Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities

Thursday, May 14, 2026 at 04:02 PM UTC·Source: Cisco Talos

Updated: Thursday, May 14, 2026 at 05:00 PM UTC

Executive Summary

Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage.

Analysis

Indicators of Compromise (1)

CVE (1)

CVE-2026-20182

NVD MITRE CVE

Source Attribution

Originally published by Cisco Talos on May 14, 2026.

Related Threats

MEDIUMMalware

Russian hackers turn Kazuar backdoor into modular P2P botnet

The Russian hacker group Secret Blizzard has developed its long-running Kazuar backdoor into a modular peer-to-peer (P2P) botnet designed for long-term persistence, stealth, and data collection. [...]

6h agoBleepingComputer

LOWMalware

CISA orders all federal agencies to patch exploited bug in Cisco SD-WAN systems by Sunday

Cisco released a patch for the vulnerability on Thursday, writing in an advisory that it could “allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.”

1d agoThe Record

CRITICALZero Day

Cisco warns of an actively exploited SD-WAN flaw with max severity

Cisco has disclosed a max-severity authentication bypass vulnerability affecting its Catalyst SD-WAN Controller and Catalyst SD-WAN Manager platforms, warning that the flaw has already been found to be exploited in the wild. The disclosure follows an earlier authentication bypass vulnerability that Cisco patched in February. In the latest advisory, the company said the new flaw was identified whil

CVE-2026-20182

1d agoCSO Online