Threat Intelligence | 2026-05-15 | 6 min read

Cisco SD-WAN Authentication Bypass: CVSS 10.0 and the Sixth Zero-Day of 2026

CVE-2026-20182 is a maximum-severity authentication bypass in Cisco Catalyst SD-WAN Controller. CISA added it to KEV with a May 17 federal remediation deadline.

The Vulnerability

On May 14, 2026, CISA added CVE-2026-20182 to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. The vulnerability is a critical authentication bypass in Cisco Catalyst SD-WAN Controller, rated CVSS 10.0. Maximum severity.

This is the sixth SD-WAN zero-day exploited in 2026, and active exploitation has been attributed to UAT-8616, the same threat cluster behind the weaponization of previous SD-WAN vulnerabilities. Federal Civilian Executive Branch (FCEB) agencies were required to remediate by May 17, 2026.

What Makes SD-WAN Auth Bypass Critical

SD-WAN controllers are the management plane for enterprise wide-area networks. An authentication bypass on the controller gives an attacker the ability to reconfigure network routing, redirect traffic, deploy malicious configurations to branch devices, and establish persistent access across the entire WAN fabric.

Unlike a vulnerability in a single endpoint, SD-WAN controller compromise is a network-wide event. The attacker does not need to pivot. They already control the routing plane.

The CWE Mapping

CWE-287 (Improper Authentication): The core issue. The controller accepts unauthenticated management API requests under specific conditions.

CWE-306 (Missing Authentication for Critical Function): Administrative functions accessible without credential validation.

CWE-863 (Incorrect Authorization): Even partially authenticated sessions can escalate to full administrative control.
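The three CWEs above describe one family of defect: a management API that decides whether to authenticate per endpoint, so an endpoint left off the list is reachable without credentials, and one that does not re-check the caller's role before a privileged action. The following added example (generic illustration, not Cisco code, and not a reproduction of the SD-WAN controller's logic; endpoint names, tokens and roles are constructed) places the allow-list pattern next to the deny-by-default form a reviewer should expect.

```python
"""Deny-by-default authentication and authorization for a management API.

Added, generic illustration of the CWE-287/306/863 patterns. It is NOT Cisco
code and does not reproduce the SD-WAN controller's logic; the endpoint
names, tokens and roles below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed session store: token -> role. A real system backs this with a
# session service, not a module-level dict.
SESSIONS = {"tok-admin": "admin", "tok-readonly": "viewer"}


@dataclass
class Request:
    path: str
    token: Optional[str] = None


@dataclass
class Response:
    status: int
    body: str


def show_status(role):
    return Response(200, "status ok")


def push_config(role):
    return Response(200, "config pushed")


HANDLERS = {"/api/status": show_status, "/api/config": push_config}

# --- Vulnerable pattern (CWE-306): authentication is enforced by an allow-list
# of paths, so any endpoint missing from the list is reachable unauthenticated.
PROTECTED = {"/api/status"}          # "/api/config" was never added


def vulnerable_dispatch(req: Request) -> Response:
    if req.path in PROTECTED and req.token not in SESSIONS:
        return Response(401, "unauthorized")
    handler = HANDLERS.get(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(SESSIONS.get(req.token))   # may run with role None


# --- Hardened pattern: authenticate every request before routing (CWE-287/306),
# then require the role the handler needs (CWE-863). Unknown paths and unknown
# roles are refused rather than falling through.
REQUIRED_ROLE = {"/api/status": "viewer", "/api/config": "admin"}
ROLE_RANK = {"viewer": 1, "admin": 2}


def hardened_dispatch(req: Request) -> Response:
    role = SESSIONS.get(req.token) if req.token else None
    if role is None:
        return Response(401, "unauthorized")  # deny by default
    handler = HANDLERS.get(req.path)
    if handler is None:
        return Response(404, "not found")
    needed = REQUIRED_ROLE.get(req.path)
    if needed is None or ROLE_RANK[role] < ROLE_RANK[needed]:
        return Response(403, "forbidden")     # no policy, or insufficient role
    return handler(role)


if __name__ == "__main__":
    for dispatch in (vulnerable_dispatch, hardened_dispatch):
        print(dispatch.__name__, dispatch(Request("/api/config")).status)
```

The point to take from the hardened form is structural: the authentication check runs before any routing decision, and the authorization table is consulted by path with no default-allow branch, so adding a new administrative endpoint without a policy entry fails closed instead of open.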

Broader Context: SD-WAN as Attack Surface

Six SD-WAN zero-days in five months reflect a sustained campaign against network management infrastructure. SD-WAN adoption accelerated during the remote work transition, and many deployments carry technical debt: default credentials, unpatched controllers, and management interfaces exposed to the internet.

The pattern matches what CISA has warned about in its Secure by Design guidance: network management planes should be treated as high-value targets with the same security rigor as identity providers.

What Teams Should Do

  1. Patch immediately. Cisco released fixes for all affected versions.
  2. Audit SD-WAN controller access. Management interfaces should not be internet-facing. Network segmentation and MFA for administrative access are baseline controls.
  3. Monitor for configuration drift. Unexpected routing changes, new tunnel configurations, or policy modifications on SD-WAN devices are indicators of compromise.
  4. Review CISA KEV. If your organization runs any network management infrastructure, the KEV catalog is the minimum vulnerability priority list.
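Step 3 is the one most teams have no tooling for. The added example below (not Cisco's or Deva's tooling) compares a known-good baseline against a current export of a device's routing, tunnel and policy state, and reports every addition, removal or field change as a finding. Both snapshots are constructed JSON in an illustrative shape; a real baseline would be the export taken right after the last approved change window.

```python
"""Configuration-drift detection for SD-WAN device state (added example).

Not Cisco's tooling and not Deva's. Both snapshots below are constructed;
the key names are illustrative, not a vendor export format.
"""
import json
from typing import Any, Dict, List

# Constructed known-good baseline.
BASELINE = json.loads("""
{
  "routes":   [{"prefix": "10.10.0.0/16", "next_hop": "192.0.2.1"},
               {"prefix": "10.20.0.0/16", "next_hop": "192.0.2.2"}],
  "tunnels":  [{"name": "hub1-ipsec", "peer": "203.0.113.10", "color": "mpls"}],
  "policies": [{"name": "branch-default", "action": "permit", "match": "any"}]
}
""")

# Constructed current snapshot: one route re-pointed, one new tunnel to an
# unknown peer, and the default policy changed from permit to redirect.
CURRENT = json.loads("""
{
  "routes":   [{"prefix": "10.10.0.0/16", "next_hop": "192.0.2.1"},
               {"prefix": "10.20.0.0/16", "next_hop": "198.51.100.9"}],
  "tunnels":  [{"name": "hub1-ipsec", "peer": "203.0.113.10", "color": "mpls"},
               {"name": "svc-tun0", "peer": "198.51.100.77", "color": "biz-internet"}],
  "policies": [{"name": "branch-default", "action": "redirect", "match": "any",
                "to": "198.51.100.77"}]
}
""")

# The field that identifies an item within each section.
KEY_FIELD = {"routes": "prefix", "tunnels": "name", "policies": "name"}


def _index(items: List[Dict[str, Any]], key: str) -> Dict[str, Dict[str, Any]]:
    """Map identity -> object so list order in the export does not matter."""
    return {item[key]: item for item in items}


def detect_drift(baseline: Dict[str, Any], current: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per added, removed or changed item, section by section."""
    findings = []
    for section, key in KEY_FIELD.items():
        before = _index(baseline.get(section, []), key)
        after = _index(current.get(section, []), key)
        for ident in sorted(set(before) | set(after)):
            if ident not in before:
                findings.append({"section": section, "id": ident,
                                 "change": "added", "after": after[ident]})
            elif ident not in after:
                findings.append({"section": section, "id": ident,
                                 "change": "removed", "before": before[ident]})
            elif before[ident] != after[ident]:
                # Report only the fields that differ, as (old, new) pairs;
                # a field present on one side only shows up as None.
                names = set(before[ident]) | set(after[ident])
                changed = {f: (before[ident].get(f), after[ident].get(f))
                           for f in sorted(names)
                           if before[ident].get(f) != after[ident].get(f)}
                findings.append({"section": section, "id": ident,
                                 "change": "changed", "fields": changed})
    return findings


def summarize(findings: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count findings per section, for a quick triage line or alert body."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["section"]] = counts.get(f["section"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect_drift(BASELINE, CURRENT):
        print(json.dumps(f))
    print(summarize(detect_drift(BASELINE, CURRENT)))
```

Run on a schedule against a fresh export, any non-empty result that does not correspond to a change ticket is the signal the checklist describes; a re-pointed next hop and a new tunnel to an unfamiliar peer are exactly what a compromised controller would push.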

How Deva Handles Network Infrastructure

Deva's infrastructure scanning preset includes checks for known vulnerable network management platforms in IaC templates (Terraform, CloudFormation). CVE-2026-20182 is flagged when Cisco SD-WAN Controller versions appear in deployment configurations. The CISA KEV integration ensures newly added vulnerabilities are surfaced within hours of catalog updates.
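Cross-referencing the KEV catalog against an asset inventory is something any team can do without a product. The added example below is not Deva's integration or CISA's tooling: KEV_FEED is a constructed excerpt in the shape of CISA's published JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), populated with the CVE-2026-20182 dates stated in this post plus a placeholder entry, and the inventory rows are invented. It reports each matching asset with days remaining to the KEV due date, internet-facing assets first.

```python
"""Match an asset inventory against a KEV-shaped feed (added example).

Not Deva's code and not CISA's. KEV_FEED is a constructed excerpt using the
field names of CISA's known_exploited_vulnerabilities.json; the second entry
is an obvious placeholder. INVENTORY rows are invented.
"""
import json
from datetime import date
from typing import Any, Dict, List

KEV_FEED = json.loads("""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-2026-20182", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Controller",
     "vulnerabilityName": "Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability",
     "dateAdded": "2026-05-14", "dueDate": "2026-05-17",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-PLACEHOLDER-0001", "vendorProject": "ExampleVendor",
     "product": "Example Router OS",
     "vulnerabilityName": "placeholder entry for a different product",
     "dateAdded": "2026-04-01", "dueDate": "2026-04-22",
     "requiredAction": "placeholder"}
  ]
}
""")

# Constructed inventory. Vendor/product strings are deliberately inconsistent
# in case to show why matching must normalize.
INVENTORY = [
    {"asset": "sdwan-ctrl-01", "vendor": "Cisco",
     "product": "Catalyst SD-WAN Controller", "exposure": "internal"},
    {"asset": "sdwan-ctrl-02", "vendor": "cisco",
     "product": "catalyst sd-wan controller", "exposure": "internet"},
    {"asset": "edge-fw-03", "vendor": "ExampleVendor",
     "product": "Example Firewall", "exposure": "internet"},
]


def _norm(s: str) -> str:
    return " ".join(s.lower().split())


def kev_matches(feed: Dict[str, Any], inventory: List[Dict[str, str]],
                today: date) -> List[Dict[str, Any]]:
    """Return (asset, KEV entry) pairs with days left to the KEV due date.

    Vendor must match exactly after normalization; product matches when one
    string contains the other, since KEV product names are coarser than CMDB
    entries. Negative days_left means the due date has passed.
    """
    hits = []
    for asset in inventory:
        for vuln in feed["vulnerabilities"]:
            if _norm(asset["vendor"]) != _norm(vuln["vendorProject"]):
                continue
            a, k = _norm(asset["product"]), _norm(vuln["product"])
            if a not in k and k not in a:
                continue
            due = date.fromisoformat(vuln["dueDate"])
            hits.append({"asset": asset["asset"], "exposure": asset["exposure"],
                         "cveID": vuln["cveID"], "dueDate": vuln["dueDate"],
                         "days_left": (due - today).days})
    # Internet-facing assets first, then the least time remaining.
    hits.sort(key=lambda h: (h["exposure"] != "internet", h["days_left"]))
    return hits


if __name__ == "__main__":
    for h in kev_matches(KEV_FEED, INVENTORY, date(2026, 5, 15)):
        print(json.dumps(h))
```

The product-name containment rule is the weak point: KEV names products coarsely and CMDBs are free text, so review the matches rather than acting on them blindly, and add version information from the vendor advisory when deciding whether a specific controller is actually affected (KEV carries no version ranges).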


Matthew Conrad

Threat research, application security analysis, and defensive engineering insights from the DevSecCode team.
