Patch now: Cisco’s SD-WAN Controller has a critical auth bypass flaw being exploited to gain admin rights.
- Cisco confirms CVE-2026-20182 is exploited in the wild
- Bug scores 10.0 CVSS severity, highest possible
- Attackers bypass authentication to gain admin access
Cisco issued fixes for a critical authentication bypass flaw in its Catalyst SD-WAN Controller that attackers are already exploiting. The vulnerability, tracked as CVE-2026-20182, sits in the peering authentication system of the SD-WAN Controller—formerly called vSmart—and the SD-WAN Manager, formerly vManage. It lets unauthorized users log in as admins without needing valid credentials.
The flaw earns a perfect 10.0 on the CVSS severity scale, the highest possible rating. Cisco says the bug has been exploited in a small number of attacks, but didn’t share details about victims, timing, or attacker motives. The company warns that successful exploitation could let attackers take full control of affected systems, steal data, or move laterally across networks.
Cisco’s advisory lists two vulnerable products: Catalyst SD-WAN Controller releases earlier than 20.12.5 and Catalyst SD-WAN Manager releases before 20.12.3. The company patched both products in mid-December 2024, and strongly urges admins to update immediately.
Why this flaw is so dangerous
Most network devices check credentials before granting access, but this bug skips that step entirely. Attackers don’t need stolen passwords, phished credentials, or valid tokens—they just exploit how the SD-WAN Controller handles peering authentication. Once inside, they inherit admin rights, letting them reroute traffic, install malware, or eavesdrop on internal communications. The lack of credentials means even well-defended networks can fall victim if they run unpatched software.
Security researchers at The Hacker News first reported the flaw after seeing active exploitation attempts. They noted that the flaw targets a core component used to authenticate SD-WAN devices, making it especially risky for enterprises relying on Cisco’s platform for branch connectivity. The bug’s simplicity and high impact mirror past flaws like CVE-2021-44228 in Log4j, where a single oversight led to massive exploitation worldwide.
Who’s at risk and what to do
Any organization running Cisco’s Catalyst SD-WAN Controller or Manager before the December 2024 updates is vulnerable. That includes enterprises with branch offices, retail chains, hospitals, and government agencies using Cisco’s SD-WAN tech. Attackers could exploit the flaw remotely if the SD-WAN devices are exposed to the internet, though many companies keep them isolated. Cisco’s advisory recommends admins check their device versions immediately and apply updates.
Cisco also suggests admins review firewall rules to restrict access to SD-WAN devices, enable multi-factor authentication where possible, and monitor logs for unusual login attempts. The company didn’t release an official workaround for unpatched systems, so updating is the only reliable fix. For organizations that can’t patch right away, isolating the SD-WAN Controller from untrusted networks is a temporary safeguard.
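The version check recommended above can be scripted across an exported device inventory. This is an added example, not Cisco's or the original article's code: the CSV layout, hostnames and sample versions are constructed, and the only thresholds used are the two fixed releases quoted in this article. It assumes a plain numeric comparison against those releases is sufficient.

```python
import csv
import io

# First fixed release per product, as stated in the article above.
FIXED = {
    "controller": (20, 12, 5),  # Catalyst SD-WAN Controller (formerly vSmart)
    "manager": (20, 12, 3),     # Catalyst SD-WAN Manager (formerly vManage)
}
ALIASES = {"vsmart": "controller", "vmanage": "manager"}  # older product names


def parse_version(text):
    """Turn '20.12.4' or '20.12.4.1' into a tuple of ints; None if unparseable."""
    try:
        parts = tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None
    return parts if len(parts) >= 2 else None


def audit(inventory_csv):
    """Return (hostname, status) pairs: 'patched', 'vulnerable' or 'unknown'."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip().lower()
        fixed = FIXED.get(ALIASES.get(product, product))
        version = parse_version(row["version"])
        if fixed is None or version is None:
            status = "unknown"      # never report an unparsed row as safe
        elif version < fixed:
            status = "vulnerable"
        else:
            status = "patched"
        results.append((row["hostname"], status))
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """hostname,product,version
ctl-hq-01,controller,20.12.4
ctl-dr-01,vSmart,20.12.5
mgr-hq-01,manager,20.12.2.1
mgr-dr-01,vManage,20.12.3
edge-lab,controller,unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host:10} {status}")
```

Rows reported as `unknown` need a manual check; they are deliberately not counted as patched.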
What happens next
Cisco’s quick response—patching within weeks of discovery—helps limit damage, but the flaw highlights a growing trend: attackers targeting SD-WAN infrastructure to bypass traditional security layers. SD-WAN devices often sit at the edge of corporate networks, making them prime targets for espionage or ransomware groups. This incident follows a string of similar flaws in networking gear, including Cisco’s own ASA and Nexus products.
Enterprises should treat this as a wake-up call to audit their SD-WAN deployments. That means checking version numbers, enabling strict access controls, and treating every SD-WAN device as a high-value asset. The cat-and-mouse game between vendors and attackers won’t slow down, and flaws like this one prove that even critical infrastructure isn’t safe from exploitation.
What You Need to Know
- Source: The Hacker News
- Published: May 14, 2026 at 17:45 UTC
- Category: Security
All reporting rights belong to the respective author(s) at The Hacker News. GlobalBR News summarizes publicly available content to help readers discover the most relevant global news.
Curated by GlobalBR News · May 14, 2026
🇧🇷 Summary (translated from Portuguese)
A critical bug in Cisco's network management software is exposing Brazilian companies to cyberattacks that can give intruders full control. The vulnerability, classified as CVE-2026-20182, lets criminals bypass authentication on the Catalyst SD-WAN Controller, a tool widely used by large corporations and internet providers to manage secure connections between branch offices and data centers.
The problem directly affects Brazil, where many organizations rely on SD-WAN solutions to optimize their networks, especially in sectors such as telecom, finance and industry. Digital security specialists warn that, without immediate updates, intruders could assume administrator privileges, steal sensitive data or even take down essential services. Cisco has already released corrective patches, but the risk persists while companies delay applying the fixes, showing once again how negligence in cybersecurity can open the door to incalculable losses.
The expectation now is that companies in Brazil and around the world will speed up the updating of their systems, while cybercriminals are probably already scanning the internet for vulnerable targets: the race against time has already begun.