Critical | Known exploited (KEV) | CVE-2026-20182

Authentication bypass in Cisco Catalyst SD-WAN (CVE-2026-20182) — admin access without authentication, a perfect CVSS 10.0

Cisco Catalyst SD-WAN | Added to KEV: May 14, 2026 | Federal remediation due: 2026-05-17

Cisco's SD-WAN products, Catalyst SD-WAN Controller and Manager, have an authentication-bypass vulnerability that lets an unauthenticated remote attacker obtain administrative privileges. The CVSS score is a perfect 10.0 (Critical). CISA listed it as known-exploited (KEV) and issued Emergency Directive 26-03.

Key facts

  • CVE ID: CVE-2026-20182
  • CVSS base score: 10 CRITICAL
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Affected (vendor / product): Cisco Catalyst SD-WAN
  • CWE: CWE-287
  • Exploitation: Listed in CISA KEV (exploitation confirmed)
  • Remediation due: 2026-05-17 (U.S. federal civilian agencies, BOD 22-01)

Key points

  • Authentication bypass (CWE-287) in Cisco Catalyst SD-WAN Controller/Manager
  • An unauthenticated remote attacker obtains admin privileges, which amounts to seizing the network control center
  • CVSS is a perfect 10.0 (Critical). It is listed in CISA KEV, meaning exploitation is confirmed
  • CISA issued Emergency Directive 26-03 and hunt-and-hardening guidance
  • Response: assess exposure and mitigate per the directive/guidance. The deadline was short: May 17, 2026

CVE-2026-20182 is an authentication-bypass vulnerability (CWE-287: improper authentication) in Cisco Catalyst SD-WAN Controller and Manager. It was added to CISA's KEV catalog on May 14, 2026.

Per NVD, an unauthenticated remote attacker can bypass authentication and obtain administrative privileges on an affected system. It is a near-worst-case flaw: network-reachable, low attack complexity, no privileges required, with maximum impact to confidentiality, integrity, and availability and impact spilling over to other components.

An SD-WAN Controller/Manager is the "control center" that centrally manages an enterprise's wide-area network. Seizing it without authentication could let an attacker alter network configuration or manipulate traffic — operations that ripple across the whole organization. Given the severity, CISA went beyond a standard KEV listing and issued Emergency Directive 26-03, requiring assessment of exposure, risk reduction, and adherence to hunt-and-hardening guidance.

Key response: follow CISA's Emergency Directive 26-03 and its hunt-and-hardening guidance for SD-WAN devices (URLs in the KEV Notes) to assess exposure and mitigate. For cloud services, follow BOD 22-01, and discontinue use if mitigations are unavailable. The federal civilian remediation deadline was short: May 17, 2026.

Why it matters

This is a perfect-10.0 authentication bypass on a network control plane, serious enough for the U.S. government to issue an emergency directive. Organizations running SD-WAN should immediately inventory external exposure, mitigate, and hunt for compromise. It is also a prompt to revisit priority patching of perimeter and control devices.

FAQ

How severe is CVSS 10.0?
It is the maximum CVSS value: network-reachable, no privileges required, low attack complexity, maximum impact to confidentiality, integrity, and availability, with impact spilling to other systems (Scope: Changed).

What is an Emergency Directive?
A binding directive CISA issues to federal civilian agencies for especially serious threats. Here, ED 26-03 requires exposure assessment, risk reduction, and compromise hunting.

What should I do?
Follow CISA's Emergency Directive 26-03 and the SD-WAN hunt-and-hardening guidance to assess exposure and mitigate. Consider discontinuing use if you cannot mitigate.

Sources (primary)

This article is an independent summary based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.
