Cisco disclosed a CVSS 10.0 authentication bypass vulnerability (CVE-2026-20182) in its Catalyst SD-WAN Manager that was being actively exploited before the patch was available. The flaw enables an unauthenticated attacker to access the SD-WAN management interface and inject rogue SD-WAN devices into the managed network fabric, effectively gaining the ability to intercept, reroute, or drop enterprise WAN traffic across any SD-WAN site in the affected deployment. CISA added the vulnerability to the Known Exploited Vulnerabilities catalogue on 14 May with a mandatory remediation deadline for federal agencies.
Technical Detail
Cisco Catalyst SD-WAN Manager (formerly vManage) provides centralised management and orchestration for Catalyst SD-WAN deployments. CVE-2026-20182 is an authentication bypass in the REST API authentication middleware that allows an unauthenticated request to obtain a valid session token under specific API version conditions. With a valid session token, an attacker has full administrative access to the SD-WAN management plane.
The consequence of management plane access in an SD-WAN deployment is severe: an attacker can inject a rogue vEdge or Catalyst router as a legitimate SD-WAN device, and configure policy routing to transparently forward traffic through the attacker-controlled device. This effectively creates an undetectable WAN man-in-the-middle position for any or all traffic flowing across the SD-WAN fabric.
Cisco’s threat intelligence teams observed exploitation prior to patch availability, with targeting focused on financial services and government sector deployments where WAN traffic interception provides intelligence value.
Affected Versions
| Platform | Affected Versions | Fixed Version |
|---|---|---|
| Catalyst SD-WAN Manager | 20.6.x, 20.9.x, 20.12.x prior to fixed release | 20.12.4 and later |
| Cisco vManage (legacy) | All releases prior to migration to Catalyst SD-WAN Manager | Migrate to fixed release |
Why It Matters
CVSS 10.0 is a rare designation reserved for vulnerabilities with the highest theoretical impact: network-accessible, no authentication required, no user interaction, and full system compromise. CVE-2026-20182 earns this rating because the SD-WAN management plane controls the entire WAN topology of an organisation — a compromise of SD-WAN Manager is a compromise of the organisation’s entire wide-area network.
The active exploitation prior to patch availability means that any Cisco Catalyst SD-WAN deployment with the Manager accessible from the internet or from untrusted network segments should be assumed potentially compromised if it was unpatched during the exposure window.
Recommended Actions
- Immediate: Determine if your Cisco Catalyst SD-WAN Manager is exposed to the internet or to untrusted network segments. If so, restrict network access to the management interface immediately pending patch deployment.
- Patch now: Apply the fixed software version. This is a CISA KEV entry with active exploitation — there is no acceptable delay in patching.
- Hunt for indicators: Review SD-WAN Manager audit logs for unexpected API calls, authentication events, and device registration activity from unusual source IPs. Look specifically for device additions made outside normal change management windows.
- Verify device inventory: Audit all registered SD-WAN devices in vManage to confirm each is a legitimate, known device. Remove any device that cannot be reconciled with physical hardware and change control records.
- Network isolation: If patching cannot be completed within 24 hours, isolate the SD-WAN Manager from all network access except a tightly controlled management network with source IP restrictions.
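The audit-log hunt described under "Hunt for indicators" and "Verify device inventory", as an added example that is not Cisco's code or part of the original article. It assumes a constructed `timestamp | source_ip | event | detail` log layout with hypothetical event names (`auth.login.success`, `api.session.create`, `device.register`), an assumed management subnet and an assumed change window; it flags sessions created with no preceding login from that source (the footprint an authentication bypass leaves), and device registrations from non-management addresses or outside the change window.

```python
import ipaddress
from datetime import datetime, time

# Constructed sample lines in a hypothetical "timestamp | source_ip | event | detail"
# layout; the real SD-WAN Manager audit-log format is not reproduced here.
SAMPLE_AUDIT_LOG = """\
2026-05-12T02:14:07Z | 203.0.113.45 | api.session.create | user=admin
2026-05-12T02:15:31Z | 203.0.113.45 | device.register | uuid=CONSTRUCTED-0001 site=17
2026-05-12T10:03:12Z | 10.20.0.15 | auth.login.success | user=netops
2026-05-12T10:04:02Z | 10.20.0.15 | api.session.create | user=netops
2026-05-12T10:05:44Z | 10.20.0.15 | device.register | uuid=CONSTRUCTED-0002 site=3
"""

MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed management subnet
CHANGE_WINDOW = (time(9, 0), time(18, 0))  # assumed change window, UTC

def parse_line(line):
    """Split one audit record into its fields (assumed layout, see above)."""
    ts, ip, event, detail = (part.strip() for part in line.split("|", 3))
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ipaddress.ip_address(ip), "event": event, "detail": detail}

def hunt(log_text, mgmt_nets=MANAGEMENT_NETS, window=CHANGE_WINDOW):
    """Return (timestamp, reason, source_ip) findings for the three hunts."""
    findings = []
    logged_in = set()  # source IPs that produced a successful login so far
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ip, when = rec["ip"], rec["ts"]
        if rec["event"] == "auth.login.success":
            logged_in.add(ip)
        # A session created with no preceding login from that source is the
        # shape an authentication bypass leaves in the log.
        elif rec["event"] == "api.session.create" and ip not in logged_in:
            findings.append((when.isoformat(), "session without prior login", str(ip)))
        elif rec["event"] == "device.register":
            if not any(ip in net for net in mgmt_nets):
                findings.append((when.isoformat(), "device registered from non-management IP", str(ip)))
            if not window[0] <= when.time() <= window[1]:
                findings.append((when.isoformat(), "device registered outside change window", str(ip)))
    return findings

if __name__ == "__main__":
    for ts, reason, ip in hunt(SAMPLE_AUDIT_LOG):
        print(ts, ip, reason)
```

Any device flagged here should then be reconciled against physical hardware and change-control records, as the inventory step above describes.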