Cisco warns of an actively exploited SD-WAN flaw with max severity


Cisco has disclosed a max-severity authentication bypass vulnerability affecting its Catalyst SD-WAN Controller and Catalyst SD-WAN Manager platforms, warning that the flaw has already been found to be exploited in the wild.

The disclosure follows an earlier authentication bypass vulnerability that Cisco patched in February. In the latest advisory, the company said the new flaw was identified while investigating the previously disclosed issue.

“A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system,” Cisco said in an advisory.

The company also confirmed that it became aware of “limited exploitation” of the flaw in May 2026. However, it did not disclose details about the attacks or the threat actors involved.

The zero-day flaw is now fixed with software updates, and organizations are advised to apply the fixes immediately, as there are no workarounds that address this bug.

Attackers craft a connection for admin access

According to Cisco, the vulnerability stems from improper validation during the authentication process used to establish control connections between SD-WAN devices. It said an attacker could exploit the issue remotely by sending crafted control connection requests to a targeted system.

Successful exploitation would allow the attacker to bypass authentication, establish themselves as a trusted peer, and obtain administrative privileges on the affected device.

“A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account,” Cisco said. “Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”

The issue, tracked as CVE-2026-20182, received a max-severity rating of CVSS 10.0. The company said that the issue is configuration-independent, meaning vulnerable systems remain exposed regardless of deployment-specific settings.

Cisco credited Stephen Fewer, Senior Principal Security Researcher, and Jonah Burgess, Senior Security Researcher, both of Rapid7, for discovering and reporting the bug.

Active exploitation kicks patching into high gear

Cisco disclosed being aware of exploitation attempts in May, urging customers to upgrade to a fixed release immediately.

Shortly after the disclosure, the flaw was added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. “Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available,” it said. The US cybersecurity watchdog has given federal executive agencies until May 17th to patch the flaw.

“Customers are advised to upgrade to an appropriate fixed software release,” Fewer and Burgess said in a blog post, citing fixed software releases that address the flaw in versions 20.9 through 26.1.1. “There are no workarounds that address this vulnerability.”

Alongside the software fixes, Cisco published operational guidance to help organizations identify potentially malicious control connections. The advisory instructed admins to review existing control peering relationships using the “show control connections” command and to validate all connected peers, particularly those associated with SD-WAN Manager systems. Because the flaw lets an attacker authenticate as a trusted peer, a peer that is not in the organization’s inventory, or one claiming a Manager role it was never assigned, is the kind of anomaly that review is meant to surface.

Organizations that suspect compromise are advised to contact Cisco Technical Assistance Center support and collect diagnostic information from affected devices.
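As an added illustration of the peer review Cisco recommends (this is not code from Cisco or Rapid7), the script below parses a constructed, simplified approximation of “show control connections” output and flags any peer whose system IP is absent from a local inventory or whose claimed role (vmanage, vbond, vedge) does not match it; the column layout, the inventory and all addresses are assumptions, and real output carries more columns.

```python
import re
from dataclasses import dataclass

# Constructed sample loosely modelled on the tabular layout of
# "show control connections" on a vSmart; columns reduced for brevity.
SAMPLE_OUTPUT = """\
PEER     PEER  PEER           SITE  PEER
TYPE     PROT  SYSTEM IP      ID    PUBLIC IP       STATE
---------------------------------------------------------
vmanage  dtls  10.1.1.1       100   198.51.100.10   up
vbond    dtls  10.1.1.2       100   198.51.100.11   up
vedge    dtls  10.2.0.5       200   203.0.113.5     up
vmanage  dtls  10.3.0.7       300   203.0.113.7     up
vmanage  dtls  10.9.9.9       999   192.0.2.77      up
"""

# Assumed inventory: system IP -> role the device was provisioned with.
KNOWN_PEERS = {"10.1.1.1": "vmanage", "10.1.1.2": "vbond",
               "10.2.0.5": "vedge", "10.3.0.7": "vedge"}

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Peer:
    peer_type: str
    system_ip: str
    site_id: str
    public_ip: str
    state: str


def parse_control_connections(text):
    """Return one Peer per data row; header and separator rows are skipped
    because their third field is not an IPv4 address."""
    peers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not IPV4.fullmatch(parts[2]):
            continue
        peers.append(Peer(parts[0], parts[2], parts[3], parts[4], parts[5]))
    return peers


def audit_peers(peers, known):
    """Flag peers missing from inventory or claiming a different role.
    Unknown Manager peers are rated HIGH, as the advisory singles them out."""
    findings = []
    for p in peers:
        expected = known.get(p.system_ip)
        if expected is None:
            sev = "HIGH" if p.peer_type == "vmanage" else "MEDIUM"
            findings.append((sev, p.system_ip, f"unknown {p.peer_type} peer via {p.public_ip}"))
        elif expected != p.peer_type:
            findings.append(("HIGH", p.system_ip, f"inventory says {expected}, peer claims {p.peer_type}"))
    return findings
```

Any finding is a starting point for the inventory check, not proof of compromise; confirm it against the Manager's own device list before escalating.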