[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpKnYfHWtmvXhn9deiVWtkSTUkfkNiiqRJ-xPyEGY-KY":3},{"article":4,"iocs":55},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"44b2ee87-d276-4d77-b9d7-ec541dcff4f9","Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks","cisco-warns-of-new-critical-sd-wan-flaw-exploited-in-zero-day-attacks-21a961","Cisco is warning that a critical Catalyst SD-WAN Controller authentication bypass flaw, tracked as CVE-2026-20182, was actively exploited in zero-day attacks that allowed attackers to gain administrative privileges on compromised devices. [...]","Cisco disclosed CVE-2026-20182, a critical authentication bypass flaw in Catalyst SD-WAN Controller and Manager (CVSS 10.0) that was actively exploited in zero-day attacks to gain administrative privileges. Attackers could bypass peering authentication to register rogue devices in SD-WAN fabrics, potentially enabling lateral network movement. CISA mandated federal agency patching by May 17, 2026, and Cisco released security updates with mitigation guidance.","Cisco patches critical SD-WAN Controller authentication bypass (CVE-2026-20182) exploited in active zero-day attacks.","Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks By Lawrence Abrams May 14, 2026 04:09 PM 0 Cisco is warning that a critical Catalyst SD-WAN Controller authentication bypass flaw, tracked as CVE-2026-20182, was actively exploited in zero-day attacks that allowed attackers to gain administrative privileges on compromised devices. CVE-2026-20182 has a maximum severity of 10.0 and impacts Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager in on-prem and SD-WAN Cloud deployments. In an advisory published today, Cisco said the issue stems from a peering authentication mechanism that \"is not working properly.\" \"This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system,\" reads the Cisco CVE-2026-20182 advisory. \"A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.\" Cisco Catalyst SD-WAN is a software-based networking platform that connects branch offices, data centers, and cloud environments through a centrally managed system. It uses a controller to securely route traffic between sites over encrypted connections. The company says it detected threat actors exploiting the flaw in May, but did not share any details regarding how it was exploited. However, shared indicators of compromise (IOCs) warn admins to check for unauthorized peering events in the SD-WAN Controller logs, which could indicate attempts to register rogue devices within the SD-WAN fabric. By adding a rogue peer, an attacker could insert a malicious device into the SD-WAN environment that appears legitimate. That device could then establish encrypted connections and advertise networks under the attacker's control, potentially allowing them to move deeper into an organization's network. The flaw was discovered by Rapid7 while researching a different Cisco SD-WAN controller vulnerability, tracked as CVE-2026-20127, which was fixed in February. CVE-2026-20127 was also exploited in zero-day attacks by a threat actor tracked as \"UAT-8616\" since 2023 to create rogue peers in organizations. Cisco has released security updates to address the vulnerability and says there are no workarounds that fully mitigate the issue. The company also recommends restricting access to SD-WAN management and control-plane interfaces to trusted internal networks or to authorized IP addresses only, and reviewing authentication logs for suspicious login activity. CISA has added the Cisco CVE-2026-20182 flaw to the Known Exploited Vulnerabilities Catalog, ordering federal agencies to patch affected devices by May 17, 2026. Indicators of compromise Cisco is urging organizations to review logs from any internet-exposed Catalyst SD-WAN Controller systems for events that may indicate unauthorized access or peering events. The company says that admins should review \u002Fvar\u002Flog\u002Fauth.log for entries showing \"Accepted publickey for vmanage-admin\" from unknown IP addresses: 2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from port [REDACTED PORT] ssh2: RSA SHA256:[REDACTED KEY] Administrators should compare IP addresses in logs with the configured System IPs listed in the Cisco Catalyst SD-WAN Manager web UI, under WebUI > Devices > System IP. If an unknown IP address successfully authenticated, administrators should consider the device to be compromised and open a Cisco TAC case. Cisco also recommends reviewing SD-WAN Controller logs for unauthorized peering activity, as attackers may attempt to register rogue devices within the SD-WAN fabric. Jul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanagepeer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005 Cisco strongly recommends upgrading to a fixed software release, as this is the only way to fully remediate CVE-2026-20182. The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.This guide covers the 6 surfaces you actually need to validate. Download Now Related Articles: Ivanti fixes EPMM zero-days chained in code execution attacksCISA flags new SD-WAN flaw as actively exploited in attacksTrend Micro warns of Apex One zero-day exploited in the wildMicrosoft warns of new Defender zero-days exploited in attacksHackers bypass SonicWall VPN MFA due to incomplete patching","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcisco-warns-of-new-critical-sd-wan-flaw-exploited-in-zero-day-attacks\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2024\u002F07\u002F18\u002FCisco.jpg","2026-05-14T20:09:56+00:00","2026-05-14T22:00:11.160564+00:00",9,[18,21,24,26,29,31],{"name":19,"type":20},"Cisco","vendor",{"name":22,"type":23},"Catalyst SD-WAN Controller","product",{"name":25,"type":23},"Catalyst SD-WAN Manager",{"name":27,"type":28},"UAT-8616","threat_actor",{"name":30,"type":20},"Rapid7",{"name":32,"type":33},"NETCONF","technology","574f766a-fb3f-487c-8d2c-0720ae75471b",{"id":34,"icon":36,"name":37,"slug":38},null,"Zero-day","zero-day",[40,45,50],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":46},{"id":47,"icon":36,"name":48,"slug":49},"80544778-fabb-4dcd-aa35-17492e5dcf4f","Vulnerabilities","vulnerabilities",{"category":51},{"id":52,"icon":36,"name":53,"slug":54},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[56,60,63,67],{"type":57,"value":58,"context":59},"cve","CVE-2026-20182","Critical authentication bypass in Cisco Catalyst SD-WAN Controller, actively exploited in zero-day attacks",{"type":57,"value":61,"context":62},"CVE-2026-20127","Related SD-WAN Controller vulnerability fixed in February, also exploited by UAT-8616 since 2023",{"type":64,"value":65,"context":66},"mitre_attack","T1556 (Modify Authentication Process)","Authentication bypass via peering mechanism manipulation",{"type":64,"value":68,"context":69},"T1078 (Valid Accounts)","Attacker logs in as high-privileged vmanage-admin account"]