AL26-012 – Critical vulnerability affecting Cisco Catalyst SD-WAN – CVE-2026-20182

Number: AL26-012
Date: May 15, 2026

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security (“Cyber Centre”) is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

The Canadian Centre for Cyber Security (Cyber Centre) is aware of active exploitation^{1Footnote 2} of Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) devices ^{Footnote 3}. In response to the Cisco security advisory released on May 14, 2026^{Footnote 4}, the Cyber Centre issued AV26-471^{Footnote 5} on May 14, 2026.

Tracked as CVE-2026-20182 ^{Footnote 6}, this vulnerability is a critical Improper authentication vulnerability (CWE-287)^{Footnote 7} affecting the peering authentication process of Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). It could allow an unauthenticated, remote attacker to bypass authentication, elevate privileges, and obtain administrative privileges on affected systems.

Cisco Catalyst SD-WAN Controller systems accessible from the internet, particularly those with exposed network ports, are at risk of exposure to compromise.

This vulnerability affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, regardless of device configuration. The vulnerability affects all deployment types, including:

• On-Prem Deployment
• Cisco SD-WAN Cloud-Pro
• Cisco SD-WAN Cloud – Cisco Managed
• Cisco SD-WAN for Government – FedRAMP Environment

The Cyber Centre is aware of incidents involving CVE-2026-20182; with reported attempts of SSH keys being added, NETCONF configurations being modified and escalation to root privileges. This allowed multiple follow-up actions including administrative access, persistence and long-term access to SD-WAN networks.

Cisco has also noted the continued exploitation of Cisco Catalyst SD-WAN vulnerabilities CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 previously reported in February 2026 ^{Footnote 8}. The Cyber Centre released AL26-004 ^{Footnote 9} at that time highlighting the issue.

Suggested actions

The Cyber Centre recommends that organizations upgrade affected Cisco Catalyst SD-WAN instances to a fixed version:

Cisco has also addressed this vulnerability in Cisco SD-WAN Cloud (Cisco Managed) Release 20.15.506, which is cloud based. No user action is required. Customers can determine the current remediation status or software version by using the Help function in the service GUI^{Footnote 4}.

The Cyber Centre also recommends organizations to:

• Review the Cisco advisory^{Footnote 4} and the Talos Intelligence article^{Footnote 1} to identify if indicators of compromise are present on their devices.
• Cisco states to preserve possible indicators of compromise, customers should issue the request admin-tech command from each of the control components in the SD-WAN deployment before upgrading^{Footnote 4Footnote 10}.
• Collect artifacts, including virtual snapshots and logs from SD-WAN technology.
• Fully patch SD-WAN technology including those that are affected by CVE-2026-20182.
• Implement recommendations from the Cisco SD-WAN hardening guide^{Footnote 11}.

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions with an emphasis on the following topics^{Footnote 12}.

• Consolidating, monitoring, and defending Internet gateways
• Patch operating systems and applications
• Harden operating systems and applications
• Isolate web-facing applications

Should activity matching the content of this alert be discovered, recipients are encouraged to report via My Cyber Portal or email contact@cyber.gc.ca.

References