Cisco Catalyst SD-WAN Controller Critical Authentication Bypass Flaw Exploited in Zero-Day Attacks – May 2026
Impact Assessment Rationale
MEDIUM: Admin recalibration. The event has a plausible London Market pathway, but the current evidence does not support HIGH: no confirmed market-moving insured loss, vessel total loss, major closure, quantified claims estimate, reinsurance trigger, or broad pricing/capacity response is evidenced.
Summary
Cisco has issued a warning regarding a critical authentication bypass vulnerability in its Catalyst SD-WAN Controller, tracked as CVE-2026-20182, which has been actively exploited in zero-day attacks. The flaw enables attackers to gain administrative privileges on compromised devices. The exploitation of SD-WAN infrastructure poses significant risks to enterprise and critical infrastructure networks globally, as SD-WAN controllers are widely deployed across corporate and government environments.
This summary is AI-generated from linked source reports and may change as more information becomes available. See our correction policy for how to report errors.
Structured Intelligence
known
- Cisco has officially warned of the vulnerability CVE-2026-20182 affecting Catalyst SD-WAN Controllers.
- The flaw is classified as critical and involves an authentication bypass.
- The vulnerability has been actively exploited in zero-day attacks.
- Exploitation allows attackers to gain administrative privileges on compromised devices.
reported
- The attacks appear to have targeted SD-WAN infrastructure broadly, with global implications.
uncertain
- The identity or attribution of the threat actors exploiting the zero-day is not confirmed in the source.
- The full scope and number of affected organisations is not disclosed.
- Whether a patch or mitigation has been released is not confirmed from the source excerpt.
Sources
Trade Media
- BleepingComputer, 14 May 2026, 20:55
- The Record (Cyber), 18 May 2026, 10:54
Timeline
Status changed to monitoring
Auto-transitioned: no updates for 6 hours
Lifecycle changed
active → monitoring
Status changed to active
remediation: existing active criteria met
Lifecycle changed
developing → active
Impact changed
high → medium
Status changed to developing
Auto-promoted: multiple sources
Corroborating source
The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to apply a patch for an actively exploited vulnerability in Cisco SD-WAN systems by Sunday. The flaw allows an unauthenticated remote attacker to bypass authentication and gain administrative privileges on affected systems. Cisco released a patch on Thursday alongside an advisory disclosing the severity of the vulnerability. The directive signals active exploitation in the wild, raising concerns for critical infrastructure and enterprise network security.
Cisco released a patch for the vulnerability on Thursday, writing in an advisory that it could "allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system."
Source: The Record (Cyber) (Trade Media)
Initial Detection
Cisco is warning that a critical Catalyst SD-WAN Controller authentication bypass flaw, tracked as CVE-2026-20182, was actively exploited in zero-day attacks that allowed attackers to gain administrative privileges on compromised devices.
Source: BleepingComputer (Trade Media)