
CVE-2026-20182
A CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Manager and Controller, exploited by UAT-8616; CISA KEV added 14 May 2026 with Emergency Directive ED 26-03.
Last refreshed: 20 May 2026 · Appears in 1 active topic
CVSS 10.0, three-day deadline, sixth Cisco SD-WAN CVE in 2026; how many SD-WAN management planes remain exposed?
Timeline for CVE-2026-20182
Cisco tops a five-vendor KEV batch
Cybersecurity: Threats and DefencesWeaponised to deliver Cobalt Strike, miners and Sodinokibi onto compromised hosts
Cybersecurity: Threats and Defences: WebLogic flaw revived as ransomware vectorMentioned in: AI orchestration flaw joins CISA's KEV
Cybersecurity: Threats and DefencesUAT-8616 keeps Cisco SD-WAN under fire
Cybersecurity: Threats and DefencesMentioned in: Patch Tuesday clean streak hides out-of-band KEVs
Cybersecurity: Threats and DefencesWhat is CVE-2026-20182 in Cisco SD-WAN?
What is CISA Emergency Directive ED 26-03?
Am I vulnerable to CVE-2026-20182 if I use Cisco SD-WAN?
Background
CVE-2026-20182 is a CVSS 10.0 authentication bypass vulnerability in Cisco Catalyst SD-WAN Manager and Controller, affecting the vdaemon service over DTLS port 12346. The flaw allows a peer device to claim vHub status without certificate verification, gaining authenticated access to the SD-WAN management plane. CISA added it to the Known Exploited Vulnerabilities catalogue on 14 May 2026 and simultaneously issued Emergency Directive ED 26-03 with a three-day federal remediation window expiring on 17 May. The three-day window is among the shortest ever issued under ED authority, reflecting CISA's assessment of exploitation velocity.
UAT-8616 is the confirmed exploiting actor. Post-compromise activity includes SSH key injection, NETCONF configuration manipulation, account creation, and log clearing, achieving persistent access to the SD-WAN management plane. The actor also chains CVE-2022-20775 via software-version downgrade for root escalation. CVE-2026-20182 is the sixth Cisco SD-WAN CVE exploited and catalogued in 2026, representing a sustained adversary investment in a product family that controls traffic routing and encryption keys across enterprise WAN overlays.
The vdaemon DTLS port 12346 was designed for high-performance SD-WAN tunnel establishment with throughput prioritised over strict authentication. The authentication bypass window reflects an architectural trade-off made at design time that is structurally difficult to close without protocol re-architecture. For defenders, Cisco's own hardening guides warn against exposing the DTLS port to the internet; CVE-2026-20182 is critically severe only in configurations where that guidance was not followed.