- Cisco disclosed CVE-2026-20182, a CVSS 10.0 authentication bypass in Catalyst SD-WAN Controller — the sixth SD-WAN zero-day exploited in 2026.
- Threat actor UAT-8616 is exploiting the flaw to add rogue peers, insert SSH keys, and modify NETCONF configurations across enterprise SD-WAN fabrics.
- CISA gave federal agencies just 3 days to patch, and 15 Cisco SD-WAN flaws now sit on the Known Exploited Vulnerabilities catalog.
Enterprise network admins have another long weekend ahead. Cisco on Thursday disclosed CVE-2026-20182, a maximum-severity authentication bypass in Catalyst SD-WAN Controller and Manager — and it’s already being exploited in the wild. This is the sixth Cisco SD-WAN zero-day whose exploitation came to light in 2026, and the second linked to the same sophisticated threat actor.
The flaw exists in the peering authentication mechanism, which Cisco’s own advisory says is “not working properly.” An unauthenticated, remote attacker can send crafted requests to bypass authentication entirely, log in as a high-privileged internal user, and manipulate NETCONF configurations across the SD-WAN fabric. The score is CVSS 10.0: the scale tops out there for a reason.
UAT-8616: The Sophisticated Operator Behind the Breach
Cisco Talos attributes the exploitation to UAT-8616, a threat group it describes as highly sophisticated. The actor previously exploited CVE-2026-20127, a related SD-WAN authentication bypass disclosed in February, and has been active since at least 2023.
Once inside, UAT-8616 adds SSH keys, modifies NETCONF configurations, and attempts to escalate to root privileges. The group’s infrastructure overlaps with Operational Relay Box networks — the same kind of intermediate proxy nodes that state-sponsored actors use to mask their origin. Talos has not attributed UAT-8616 to a specific country.
The vulnerability was discovered by Rapid7 during its analysis of CVE-2026-20127, which affects the same peering authentication component. Rapid7 reported it to Cisco on March 9. There are no workarounds.
FAQ
What does CVE-2026-20182 allow an attacker to do?
A remote, unauthenticated attacker can bypass authentication on Cisco Catalyst SD-WAN Controller and Manager, gain admin-level access, and manipulate network configurations across the SD-WAN fabric by registering rogue peer devices.
How many Cisco SD-WAN zero-days have been exploited in 2026?
Six. All six are on CISA’s Known Exploited Vulnerabilities catalog, which now lists 15 Cisco SD-WAN vulnerabilities total.
What should network admins do?
Patch immediately. CISA has given federal agencies a 3-day deadline. Restrict access to SD-WAN management and control-plane interfaces to trusted internal networks, and review authentication logs for unauthorized peering events.
[Editor’s note: This article was updated on May 17, 2026 to correct two errors. (1) The FAQ originally stated “Five” of the six exploited zero-days are on CISA’s Known Exploited Vulnerabilities catalog; all six are on the catalog. The “five” figure came from a SecurityWeek statement about the number discovered this year, not the number on KEV. (2) The phrase “not working properly” was attributed to SecurityWeek’s reporting but is actually Cisco’s own language from its security advisory; the text has been updated to clarify the source.]