Cisco Catalyst SD-WAN CVE-2026-20182: KEV Control-Plane Exposure

Suspected
Discovered May 26, 2026

CISA added Cisco Catalyst SD-WAN CVE-2026-20182 to KEV on 2026-05-14. Cisco confirmed limited exploitation, published fixed releases, and documented vmanage-admin authentication and anomalous control-connection evidence for compromise review.

0
Affected Packages
0
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script

Analysis

Executive Summary

CISA added CVE-2026-20182 to KEV on 2026-05-14 with due date 2026-05-17 CISA KEV opens in a new tab. Cisco describes an authentication bypass affecting Catalyst SD-WAN Controller and Catalyst SD-WAN Manager. Successful exploitation creates access as an internal, high-privileged, non-root account on a Controller; that account can access NETCONF and manipulate SD-WAN fabric configuration Cisco opens in a new tab.

Cisco reported limited exploitation in May 2026. This article uses Cisco's fixed-release table and CVE-specific authentication and control-connection indicators, supplemented by CISA ED 26-03's broader SD-WAN hunt artifacts Cisco opens in a new tab, CISA Supplemental Direction opens in a new tab.

Key Facts

Cve: CVE-2026-20182

Vendor: Cisco

Product: Catalyst SD-WAN Controller and Catalyst SD-WAN Manager

Kev Added: 2026-05-14

Kev Due: 2026-05-17

Vulnerability: Authentication bypass to administrative privileges

Cwe:

  • CWE-287

Cvss V31: 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerable Product Scope: Controller and Manager across on-prem, Cloud-Pro, Cisco-managed cloud, and FedRAMP deployments

First Fixed Releases:

  • 20.9: 20.9.9.1
  • 20.10: 20.12.7.1
  • 20.11: 20.12.7.1
  • 20.12: 20.12.5.4,20.12.6.2,20.12.7.1
  • 20.13: 20.15.5.2
  • 20.14: 20.15.5.2
  • 20.15: 20.15.4.4,20.15.5.2
  • 20.16: 20.18.2.2
  • 20.18: 20.18.2.2
  • 26.1: 26.1.1.1
  • cloud_managed: 20.15.506

Exploitation Status: limited exploitation confirmed by Cisco; CISA KEV and ED 26-03

Evidence Assessment

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceRemediation triggerClosure condition
Confirmed compromiseExported Cisco SD-WAN artifacts show rogue peering, root SSH, downgrade/reversion, anomalous users, or log clearing on a vulnerable deployment.Fixed-release comparison plus artifact lines from CISA selectors.Preserve vManage/vSmart/vBond artifacts and deploy fresh patched OVA/QCOW2 images when root compromise is identified per CISA guidance.Fixed release is verified and artifact hunt has no unresolved root, rogue peer, downgrade, or log-clearing evidence.
Presumed exposedCatalyst SD-WAN Controller or Manager runs below Cisco's first fixed release for its train.Product export, scanner row, or admin UI export with exact release.Keep the control plane in scope until fixed-release proof exists.Version verifier returns a fixed release for the train.
Potentially exposedCatalyst SD-WAN appears in inventory but release, deployment type, or artifact export is missing.CMDB, scanner, device export, or service evidence.Collect release and artifact bundle evidence.Asset resolves to confirmed compromise, presumed exposed, not exposed, or unknown.
Not exposedNo Controller/Manager asset exists, or release is at a Cisco fixed release.Negative inventory or fixed-release output.None for this CVE.Evidence is attached to the control-plane asset record.
UnknownRelease or device artifacts are unavailable.Gap statement naming unavailable assets or exports.Keep SD-WAN management/control-plane assets in scope.Evidence is recovered or the risk owner accepts the named gap.

What Happened

Cisco's advisory scopes the vulnerable products to Catalyst SD-WAN Controller and Manager across all deployment types. Cisco's CVE-specific review starts with /var/log/auth.log entries for Accepted publickey for vmanage-admin from an unknown address, validation of control-plane peers, and show control connections detail or history output showing an established connection with no challenge-ack. CISA's supplemental direction adds broader host triage for downgrade/reversion, SSH abuse, anomalous users, and log clearing.

Technical Analysis

The flaw is in control-connection peering authentication. Crafted requests can produce a high-privilege Controller session with NETCONF access, enabling SD-WAN fabric configuration changes. Preserve an admin-tech bundle from every control component before upgrading. CISA's broader guidance names artifacts under /var/volatile/log, /var/log/tmplog, /home/*/.ssh, /etc/ssh/sshd_config, /var/log/wtmp, /var/log/btmp, and /etc/passwd. The scripts below operate on exported artifacts and release inventory to avoid requiring live device credentials. [1]

Affected Assets and Blast Radius

Asset Selectors:

  • Cisco Catalyst SD-WAN Controller
  • Cisco Catalyst SD-WAN Manager
  • vManage
  • CVE-2026-20182

Control Plane Artifacts:

  • /var/volatile/log/vdebug
  • /var/log/tmplog/vdebug
  • /var/volatile/log/sw_script_synccdb.log
  • /home/vmanage-admin/.ssh/authorized_keys
  • /home/root/.ssh/authorized_keys
  • /etc/ssh/sshd_config
  • /var/log/wtmp
  • /var/log/btmp
  • /etc/passwd

Highest Value Audit Targets:

  • Accepted publickey for vmanage-admin from an unknown or unauthorized address
  • unexpected vmanage control-plane peers
  • state:up with challenge-ack 0 in control-connection detail
  • root SSH access
  • authorized_keys changes
  • rogue control-plane peering
  • version downgrade and application reversion
  • zero-byte wtmp, lastlog, or bash history

