Skip to content
Tech News
← Back to articles

Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks

2026-05-14 | original
read original get Cisco SD-WAN Security Kit → more articles
Why This Matters

Cisco's critical SD-WAN Controller vulnerability (CVE-2026-20182) has been actively exploited in zero-day attacks, allowing attackers to gain high-privileged access and manipulate network configurations. This highlights the urgent need for organizations to patch affected systems and monitor for suspicious activity to prevent potential network breaches. The flaw underscores the importance of robust authentication mechanisms in network security infrastructure.

Key Takeaways

Cisco is warning that a critical Catalyst SD-WAN Controller authentication bypass flaw, tracked as CVE-2026-20182, was actively exploited in zero-day attacks that allowed attackers to gain administrative privileges on compromised devices.

CVE-2026-20182 has a maximum severity of 10.0 and impacts Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager in on-prem and SD-WAN Cloud deployments.

In an advisory published today, Cisco said the issue stems from a peering authentication mechanism that "is not working properly."

"This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system," reads the Cisco CVE-2026-20182 advisory.

"A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric."

Cisco Catalyst SD-WAN is a software-based networking platform that connects branch offices, data centers, and cloud environments through a centrally managed system. It uses a controller to securely route traffic between sites over encrypted connections.

The company says it detected threat actors exploiting the flaw in May, but did not share any details regarding how it was exploited.

However, shared indicators of compromise (IOCs) warn admins to check for unauthorized peering events in the SD-WAN Controller logs, which could indicate attempts to register rogue devices within the SD-WAN fabric.

By adding a rogue peer, an attacker could insert a malicious device into the SD-WAN environment that appears legitimate. That device could then establish encrypted connections and advertise networks under the attacker's control, potentially allowing them to move deeper into an organization's network.

The flaw was discovered by Rapid7 while researching a different Cisco SD-WAN controller vulnerability, tracked as CVE-2026-20127, which was fixed in February.

... continue reading

Explore topics: cisco catalyst sd-wan cve-2026-20182 netconf zero-day
Related:
Cisco posts best day since 2011 on strong AI demand, CEO says tech is entering a 'networking supercycle'
Maximum Severity Cisco SD-WAN Bug Exploited in the Wild
Agent authorization is broken — and authentication passing makes it worse
Zero-day exploit completely defeats default Windows 11 BitLocker protections
Cisco CEO says tech is entering a 'networking supercycle' as stock pops 13% on strong AI demand

© 2026 GoKawiil

About | Editorial Policy | Contact