Critical Cisco SD-WAN Flaw Actively Exploited As Researchers Warn Of Authentication Bypass Risk
A critical vulnerability in Cisco Catalyst SD-WAN Controller is already being exploited by attackers, prompting urgent warnings for organisations using affected systems.
The flaw, tracked as CVE-2026-20182, is an authentication bypass vulnerability with a maximum CVSS severity score of 10.0. If successfully exploited, it could allow an attacker to bypass authentication and gain administrative access to an affected server.
Cisco released a security advisory and software updates for the vulnerability on May 14, 2026, after researchers identified the issue while investigating a separate flaw in the same service. The U.S. Cybersecurity and Infrastructure Security Agency has also added CVE-2026-20182 to its Known Exploited Vulnerabilities catalog, signalling active exploitation and the need for immediate remediation.
Cisco Talos has said the exploitation activity observed so far appears limited, with the activity attributed to a threat actor tracked as UAT-8616. The same actor has previously been linked to exploitation of another Cisco Catalyst SD-WAN vulnerability, CVE-2026-20127.
Researchers at Rapid7 discovered CVE-2026-20182 while examining CVE-2026-20127, which had also been exploited in the wild. Both vulnerabilities involve the vdaemon service, which operates over DTLS, although Rapid7 has stressed that the new flaw is not a patch bypass. Instead, it is a separate vulnerability located in the same area of the daemon networking stack.
The rapid exploitation of CVE-2026-20182 highlights the continuing risk facing organisations that rely on internet-connected network infrastructure. SD-WAN controllers are high-value targets because they sit at the centre of enterprise connectivity, routing and policy enforcement. A successful compromise could give attackers a powerful foothold inside an organisation’s network environment.
Security teams are being urged to apply Cisco’s available updates as soon as possible, review exposure of SD-WAN management infrastructure, inspect logs for unusual peering or authentication activity, and escalate suspected compromise through appropriate incident response channels. Cisco has indicated that software updates are the required fix for affected systems.
The incident is another reminder that cybersecurity skills are no longer optional for IT, networking and business technology teams. As attackers move quickly from disclosure to exploitation, organisations need people who can understand vulnerabilities, respond to threats and harden systems before attackers find the gaps.
For professionals looking to strengthen those capabilities, Hack Academy’s online training programmes offer a practical pathway to upskill in cybersecurity, build defensive knowledge and better prepare for the real-world threats now targeting critical enterprise infrastructure.