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Remediation and Closure

The following Python script is provided to scan, verify, or query the system telemetry:

#!/usr/bin/env python3
import csv
import json
import os
import re
import sys
from pathlib import Path

ASSET_EXPORT = Path(os.environ.get("ASSET_EXPORT", sys.argv[1] if len(sys.argv) > 1 else "sdwan-assets.csv")).resolve()
OUT = Path(os.environ.get("OUT", "hp-cisco-sdwan-cve-2026-20182-closure")).resolve()
CVE = "CVE-2026-20182"
FIXED = ["20.9.9.1", "20.12.5.4", "20.12.6.2", "20.12.7.1", "20.15.4.4", "20.15.5.2", "20.18.2.2", "26.1.1.1", "20.15.506"]
SOURCE = "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW"

def vt(value):
    return tuple(int(x) for x in re.findall(r"\d+", str(value))[:5])

def ge(left, right):
    l, r = vt(left), vt(right)
    width = max(len(l), len(r), 1)
    return l + (0,) * (width - len(l)) >= r + (0,) * (width - len(r))

def row_iter(path):
    if not path.exists():
        raise SystemExit(f"ASSET_EXPORT not found: {path}")
    if path.suffix.lower() == ".csv":
        with path.open(newline="", encoding="utf-8", errors="ignore") as handle:
            yield from csv.DictReader(handle)
    else:
        data = json.loads(path.read_text(encoding="utf-8", errors="ignore"))
        if isinstance(data, list):
            yield from data
        else:
            for key in ("assets", "devices", "controllers", "managers", "rows"):
                if isinstance(data.get(key), list):
                    yield from data[key]

def closest_fixed(version):
    candidates = [f for f in FIXED if vt(f)[:2] == vt(version)[:2] or vt(f)[0] == vt(version)[0]]
    return candidates[0] if candidates else ""

OUT.mkdir(parents=True, exist_ok=True)
results = []
for idx, row in enumerate(row_iter(ASSET_EXPORT), start=1):
    text = json.dumps(row, sort_keys=True)
    if "Catalyst SD-WAN" not in text and "vManage" not in text and CVE not in text:
        continue
    match = re.search(r"(?<!\d)(20\.\d+\.\d+(?:\.\d+)?|26\.1\.\d+\.\d+)(?!\d)", text)
    version = match.group(1) if match else ""
    fixed_target = closest_fixed(version) if version else ""
    fixed = bool(version and fixed_target and ge(version, fixed_target))
    results.append({"row": idx, "cve": CVE, "source": SOURCE, "detected_release": version, "target_fixed_release": fixed_target, "fixed_release_proven": fixed, "row_data": row})

(OUT / "cisco-sdwan-cve-2026-20182-release-verification.json").write_text(json.dumps(results, indent=2, sort_keys=True), encoding="utf-8")

# Remediation trigger: fixed_release_proven false for any Catalyst SD-WAN Controller or Manager keeps CVE-2026-20182 open.
print(json.dumps({"out": str(OUT), "checked": len(results), "not_closed": [r for r in results if not r["fixed_release_proven"]]}, indent=2))

Downstream Abuse Audits

Compromised workstations expose active API credentials, requiring immediate rotated revocation. The following platforms are at risk:

  • GitHub OIDC and PATs: Attackers harvested SSH private keys and Git Personal Access Tokens. Auditors must inspect recent action runs and release logs during the exposure window.
  • Cloud IAM Credentials: AWS, Azure, and GCP session tokens. CloudTrail and Activity Logs should be queried for AssumeRole or write operations originating from unexpected IP addresses.
  • NPM and Package Registries: Publishing tokens and credentials. Registry profiles must be audited for unauthorized version publishes or token additions.

Sources

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
May 26, 2026Cisco Catalyst SD-WAN CVE-2026-20182: KEV Control-Plane ExposureUnknowncisa.gov
May 26, 2026First seenFirst seen recorded for Cisco Catalyst SD-WAN CVE-2026-20182: KEV Control-Plane Exposure.cisa.gov
May 26, 2026DiscoveryDiscovery recorded for Cisco Catalyst SD-WAN CVE-2026-20182: KEV Control-Plane Exposure.cisa.gov
May 26, 2026DisclosureDisclosure recorded for Cisco Catalyst SD-WAN CVE-2026-20182: KEV Control-Plane Exposure.cisa.gov

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Cisco Catalyst SD-WAN CVE-2026-20182: KEV Control-Plane Exposure?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabcisa.gov

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Cisco Catalyst SD-WAN CVE-2026-20182: KEV Control-Plane Exposure?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-cisco-sdwan-cve-2026-20182-kev-scope"))


# Collect unique indicators
indicators = set()
for group in []:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
cisa.govSecurity Researcher95%4CISA added Cisco Catalyst SD-WAN CVE-2026-20182 to KEV on 2026-05-14. Cisco confirmed limited exploitation, published fixed releases, and documented vmanage-admin authentication and anomalous control-connection evidence for compromise review.
sec.cloudapps.cisco.comSecurity Researcher95%1CISA added Cisco Catalyst SD-WAN CVE-2026-20182 to KEV on 2026-05-14. Cisco confirmed limited exploitation, published fixed releases, and documented vmanage-admin authentication and anomalous control-connection evidence for compromise review.
nvd.nist.govSecurity Researcher95%1CISA added Cisco Catalyst SD-WAN CVE-2026-20182 to KEV on 2026-05-14. Cisco confirmed limited exploitation, published fixed releases, and documented vmanage-admin authentication and anomalous control-connection evidence for compromise review.