Cisco Catalyst SD-WAN Zero-Day CVE-2026-20182: CVSS 10.0 Auth Bypass Actively Exploited — Sixth SD-WAN Flaw Patched in 2026
Cisco has patched CVE-2026-20182, a CVSS 10.0 authentication bypass in Catalyst SD-WAN actively exploited by threat actor UAT-8616. CISA mandated remediation under Emergency Directive 26-03.
Cisco has issued an emergency patch for CVE-2026-20182, a maximum-severity authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager that has been actively exploited in the wild. Rated CVSS 10.0, the flaw is the sixth Cisco SD-WAN vulnerability confirmed exploited in 2026 — a streak that has drawn urgent attention from CISA and the broader enterprise networking community.
What the Vulnerability Does
CVE-2026-20182 stems from a flawed peer authentication mechanism in the vdaemon service, which communicates over DTLS on UDP port 12346. A remote unauthenticated attacker can exploit the flaw to become an authenticated peer of the target appliance — without any valid credentials — and then perform privileged operations, including injecting an attacker-controlled public key into the vmanage-admin user account’s authorized SSH keys file.
This effectively gives the attacker persistent, authenticated SSH access to the compromised SD-WAN controller. Critically, the vulnerability is configuration-independent: vulnerable systems remain exposed regardless of how they are deployed or configured.
Scope and Affected Products
The vulnerability affects both the Cisco Catalyst SD-WAN Controller — the control plane of the Cisco Catalyst SD-WAN solution — and the Cisco Catalyst SD-WAN Manager, which serves as the management plane for the entire SD-WAN fabric. All supported Cisco Catalyst SD-WAN releases were affected prior to the patch.
Rapid7, which discovered the weakness during an analysis of a prior SD-WAN CVE (CVE-2026-20127), shared technical details with Cisco on March 9, 2026. Cisco confirmed active exploitation by a highly sophisticated threat actor before the patch was available.
Active Exploitation: UAT-8616
Cisco Talos has clustered the known exploitation activity under UAT-8616, described as a highly sophisticated cyber threat actor. Talos reports that exploitation has been observed but appears limited in scope so far. However, given the maximum CVSS score and the configuration-independent nature of the flaw, the risk to unpatched systems is significant.
This is the sixth SD-WAN vulnerability exploited in 2026, continuing a pattern that security teams managing distributed enterprise networking infrastructure should treat as a sustained targeting campaign against SD-WAN management infrastructure.
CISA Emergency Directive and Remediation
The US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 26-03 in response to active exploitation, mandating that federal agencies apply available mitigations by May 17, 2026. Patches are available for all supported Cisco Catalyst SD-WAN releases.
Organizations running Cisco Catalyst SD-WAN should apply the patch immediately, audit authorized SSH keys for the vmanage-admin account, and review DTLS-based peer connections for anomalous activity. Enterprise teams should also consult the Cisco Talos ongoing exploitation blog and the official Cisco Security Advisory for full technical mitigations and indicators of compromise.
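One way to carry out the authorized-keys audit recommended above, as an added example that is not from Cisco, Talos or the original article: it parses the contents of an authorized_keys file, computes each key's SHA256 fingerprint, and reports every entry that is not on an operator-maintained allowlist. The allowlist, the sample entries and the function names are constructed for illustration; supply the real contents of the vmanage-admin authorized keys file from the appliance.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form printed by `ssh-keygen -l`."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (line_no, fingerprint or None, detail) for each key entry."""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options such as from="..." may precede the key type field.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(fields):
            yield no, None, line
            continue
        try:
            yield no, fingerprint(fields[idx + 1]), " ".join(fields[idx + 2:])
        except ValueError:  # malformed base64: report the line, do not skip it
            yield no, None, line

def audit(text, approved):
    """Return (line_no, finding, detail) for every entry not on the allowlist."""
    findings = []
    for no, fp, detail in parse_authorized_keys(text):
        if fp is None:
            findings.append((no, "unparseable", detail))
        elif fp not in approved:
            findings.append((no, fp, detail))
    return findings

def _blob(seed):
    # Constructed stand-in for a public key blob; not a real key.
    return base64.b64encode(seed).decode()

# Constructed sample file contents and allowlist (hypothetical names throughout).
SAMPLE = "\n".join([
    "# constructed sample",
    "ssh-ed25519 " + _blob(b"approved-key") + " netops@jump",
    'from="192.0.2.10" ssh-rsa ' + _blob(b"unknown-key") + " unlabelled",
    "ssh-rsa not*base64 broken",
])
APPROVED = {fingerprint(_blob(b"approved-key"))}
```

Calling `audit(SAMPLE, APPROVED)` flags lines 3 and 4 of the sample. Unparseable lines are reported rather than skipped, so a malformed entry cannot hide from the review.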
The Bigger Picture: SD-WAN Under Sustained Attack
Six exploited SD-WAN vulnerabilities in less than five months of 2026 signal that SD-WAN management infrastructure — which provides privileged access to distributed network fabric — has become a high-value target. Security teams should treat SD-WAN management planes with the same isolation and monitoring posture applied to identity infrastructure and cloud control planes.
Immediate actions: patch, rotate SSH keys, segment the SD-WAN management plane from general corporate traffic, and ensure active monitoring of DTLS traffic on UDP 12346.



