The Cybersecurity and Infrastructure Security Agency (CISA) on May 14 added a maximum-severity 10.0 authentication bypass flaw in Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog.

CISA added the flaw to the KEV after Cisco Talos reported in a blog post that the SD-WAN controller flaw was being actively exploited and that Cisco attributed the activity with "high confidence" to UAT-8616, an alleged China-nexus group that has been targeting Cisco SD-WAN gear since at least 2023.

Cisco also released a patch for the new vulnerability, explaining that the flaw exists because the peering authentication mechanism in an affected system does not work properly.

Kevin E. Greene, chief cybersecurity technologist for public sector at BeyondTrust, said the CVSS 10.0 rating on CVE-2026-20182 is accurate and should drive immediate prioritization by security teams. However, Greene said the more important signal is the vulnerability class itself: authentication bypass on network management infrastructure is the highest-value target seen in threat actors' playbooks because it eliminates every friction point between external access and administrative control of the privilege plane.

"Threat actors are shifting to mobile device management, edge devices, and network infrastructure components because they govern everything below them," explained Greene. "Think about it this way: If you can compromise the management plane, you can own everything it manages, and owning everything it manages is the ideal condition for plane jumping."

Darren Guccione, co-founder and CEO at Keeper Security, added that active exploitation of critical network infrastructure by a reported state-aligned threat actor is exactly the scenario that demands a mature, identity-first approach to access governance.

Guccione said CVE-2026-20182 carries a maximum severity score of 10.0 for good reason: an unauthenticated remote attacker can bypass authentication entirely and assume administrative control of the network control plane, determining how the entire environment routes traffic, enforces policy and manages access.

"CISA has mandated that federal civilian agencies remediate within three days, a timeline that reflects the severity of active, in-the-wild exploitation attributed to UAT-8616, the same state-aligned threat cluster responsible for a prior authentication bypass against the same Cisco SD-WAN product line," said Guccione. "The consistency of the target, the tactic and the outcome is the signal. This actor has identified a reliable attack surface and is committed to it."

Rogier Fischer, co-founder and CEO at Hadrian, said that while multiple vulnerabilities have surfaced in edge connectivity platforms this year, this latest Cisco SD-WAN flaw stands out not only because of its critical rating and the potential for unauthenticated administrative control, but because it was discovered in the midst of investigating earlier exploitation. Fischer said that signals attackers have deeper operational knowledge of Cisco SD-WAN internals: they have likely reverse-engineered components and mapped authentication flows.

"From a hacker's perspective this is a logical move. SD-WAN control planes are strategic targets, and investing the effort to know them inside and out is clearly paying dividends," said Fischer. "This is a reminder that when attackers understand system architecture deeply, vendors can't just release a patch for a single flaw; they need to harden the management plane and review the trust relationships."
10.0 Cisco Catalyst SD-WAN Controller bug added to CISA’s KEV list