CVE-2026-20182

May 15, 2026, 12:45 p.m.

10.0
Critical

Description

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks.  A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

Product(s) Impacted

Vendor Product Versions
Cisco
  • Catalyst Sd-wan Manager
  • Sd-wan Vsmart Controller
  • *, 20.12.7
  • *, 20.12.7

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a cisco catalyst_sd-wan_manager / / / / / / / /
a cisco catalyst_sd-wan_manager / / / / / / / /
a cisco catalyst_sd-wan_manager / / / / / / / /
a cisco catalyst_sd-wan_manager / / / / / / / /
a cisco catalyst_sd-wan_manager / / / / / / / /
a cisco catalyst_sd-wan_manager / / / / / / / /
a cisco catalyst_sd-wan_manager / / / / / / / /
a cisco catalyst_sd-wan_manager 20.12.7 / / / / / / /
a cisco sd-wan_vsmart_controller / / / / / / / /
a cisco sd-wan_vsmart_controller / / / / / / / /
a cisco sd-wan_vsmart_controller / / / / / / / /
a cisco sd-wan_vsmart_controller / / / / / / / /
a cisco sd-wan_vsmart_controller / / / / / / / /
a cisco sd-wan_vsmart_controller / / / / / / / /
a cisco sd-wan_vsmart_controller / / / / / / / /
a cisco sd-wan_vsmart_controller 20.12.7 / / / / / / /

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20182

Tags

CWE-287
[email protected]
2026-05-14
CVE-2026-20182

CVSS Score

10.0 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

    View Vector String

Timeline

Published: May 14, 2026, 5:16 p.m.
Last Modified: May 15, 2026, 12:45 p.m.

Status : Analyzed

CVE has had analysis completed and all data associations made.

More info

Source

[email protected]

Relations

Here is the list of observables linked to the vulnerability CVE-2026-20182 using threat intelligence.

  • Sliver
  • XMRig
  • gsocket
  • KScan
  • AdaptixC2
  • XenShell
  • Nimplant
  • Godzilla
  • Behinder
  • Catalyst SD-WAN
  • Catalyst SD-WAN
  • UAT-8616

Linked Attack Reports

Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities

Cisco Talos tracks active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager, allowing remote attackers to obtain administrative privileges. The exploitation is attributed to UAT-8616, a sophisticated threat actor previously involv…
xmrig
credential theft
sliver
godzilla
behinder
webshells
gsocket
cryptocurrency mining
authentication bypass
cisco
adaptixc2
CVE-2026-20122
CVE-2026-20127
CVE-2026-20128
CVE-2026-20133
2026-05-14
CVE-2026-20182
kscan
nimplant
sd-wan
xenshell
Published: May 14, 2026
Linked vulnerabilities : CVE-2025-20333 (CVSS 9.9), CVE-2025-20362 (CVSS 6.5), CVE-2026-20122 (CVSS 5.4), CVE-2026-20127 (CVSS 10.0), CVE-2026-20128 (CVSS 7.5), CVE-2026-20133 (CVSS 6.5), CVE-2026-20182 (CVSS 10.0)
Downloadable IOCs: 24

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.