Cisco has confirmed that a critical vulnerability is being exploited in active attacks at Catalyst SD-WAN Controller, registered as CVE-2026-20182 (CVSS 10.0) which allows to skip the matching authentication (peering) and to achieve administrative access to affected devices. According to Cisco's official notice, the problem is that the authentication mechanism between peers "does not work properly," so an attacker can send manipulated requests to register as a legitimate pair and obtain an internal account with high privileges that allows access to NETCONF and manipulation of the SD-WAN fabric configuration. More technical details and Cisco's notice are available on the company's own page: Cisco CVE-2026-20182 advisory.
The discovery was attributed by Cisco to analytical work that also linked research to a previous vulnerability (CVE-2026-20127) found by Rapid7; Rapid7 has published an analysis that contextualizes how bypass was detected and why the failure allows to create false "peers" within the SD-WAN mesh: Rapid7: report and context. CISA has included vulnerability in its Known Exploited Vulnerabilities Catalog and has given immediate patch instructions for federal agencies, which highlights the gravity and potential operational impact: CISA KEV catalog.
The attack vector is especially dangerous because, by adding a malicious peer, the actor can set up encrypted tunnels that seem legitimate within SD-WAN and announce routes under its control. With NETCONF available, an intruder can change routing policies, redirect traffic, open side access to data centres or clouds and persist in infrastructure without direct root access. Although the account obtained by exploitation is "no-root," its internal privileges allow alterations with impact on the availability, confidentiality and integrity of the corporate network.
Cisco has published commitment indicators (IOCs) and tactical recommendations: review authentication records (e.g. / var / log / auth.log) on Internet exposed drivers looking for public login for the manager's administrative account, and compare IP addresses with the "IP system" configured in the SD-WAN IU to detect unauthorized peers. It also recommends reviewing the driver's peering logs by looking for peer registration events that do not correspond to the known topology. Since Cisco claims that there are no complete alternative mitigation, the only definitive remedy is to apply the corrected versions published by Cisco.
If you manage Catalyst SD-WAN, the first action should be to assume the possibility of commitment if the computer was accessible from the Internet and any unknown IP appears in the authentication or peering logs. In this case, Cisco advises to open a case with TAC; from the practice of incident response, in addition to contact support, it is appropriate to isolate the affected controller from the network, take forensic overturn of logs and configurations, rotate keys and certificates used for matching and management, and consider the complete reconstruction of the device with patched software if there is evidence of unauthorized access.
In parallel with the patch, reduce the attack surface: restrict access to management interfaces and control plane to internal trust networks or authorized IP addresses, implement access control lists at edge level, limit the scope of NETCONF access and implement least-privileged policies in the management of SD-WAN. Implement continuous detection for unexpected changes in the configuration and check BGP / telemetric routes and ads to detect injections of malicious routes. These measures help to mitigate the risk while the patch is deployed, but do not replace it.
In terms of governance and continuity, this episode requires a review of confidence practices between devices in SD-WAN architectures: use second checks on the validity of certificates and keys, keep inventory and white list of System IPs and approved peers, and run regular audits of control-plane telemetry. For organizations with regulatory compliance or support critical services, support actions with forensic records and notify stakeholders and regulators as appropriate.
The reported operating speed and the entry into the CISA catalogue involve a real and time-bound risk window: Plot immediately, check logs and make commitments when there are authentication records from unrecognized PIs. If you need specific technical guidance or support with an ongoing incident, document log dates and samples before making changes, and consider climbing professional response services or Cisco's own TAC to preserve evidence and accelerate containment.
18-year-old Ukrainian youth leads a network of infostealers that violated 28,000 accounts and left $250,000 in losses
The Ukrainian authorities, in coordination with US agents. They have focused on an operation of infostealer which, according to the Ukrainian Cyber Police, was allegedly adminis...
RAMPART and Clarity redefine the safety of IA agents with reproducible testing and governance from the start
Microsoft has presented two open source tools, RAMPART and Clarity, aimed at changing the way the safety of IA agents is tested: one that automates and standardizes technical te...
The digital signature is in check: Microsoft dismands a service that turned malware into apparently legitimate software
Microsoft announced the disarticulation of a "malware-signing-as-a-service" operation that exploited its device signature system to convert malicious code into seemingly legitim...
A single GitHub workflow token opened the door to the software supply chain
A single GitHub workflow token failed in the rotation and opened the door. This is the central conclusion of the incident in Grafana Labs following the recent wave of malicious ...
WebWorm 2025: the malware that is hidden in Discord and Microsoft Graphh to evade detection
The latest observations by cyber security researchers point to a change in worrying tactics of an actor linked to China known as WebWorm: in 2025 it has incorporated back doors ...
Identity is no longer enough: continuous verification of the device for real-time security
Identity remains the backbone of many security architectures, but today that column is cracking under new pressures: advanced phishing, real-time proxyan authentication kits and...
The dark matter of identity is changing the rules of corporate security
The Identity Gap: Snapshot 2026 report published by Orchid Security puts numbers to a dangerous trend: the "dark matter" of identity - accounts and credentials that are neither ...