virus logo Threat Signal Report

Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

What is the Attack?

CVE-2026-20182 is a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager deployments, including on-premises and cloud-managed environments. Cisco confirmed active exploitation in the wild.

Attackers can impersonate trusted SD-WAN peers and establish authenticated control connections, ultimately obtaining high-privileged administrative access. Researchers note similarities to the previously exploited CVE-2026-20127 vulnerability, though Cisco states this is a distinct flaw.

The vulnerability allows unauthenticated remote attackers to bypass device authentication and gain administrative privileges on vulnerable systems. CISA added the flaw to the KEV catalog and directed federal agencies to remediate affected systems by May 17, 2026.

What is the recommended Mitigation?

• Impacted platforms include:
Cisco Catalyst SD-WAN Controller (formerly vSmart)
Cisco Catalyst SD-WAN Manager (formerly vManage)
Cisco SD-WAN Cloud deployments
Cisco SD-WAN Government/FedRAMP environments

• Cisco states there are currently no workarounds for this vulnerability. Organizations should:
• Immediately upgrade to fixed Cisco releases
• Audit exposed SD-WAN control infrastructure
• Restrict public exposure of SD-WAN management interfaces
• Review peering and authentication logs
• Open TAC cases if compromise is suspected
• Collect and preserve admin-tech bundles for forensic review

What FortiGuard Coverage is available?

• FortiGuard Antivirus & Behavior Detection: Protects against malicious payloads and post-exploitation activity associated with compromised SD-WAN infrastructure, including suspicious administrative access, abnormal process execution, unauthorized configuration changes, and attacker persistence mechanisms.

• FortiGuard Incident Response: Organizations that suspect exposure or compromise involving vulnerable Cisco Catalyst SD-WAN Controller or SD-WAN Manager instances should engage FortiGuard Incident Response for rapid investigation, compromise assessment, containment, forensic analysis, and remediation.

• FortiGuard Web Filtering: Prevents access to known malicious infrastructure, attacker-controlled domains, and command-and-control servers associated with exploitation campaigns targeting exposed SD-WAN environments.

• FortiGuard Labs Threat Intelligence: FortiGuard Labs continues to monitor active exploitation activity, attacker infrastructure, and evolving tactics associated with CVE-2026-20182 to provide timely protection updates and actionable threat intelligence.

Additional Resources

Cisco Security Advisory


Released Date May 22, 2026
Tags Threat Signal Vulnerability
CVE ID

Experienced a Breach? We're here to help

FortiGuard Incident Response Services
FortiGuard Incident Response Services
About FortiGuard Threat Signal

Learn More »