A critical CVSS 10.0 zero-day vulnerability in Cisco’s Catalyst SD-WAN products is being actively exploited, allowing unauthenticated attackers to gain full control of network infrastructure. CISA has added it to its Known Exploited Vulnerabilities catalogue with an urgent remediation deadline.
What Is CVE-2026-20182?
CVE-2026-20182 is a critical authentication bypass vulnerability in Cisco’s Catalyst SD-WAN Controller and Catalyst SD-WAN Manager. It carries the maximum possible CVSS score of 10.0, reflecting the combination of network accessibility, no authentication required, low attack complexity, and the potential for complete loss of confidentiality, integrity, and availability.
The vulnerability was discovered by researchers at Rapid7 and has been confirmed as actively exploited in the wild since May 2026.
How the Vulnerability Works
The flaw exists in the peering mechanism used by Cisco SD-WAN components to communicate with each other. An unauthenticated attacker with network access to the management plane can exploit this mechanism to register a rogue peer device. Once a malicious device is registered as a trusted peer, the attacker gains the ability to:
- Intercept and manipulate network traffic flowing through the SD-WAN fabric
- Exfiltrate sensitive data traversing the network
- Modify routing and policy configurations across all connected sites
- Pivot to other systems within the internal network
- Disrupt business-critical WAN connectivity
Because the flaw bypasses authentication, standard network segmentation and firewall rules protecting the management plane are insufficient whenever the SD-WAN peering ports remain reachable by an attacker.
Which Products Are Affected?
The vulnerability affects:
- Cisco Catalyst SD-WAN Controller — multiple versions
- Cisco Catalyst SD-WAN Manager (formerly vManage) — multiple versions
Cisco has released patched versions. Organisations should consult Cisco’s official security advisory for the specific version matrix and upgrade paths applicable to their deployment.
Active Exploitation and CISA Response
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20182 to its Known Exploited Vulnerabilities (KEV) catalogue, with a remediation deadline of 17 May 2026. Federal agencies in the United States are required to patch within this timeframe; for private sector organisations globally, inclusion in the KEV catalogue is a strong signal of active, ongoing exploitation by real-world threat actors.
Immediate Actions Required
If your organisation uses Cisco Catalyst SD-WAN, the priority actions are:
- Patch immediately — Apply Cisco’s security updates for the Catalyst SD-WAN Controller and Manager without delay. This is a CVSS 10.0 vulnerability under active exploitation with no workaround that replaces patching.
- Restrict management plane access — Ensure that SD-WAN management and peering interfaces are not accessible from untrusted networks. Apply strict firewall rules and network segmentation around these ports.
- Audit peer device registrations — Review the list of registered peer devices in your SD-WAN fabric for any unauthorised entries that may indicate compromise has already occurred.
- Enable logging and monitoring — Increase logging verbosity on SD-WAN controllers and integrate with your SIEM for anomaly detection around peering events and configuration changes.
- Invoke incident response — If you have any indication of exploitation, treat this as a potential full network compromise and engage your incident response process immediately.
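One way to carry out the peer-registration audit listed above, as an added example that is not from Cisco or the original article: it compares an export of registered peers against an approved inventory and flags entries that need review. The CSV column names, serial numbers, hostnames and addresses are constructed assumptions; adapt the parsing to whatever export your deployment produces.

```python
import csv
import io

# Constructed sample data. Column names (serial, system_ip, hostname) are
# assumptions for this example, not a Cisco export format.
APPROVED_CSV = """serial,system_ip,hostname
SN-EXAMPLE-0001,10.255.0.1,controller-1
SN-EXAMPLE-0002,10.255.0.2,manager-1
SN-EXAMPLE-0003,10.255.1.10,edge-leeds
"""

REGISTERED_CSV = """serial,system_ip,hostname
SN-EXAMPLE-0001,10.255.0.1,controller-1
SN-EXAMPLE-0002,10.255.0.2,manager-1
SN-EXAMPLE-0003,10.255.9.99,edge-leeds
SN-EXAMPLE-9999,10.255.1.77,edge-leeds-2
"""


def load(text):
    """Parse CSV text into {serial: row}, normalising case and whitespace."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        clean = {k: (v or "").strip() for k, v in row.items()}
        rows[clean["serial"].upper()] = clean
    return rows


def audit_peers(approved_text, registered_text):
    """Return (finding, serial, detail) tuples for peers needing review."""
    approved = load(approved_text)
    registered = load(registered_text)
    findings = []
    for serial, peer in sorted(registered.items()):
        known = approved.get(serial)
        if known is None:
            # Registered in the fabric but absent from the inventory.
            findings.append(("UNKNOWN_PEER", serial, peer["system_ip"]))
        elif known["system_ip"] != peer["system_ip"]:
            detail = f'{known["system_ip"]} -> {peer["system_ip"]}'
            findings.append(("SYSTEM_IP_CHANGED", serial, detail))
    # Approved devices missing from the fabric may have been displaced.
    for serial in sorted(approved.keys() - registered.keys()):
        findings.append(("APPROVED_NOT_REGISTERED", serial, approved[serial]["system_ip"]))
    return findings


if __name__ == "__main__":
    for finding in audit_peers(APPROVED_CSV, REGISTERED_CSV):
        print(*finding, sep="\t")
```

Any finding is a prompt for manual review against change records, not proof of compromise on its own.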
The Threat to UK Businesses
SD-WAN technology is widely deployed in UK businesses with multiple offices or remote sites, often serving as the backbone of WAN connectivity. A compromised SD-WAN controller gives attackers a privileged position within the network with visibility across all connected sites, making this vulnerability particularly dangerous for organisations where network integrity is business-critical.
BIT Tech IT Solutions provides network infrastructure management and cybersecurity services for businesses across the UK. If you use Cisco SD-WAN and need assistance assessing your exposure or applying patches urgently, contact our team.

