Critical Cisco SD-WAN Vulnerability Is Being Exploited

Cisco has disclosed a critical security vulnerability affecting its Catalyst SD-WAN Controller and SD-WAN Manager platforms. The flaw carries the highest possible severity rating and has already been actively exploited in real-world attacks.

The newly disclosed issue comes shortly after Cisco patched another authentication bypass flaw in February. During investigations into that earlier vulnerability, the company identified this additional security weakness.

According to Cisco, the flaw allows unauthenticated remote attackers to bypass authentication controls. This gives them the ability to gain administrative access to affected systems without valid credentials.

The company confirmed limited exploitation of the vulnerability during May 2026. However, Cisco has not shared details about who is behind the attacks or the scale of incidents observed.

Critical Authentication Bypass Threat Targets SD-WAN

Cisco said the vulnerability affects peering authentication between SD-WAN devices. This process is essential for secure communication across enterprise networking environments.

The issue occurs because of improper validation during control connection establishment. Attackers can exploit this weakness by sending specially crafted connection requests to targeted systems.

Once exploited, the attacker can bypass security checks and establish themselves as a trusted peer. This allows unauthorized access to sensitive management functions.

Cisco stated that the flaw impacts both Catalyst SD-WAN Controller and Catalyst SD-WAN Manager deployments. The risk remains regardless of configuration settings, making all vulnerable systems exposed.

How Attackers Can Gain Admin Access

Successful exploitation allows attackers to log in as a privileged internal user. This account has elevated permissions that can be used to control parts of the SD-WAN infrastructure.

Through this access, attackers can reach NETCONF interfaces. NETCONF is used to manage network configurations, giving attackers the ability to modify enterprise networking operations.

This means cybercriminals could alter routing, connectivity, and policy configurations across SD-WAN environments. The impact could disrupt business-critical network operations.

The flaw has been assigned CVE-2026-20182 and received a maximum CVSS severity score of 10.0. This indicates the most severe level of risk in cybersecurity scoring systems.

Read : Why Human Labor Still Beats AI Compute on Cost

Cisco Urges Immediate Security Updates

Cisco has released software updates to fix the vulnerability. Organizations using affected systems are strongly advised to apply patches immediately.

The company emphasized that there are no workarounds available. Updating the software is currently the only effective mitigation against exploitation.

Cisco credited Stephen Fewer and Jonah Burges of Rapid7 for discovering and reporting the flaw.

Given the active exploitation, security teams should prioritize patching affected infrastructure. Immediate remediation is critical to prevent unauthorized access and network compromise.