Cisco Alerts Users of High-Severity Actively Exploited SD-WAN Vulnerability

Cisco has issued a critical alert regarding a newly discovered authentication bypass vulnerability (CVE-2026-20182) in its Catalyst SD-WAN Controller and Manager platforms. The flaw allows remote attackers to gain administrative access and is being actively exploited in the wild. Organizations using these Cisco products are urged to address the issue immediately, as there are no available workarounds.

The flaw was identified during the investigation of an earlier vulnerability that was patched in February. Cisco confirmed that the bug permits unauthenticated remote attackers to bypass authentication and obtain administrative privileges.

The vulnerability stems from insufficient validation during the authentication of control connections between SD-WAN devices. Attackers can exploit this by sending specially crafted requests to a targeted system, effectively gaining the same privileges as an internal user. Exploitation can lead to unauthorized access to configurations, enabling attackers to manipulate network settings.

Identified as a zero-day vulnerability, it received a maximum severity rating of CVSS 10.0. Cisco has quickly rolled out patches for affected systems and has advised all users to upgrade to the latest software versions to mitigate risk. The Cybersecurity and Infrastructure Security Agency (CISA) has included this flaw in its catalog of known exploited vulnerabilities, urging federal agencies to patch systems immediately.

Along with the technical fixes, Cisco has provided operational guidance to assist organizations in identifying any malicious control connections. Users are encouraged to review their control peering relationships and verify all connected peers, especially those linked to SD-WAN Manager systems.
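One way to carry out the peer verification described above is to compare the observed control peers against an approved inventory. The following is an added example, not code from Cisco or its advisory; the CSV layout, the inventory, the addresses and the peer-type labels (`vmanage`, `vsmart`, `vedge`) are assumptions constructed for illustration.

```python
import csv
import io

# Constructed inventory of approved control peers:
# system IP -> (peer type, expected public IP).
INVENTORY = {
    "10.0.0.1": ("vmanage", "198.51.100.10"),
    "10.0.0.2": ("vsmart", "198.51.100.11"),
    "10.0.1.5": ("vedge", "203.0.113.5"),
}

# Constructed sample of observed peers (hypothetical CSV layout, not Cisco output).
OBSERVED_CSV = """peer_type,system_ip,public_ip
vmanage,10.0.0.1,198.51.100.10
vsmart,10.0.0.2,198.51.100.11
vedge,10.0.1.5,192.0.2.77
vmanage,10.0.9.9,192.0.2.200
vmanage,10.0.1.5,203.0.113.5
"""


def audit_peers(observed_csv, inventory):
    """Return (severity, system_ip, reason) for each peer that fails verification."""
    findings = []
    for row in csv.DictReader(io.StringIO(observed_csv)):
        ptype = row["peer_type"].strip().lower()
        sys_ip = row["system_ip"].strip()
        pub_ip = row["public_ip"].strip()
        # Peers presenting as a Manager are prioritised, per the guidance above.
        sev = "high" if ptype == "vmanage" else "medium"
        known = inventory.get(sys_ip)
        if known is None:
            findings.append((sev, sys_ip, "peer not in inventory"))
            continue
        exp_type, exp_pub = known
        if ptype != exp_type:
            findings.append((sev, sys_ip, f"type {ptype} but inventory says {exp_type}"))
        if pub_ip != exp_pub:
            findings.append((sev, sys_ip, f"public IP {pub_ip}, expected {exp_pub}"))
    return findings


if __name__ == "__main__":
    for severity, system_ip, reason in audit_peers(OBSERVED_CSV, INVENTORY):
        print(f"[{severity}] {system_ip}: {reason}")
```

Each finding is a lead for manual review against change records, not proof of compromise.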

These revelations underscore the urgency of cybersecurity vigilance, especially as the threat landscape continues to evolve. For further technical updates and fixes, organizations can refer to the official Cisco advisory.
