Overview
- CISA added CVE-2026-20182 to its Known Exploited Vulnerabilities catalog on Thursday and set a May 17 patch deadline for federal agencies under BOD 22-01.
- Cisco said the bug in Catalyst SD‑WAN Controller and Manager lets an unauthenticated attacker gain a high‑privilege account and use NETCONF to alter network configuration across the SD‑WAN fabric.
- Cisco observed limited exploitation in May and attributed the activity with high confidence to threat cluster UAT‑8616, warning that internet‑exposed controllers face greater risk from rogue peer registrations.
- Rapid7, which discovered the issue in the vdaemon service running over DTLS on UDP port 12346, flagged indicators of compromise (IOCs) such as auth logs showing “Accepted publickey for vmanage-admin” from unknown IPs and unexpected peering events.
- Cisco urged immediate upgrades because no full workaround exists, while Cisco Talos reported at least 10 other clusters abusing related SD‑WAN flaws since March to deploy web shells, miners, command‑and‑control tools, and credential stealers.
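
The auth-log indicator Rapid7 describes ("Accepted publickey for vmanage-admin" from unknown IPs) can be checked mechanically against an allowlist of expected management addresses. The sketch below is an added example, not code from Cisco, Rapid7 or the original report; it assumes standard OpenSSH syslog lines, and the allowlist, hostname and log lines are constructed for illustration.

```python
import ipaddress
import re

# Assumption: networks from which vmanage-admin key logins are expected.
# Replace with your own controller/manager addresses.
KNOWN_PEERS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "192.0.2.10/32")]

# Standard OpenSSH "Accepted publickey" syslog line (format is an assumption).
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample log lines (documentation-range IPs, placeholder key hashes).
SAMPLE_LOG = """\
May 14 03:12:45 vmanage sshd[2211]: Accepted publickey for vmanage-admin from 10.10.0.5 port 40112 ssh2: RSA SHA256:CONSTRUCTED
May 14 03:15:02 vmanage sshd[2290]: Accepted publickey for vmanage-admin from 203.0.113.77 port 51820 ssh2: RSA SHA256:CONSTRUCTED
May 14 03:15:40 vmanage sshd[2301]: Failed password for admin from 198.51.100.9 port 33001 ssh2
May 14 03:16:11 vmanage sshd[2310]: Accepted publickey for netadmin from 203.0.113.77 port 51822 ssh2: RSA SHA256:CONSTRUCTED
May 14 03:20:00 vmanage sshd[2400]: Accepted publickey for vmanage-admin from 192.0.2.10 port 40500 ssh2: RSA SHA256:CONSTRUCTED
May 14 03:22:31 vmanage sshd[2417]: Accepted publickey for vmanage-admin from 2001:db8::1 port 40771 ssh2: RSA SHA256:CONSTRUCTED
"""


def find_unknown_logins(lines, known=KNOWN_PEERS, user="vmanage-admin"):
    """Return (line_number, source, raw_line) for accepted key logins as
    `user` whose source address is outside every network in `known`."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = ACCEPTED.search(line)
        if not m or m["user"] != user:
            continue  # not an accepted-publickey event for the watched account
        try:
            src = ipaddress.ip_address(m["ip"])
            trusted = any(src in net for net in known)
        except ValueError:
            trusted = False  # unparseable source: fail closed and report it
        if not trusted:
            hits.append((lineno, m["ip"], line.strip()))
    return hits


if __name__ == "__main__":
    for lineno, src, raw in find_unknown_logins(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: vmanage-admin key login from unlisted source {src}")
        print(f"    {raw}")
```

A hit is a lead to investigate alongside the unexpected peering events the report also mentions, not proof of compromise on its own.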