CVE-2026-20182
A CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Manager and Controller, exploited by UAT-8616; CISA KEV added 14 May 2026 with Emergency Directive ED 26-03.
Last refreshed: 20 May 2026
CVSS 10.0, three-day deadline, sixth Cisco SD-WAN CVE in 2026; how many SD-WAN management planes remain exposed?
- What is CVE-2026-20182 in Cisco SD-WAN?
- CVE-2026-20182 is a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Manager and Controller. An attacker can claim to be a legitimate SD-WAN device on DTLS port 12346 without valid credentials, gaining full access to the SD-WAN management plane. UAT-8616, a China-linked threat cluster, was confirmed exploiting it as of 14 May 2026. Source: CISA / Help Net Security
- What is CISA Emergency Directive ED 26-03?
- ED 26-03 is a CISA emergency directive issued on 14 May 2026 requiring federal civilian agencies to remediate Cisco SD-WAN CVE-2026-20182 within three days (by 17 May 2026). It is one of the shortest federal remediation windows issued under emergency directive authority. Source: CISA
- Am I vulnerable to CVE-2026-20182 if I use Cisco SD-WAN?
- CVE-2026-20182 requires the vdaemon DTLS port 12346 to be accessible. Cisco's hardening guides explicitly recommend against exposing this port to untrusted networks. Organisations that followed Cisco's deployment guidance would not have an internet-facing vdaemon surface. All SD-WAN Manager and Controller instances should be assessed against Cisco's published hardening configuration. Source: Cisco Talos
Background
CVE-2026-20182 is a CVSS 10.0 authentication bypass vulnerability in Cisco Catalyst SD-WAN Manager and Controller, affecting the vdaemon service over DTLS port 12346. The flaw allows a peer device to claim vHub status without certificate verification, gaining authenticated access to the SD-WAN management plane. CISA added it to the Known Exploited Vulnerabilities catalogue on 14 May 2026 and simultaneously issued Emergency Directive ED 26-03 with a three-day federal remediation window expiring on 17 May. The three-day window is among the shortest ever issued under ED authority, reflecting CISA's assessment of exploitation velocity.
UAT-8616 is the confirmed exploiting actor. Post-compromise activity includes SSH key injection, NETCONF configuration manipulation, account creation, and log clearing, achieving persistent access to the SD-WAN management plane. The actor also chains CVE-2022-20775 via software-version downgrade for root escalation. CVE-2026-20182 is the sixth Cisco SD-WAN CVE exploited and catalogued in 2026, representing a sustained adversary investment in a product family that controls traffic routing and encryption keys across enterprise WAN overlays.
The vdaemon DTLS port 12346 was designed for high-performance SD-WAN tunnel establishment with throughput prioritised over strict authentication. The authentication bypass window reflects an architectural trade-off made at design time that is structurally difficult to close without protocol re-architecture. For defenders, Cisco's own hardening guides warn against exposing the DTLS port to the internet; CVE-2026-20182 is critically severe only in configurations where that guidance was not followed.
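To support the exposure assessment described above, here is an added example (not code from Cisco, CISA or the sources cited on this page) that audits an ordered, first-match rule list for permit rules letting sources outside an allowlist reach UDP 12346. The rule shape, the `exposed_rules` helper, and all addresses are assumptions constructed for illustration; export real ACLs or security-group rules into this shape before running it.

```python
import ipaddress

VDAEMON_PORT = 12346  # vdaemon DTLS port named on the page; DTLS runs over UDP

# Constructed sample: ordered first-match rules in a hypothetical, vendor-neutral shape.
SAMPLE_RULES = [
    {"action": "permit", "proto": "udp", "src": "192.0.2.0/28", "ports": (12346, 12346)},
    {"action": "deny", "proto": "udp", "src": "198.51.100.0/24", "ports": (12346, 12346)},
    {"action": "permit", "proto": "udp", "src": "198.51.100.7/32", "ports": (12346, 12346)},
    {"action": "permit", "proto": "tcp", "src": "0.0.0.0/0", "ports": (443, 443)},
    {"action": "permit", "proto": "any", "src": "0.0.0.0/0", "ports": (0, 65535)},
    {"action": "permit", "proto": "udp", "src": "203.0.113.0/24", "ports": (12000, 13000)},
]
TRUSTED_PEERS = ["192.0.2.0/28"]  # constructed allowlist of known SD-WAN peers


def _covers_vdaemon(rule):
    """True if the rule matches UDP traffic to the vdaemon port."""
    low, high = rule["ports"]
    return rule["proto"] in ("udp", "any") and low <= VDAEMON_PORT <= high


def _within(net, candidates):
    """True if `net` lies entirely inside one of `candidates` (same IP version)."""
    return any(net.version == c.version and net.subnet_of(c) for c in candidates)


def exposed_rules(rules, trusted_cidrs):
    """Return (index, src) for permit rules that let untrusted sources reach udp/12346.

    A permit is skipped when an earlier deny fully covers its source (first match
    wins) or when its source sits inside the allowlist. Partial overlaps are still
    reported, so the result errs towards flagging.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    earlier_denies, findings = [], []
    for index, rule in enumerate(rules):
        if not _covers_vdaemon(rule):
            continue
        src = ipaddress.ip_network(rule["src"])
        if rule["action"] == "deny":
            earlier_denies.append(src)
        elif not _within(src, earlier_denies) and not _within(src, trusted):
            findings.append((index, rule["src"]))
    return findings


if __name__ == "__main__":
    for index, src in exposed_rules(SAMPLE_RULES, TRUSTED_PEERS):
        print(f"rule {index}: {src} can reach udp/{VDAEMON_PORT}")
```

On the constructed sample, the broad any/any permit and the wide UDP port range are reported, while the permit shadowed by an earlier deny and the allowlisted peer range are not.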