative access to NETCONF)
Cisco’s PSIRT note is direct: “In May 2026, the Cisco Product Security Incident Response Team (PSIRT) became aware of limited exploitation of this vulnerability. Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability.”
Cisco Talos has since attributed the activity, with high confidence, to UAT-8616, a threat actor it has tracked targeting critical infrastructure since around 2023. Talos describes a hands-on-keyboard tradecraft chain rather than opportunistic scanning: bypass authentication via this CVE, downgrade to root, inject an SSH key, manipulate configuration over NETCONF, create rogue accounts, and clear logs to cover the intrusion. The activity is still characterized as targeted and limited, not mass exploitation, but “limited” here means a capable actor selecting victims, which raises rather than lowers the urgency for any organization running an exposed controller.
A standalone public proof-of-concept for CVE-2026-20182 has not been published on GitHub, ExploitDB, or Packet Storm at the time of writing. Rapid7, which discovered the vulnerability, has announced a Metasploit module named cisco_sdwan_vhub_auth_bypass with a scheduled public release date of May 27, 2026. The module automates the full chain: authentication bypass, SSH public-key injection into the vmanage-admin authorized_keys file, then NETCONF access over TCP/830. Treat May 27 as a hard deadline for getting exposed controllers patched; the gap between “limited targeted exploitation” and “commodity Metasploit module” closes on that date.
Who Is Affected?
The advisory covers two products in the Cisco Catalyst SD-WAN family:
- Cisco Catalyst SD-WAN Controller, the route-and-policy plane formerly sold as vSmart.
- Cisco Catalyst SD-WAN Manager, the orchestration plane formerly sold as vManage.
The MITRE CNA record enumerates more than thirty individual point releases of Cisco Catalyst SD-WAN Manager across the 17.x, 18.x, 19.x, and 20.x branches as affected, including 17.2.x, 18.2.x, 18.3.x, 18.4.x, 19.1.x, 19.2.x, 20.1.x, and 20.3.x point releases. The CISA KEV entry adds the umbrella “Catalyst SD-WAN” product designation. The Cisco advisory’s Fixed Software table is the authoritative source for the per-branch upgrade target; pull the exact strings from the vendor advisory before scheduling a maintenance window.
What Should You Do?
Patches and Updates
Upgrade to the Fixed Software release listed for your branch in Cisco’s advisory cisco-sa-sdwan-rpa2-v69WY2SW. The advisory’s Fixed Software section enumerates the target build per supported train; CISA’s KEV deadline of May 17, 2026 applies to in-scope federal agencies and is a useful baseline for everyone else.
If you already patched against the February 2026 advisory (cisco-sa-sdwan-rpa-EHchtZk, covering CVE-2026-20127), do not assume you are covered for this one. It is a separate bug in the same control-connection handshaking code, the Fixed Software builds are different, and the May 14 advisory specifically states the new vulnerability was discovered after the February disclosure shipped.
Workarounds
No workarounds are available. Cisco’s advisory does not publish an interim mitigation; the published remediation is to upgrade to a Fixed Software release. CISA’s Emergency Directive ED 26-03 covers the operational containment path for federal agencies that cannot patch immediately, including hardening guidance for the SD-WAN management network and steps for hunting compromise pending the upgrade.
Detection and Visibility
Three questions to answer in the first hour:
- Which Catalyst SD-WAN Controller and SD-WAN Manager instances exist in your environment, and which software train is each one on.
- Which of them is reachable from any untrusted network path, including a third-party-managed transport or a partner peering.
- Whether any of them already shows the compromise indicators from CISA’s Hunt and Hardening Guidance.
CISA’s supplemental directive lists concrete indicators to hunt for. The authoritative IoC is unexpected entries of the form Accepted publickey for vmanage-admin in the controller’s /var/log/auth.log, sourced from IP addresses that are not listed in the device’s configured System IP table. Cross-reference each accepted-publickey event against the legitimate peer list. Inspect the ~vmanage-admin/.ssh/authorized_keys file for SSH keys you did not place there: an attacker who chained through CVE-2026-20182 leaves persistence by writing their own public key into that file. Audit show control connections output for unrecognized peer IP addresses, unexpected peering times, and device types inconsistent with the fabric’s architecture. Watch NETCONF activity on TCP/830 originating from the vmanage-admin account for connections from source IPs outside the expected administrative range.
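The two file-based checks above (accepted-publickey events for vmanage-admin from non-peer IPs, and unexpected entries in the account's authorized_keys) are mechanical enough to script. The following is an added example, not tooling from CISA, Cisco or the page; it assumes auth.log carries standard OpenSSH syslog lines and that you can export the System IP table and a baseline of the keys you actually deployed. The log excerpt, peer list and key material are constructed for the demo.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Matches OpenSSH's syslog line for a successful login. The format is assumed
# to be stock sshd output as written to /var/log/auth.log.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>publickey|password|keyboard-interactive/pam) "
    r"for (?P<user>\S+) from (?P<ip>[0-9A-Fa-f:.]+) port (?P<port>\d+)"
)

# Constructed auth.log excerpt (not from a real controller). The third line is
# the pattern the hunt guidance describes: a publickey login as vmanage-admin
# from an address that is not a configured peer.
SAMPLE_AUTH_LOG = """\
May 14 01:02:11 vsmart1 sshd[2201]: Accepted publickey for vmanage-admin from 10.10.0.2 port 40122 ssh2: RSA SHA256:KnownPeerKey
May 14 01:05:43 vsmart1 sshd[2210]: Accepted password for admin from 192.168.50.7 port 51200 ssh2
May 14 03:17:09 vsmart1 sshd[2388]: Accepted publickey for vmanage-admin from 203.0.113.77 port 60001 ssh2: ED25519 SHA256:UnknownKey
May 14 03:17:15 vsmart1 sshd[2388]: pam_unix(sshd:session): session opened for user vmanage-admin by (uid=0)
May 14 03:40:02 vsmart1 sshd[2401]: Failed publickey for vmanage-admin from 198.51.100.9 port 41000 ssh2
"""

# Constructed System IP table: the controllers and managers this device
# legitimately peers with. Export the real one from the fabric.
SYSTEM_IPS: Set[str] = {"10.10.0.1", "10.10.0.2", "10.10.0.3"}

# Constructed ~vmanage-admin/.ssh/authorized_keys content. The ed25519 entry
# stands in for a planted key; it is not a real attacker artifact.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKNOWN vmanage-admin@vmanage1
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEROGUE root@unknown-host
"""
# Baseline of (key type, base64 blob) pairs you know you deployed.
KNOWN_KEYS: Set[Tuple[str, str]] = {
    ("ssh-rsa", "AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKNOWN"),
}


def parse_accepted(line: str) -> Optional[Dict[str, str]]:
    """Return method/user/ip/port for an 'Accepted ...' sshd line, else None."""
    m = ACCEPTED_RE.search(line)
    return m.groupdict() if m else None


def hunt_auth_log(lines: Iterable[str], system_ips: Set[str],
                  account: str = "vmanage-admin") -> List[Dict[str, str]]:
    """Flag publickey logins as `account` whose source IP is not a configured peer."""
    findings = []
    for line in lines:
        ev = parse_accepted(line)
        if ev is None or ev["method"] != "publickey" or ev["user"] != account:
            continue
        if ev["ip"] not in system_ips:
            findings.append({"ip": ev["ip"], "port": ev["port"], "line": line.strip()})
    return findings


def audit_authorized_keys(text: str, known_keys: Set[Tuple[str, str]]) -> List[str]:
    """Return authorized_keys entries whose (type, blob) is not in the baseline."""
    unknown = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Entries may begin with an options field (e.g. command="...",no-pty),
        # so locate the key type instead of assuming it is field 0.
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            unknown.append(line)      # unparseable entry: review it by hand
        elif (fields[idx], fields[idx + 1]) not in known_keys:
            unknown.append(line)
    return unknown


if __name__ == "__main__":
    for f in hunt_auth_log(SAMPLE_AUTH_LOG.splitlines(), SYSTEM_IPS):
        print("SUSPICIOUS LOGIN:", f["ip"], "port", f["port"], "|", f["line"])
    for k in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEYS):
        print("UNKNOWN KEY:", k)
```

Two design points: the allowlist is the System IP table rather than "internal RFC 1918 space", because the Talos chain pivots from an already-compromised peer just as readily as from the internet, and the authorized_keys audit compares the key blob itself rather than the trailing comment, since the comment is free text an intruder can set to anything. Run both against copies of the files pulled off the box, not on the controller itself, so a compromised host cannot tamper with your hunt.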
The first question, “where do my Catalyst SD-WAN Controllers and Managers actually live,” is the slowest one for most teams. SD-WAN fabrics are deployed across regions, run by network teams whose inventory may or may not flow back to the security team’s CMDB, and frequently span on-prem and cloud-hosted controller VMs. An asset inventory that pulls from your vulnerability scanner, your cloud provider accounts, and your network management plane gives you a single answer instead of three different ones. Koopic connects to those tools and surfaces, in minutes, exactly which controllers and managers are on an affected build and where they sit.
Timeline
- May 27, 2026: Rapid7 Metasploit module cisco_sdwan_vhub_auth_bypass scheduled for public release
- May 17, 2026: CISA KEV remediation deadline
- By May 15, 2026: NVD completes analysis (CVSS v3.1 10.0 Critical, status: Analyzed)
- By May 15, 2026: EPSS scored at 82nd percentile (1.56% probability)
- By May 15, 2026: Cisco Talos attributes in-the-wild exploitation to UAT-8616
- May 14, 2026: CISA issues Emergency Directive ED 26-03
- May 14, 2026: CISA adds to KEV catalog (3-day deadline)
- CISA ADP SSVC enrichment: exploitation active, automatable, total impact
- May 14, 2026: Cisco publishes advisory cisco-sa-sdwan-rpa2-v69WY2SW; PSIRT confirms limited exploitation
- February 2026: Predecessor advisory cisco-sa-sdwan-rpa-EHchtZk (CVE-2026-20127) published
References
- Cisco Security Advisory: cisco-sa-sdwan-rpa2-v69WY2SW
- NVD: CVE-2026-20182
- MITRE: CVE-2026-20182
- CISA KEV: CVE-2026-20182
- Cisco Talos: UAT-8616 Targeting Cisco SD-WAN
- Rapid7: Critical Authentication Bypass in Cisco Catalyst SD-WAN Controller (CVE-2026-20182)
- CISA Emergency Directive ED 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems
- CISA Supplemental Direction: Hunt and Hardening Guidance for Cisco SD-WAN Systems
- Cisco Predecessor Advisory: cisco-sa-sdwan-rpa-EHchtZk (CVE-2026-20127)
- CWE-287: Improper Authentication