## Cisco Catalyst SD-WAN Controllers Under Active Exploitation — Critical Authentication Bypass Grants Full Admin Control
Cisco has patched a critical authentication bypass vulnerability in its Catalyst SD-WAN Controller and Manager components, with evidence indicating active exploitation in the wild. The flaw, tracked as CVE-2026-20182 and assigned a maximum CVSS score of 10.0, enables remote attackers to bypass authentication mechanisms and gain administrative control over network fabric configurations without requiring credentials.

The vulnerability mirrors a similar critical flaw that threat actors have leveraged since 2023, suggesting a consistent attack vector targeting SD-WAN deployments. Attackers can exploit the bypass to manipulate network peering arrangements, inject unauthorized SSH keys into the vmanage-admin account, and potentially tamper with system logs to conceal their presence. Specific exposure points include UDP port 12346 and TCP port 830, which handle management and orchestration traffic.

Security researchers urge immediate action: organizations must isolate all Catalyst SD-WAN components from public access, restricting connectivity to expected peer systems and networks only. A rapid upgrade to a Cisco-provided fixed version is critical. Administrators should audit logs for unauthorized peering activity, suspicious SSH keys in administrative accounts, and signs of log tampering. The exposure carries significant implications for organizations relying on SD-WAN for distributed network infrastructure, as a successful compromise could enable lateral movement, data interception, or disruption of wide-area network operations.
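The SSH-key audit recommended above can be done by fingerprinting every entry in an account's `authorized_keys` content and comparing it with an approved list. The sketch below is an added example, not Cisco tooling or code from the original report; the approved set, the sample entries and the helper names are constructed assumptions, and the file content is passed in as text because the report does not give the key file's location.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-ed25519@", "sk-ecdsa-sha2-")

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keys(text):
    """Yield (line_no, key_type, fingerprint, comment); a leading options field is tolerated."""
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, tok in enumerate(fields[:-1]):
            if tok.startswith(KEY_TYPES):
                try:
                    fp = fingerprint(fields[i + 1])
                except ValueError:  # binascii.Error: blob is not valid base64
                    fp = None
                yield no, tok, fp, " ".join(fields[i + 2:])
                break
        else:
            yield no, None, None, line  # no recognizable key type on this line

def audit(text, approved):
    """Return (line_no, fingerprint or 'unparseable', comment) for entries needing review."""
    findings = []
    for no, _ktype, fp, comment in parse_keys(text):
        if fp is None:
            findings.append((no, "unparseable", comment))
        elif fp not in approved:
            findings.append((no, fp, comment))
    return findings

def sample_blob(seed):
    # Constructed ed25519-shaped blob for the demo, not a real key.
    raw = hashlib.sha256(seed).digest()
    return base64.b64encode(struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw).decode()

# Constructed authorized_keys content: one approved key, one unknown key, one damaged entry.
SAMPLE = "\n".join([
    "# constructed sample, not taken from a real device",
    f"ssh-ed25519 {sample_blob(b'ops')} netops@jump01",
    f'from="192.0.2.10" ssh-ed25519 {sample_blob(b"x")} unknown',
    "ssh-ed25519 not*base64 broken",
])
APPROVED = {fingerprint(sample_blob(b"ops"))}  # assumption: fingerprints your team has issued

if __name__ == "__main__":
    for finding in audit(SAMPLE, APPROVED):
        print("REVIEW line %d: %s (%s)" % finding)
```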
---
- **Source**: Mastodon:mastodon.social:#infosec
- **Sector**: The Lab
- **Tags**: cisco, sd-wan, authentication-bypass, cve-2026-20182, active-exploitation
- **Credibility**: unverified
- **Published**: 2026-05-15 13:18:38
- **ID**: 83461
- **URL**: https://whisperx.ai/en/intel/83461