The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Cisco Catalyst SD-WAN to its Known Exploited Vulnerabilities catalog.The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Cisco Catalyst SD-WAN, tracked as CVE-2026-20182 (CVSS score of 10.0), to its Known Exploited Vulnerabilities (KEV) catalog.Cisco fixed CVE-2026-20182, a flaw in SD-WAN control connection handshaking and peering authentication in Catalyst SD-WAN Controller (vSmart) and Manager (vManage). An unauthenticated remote attacker can send crafted requests to bypass authentication due to a validation failure. Successful exploitation lets the attacker gain administrative access, obtain a high-privilege internal account, use NETCONF, and modify SD-WAN network configurations across the fabric.“A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.” reads the advisory. “This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”In May 2026, Cisco PSIRT detected limited real-world exploitation of the vulnerability and urges customers to upgrade to a fixed software version to address the issue.Rapid7 researchers said CVE-2026-20182 resembles the previously exploited CVE-2026-20127, another critical authentication bypass in Cisco’s SD-WAN vdaemon service over DTLS on UDP port 12346. Although researchers confirmed the new flaw is not a patch bypass, it affects a similar part of the networking stack and leads to the same result. A remote unauthenticated attacker can exploit the vulnerability to impersonate a trusted peer and perform privileged operations on the targeted appliance.“This new authentication bypass vulnerability affects the “vdaemon” service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026-20127. The new vulnerability is not a patch bypass of CVE-2026-20127. It is a different issue located in a similar part of the “vdaemon” networking stack.” reads the report published by Rapid7, which discovered the issue. “This impact however is the same, a remote unauthenticated attacker can leverage CVE-2026-20182 to become an authenticated peer of the target appliance, and perform privileged operations, such as injecting an attacker controlled public key into the vmanage-admin user account’s authorized SSH keys file. Once this has been performed, a remote unauthenticated attacker can login to the NETCONF service (SSH over TCP port 830) as the vmanage-admin user, and begin to issue arbitrary NETCONF commands.”According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.CISA orders federal agencies to fix the vulnerability by May 17, 2026.Pierluigi PaganiniFollow me on Twitter: @securityaffairs and Facebook and Mastodon(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)