Overview
- CISA added CVE-2026-20182 to its Known Exploited Vulnerabilities catalog and set a May 17 deadline for federal agencies to remediate it.
- The flaw is an authentication bypass in Cisco Catalyst SD‑WAN Controller and Manager that lets an unauthenticated user gain admin access and change network settings via the NETCONF management service.
- Cisco said its PSIRT observed limited attacks and urged immediate upgrades, noting that internet‑reachable controllers with exposed ports face higher risk.
- Rapid7, which discovered the issue, found the bug in the vdaemon service over DTLS on UDP 12346 and showed how an attacker can plant a public key and then access NETCONF over SSH on port 830 to run commands.
- The weakness resembles an earlier critical bug, CVE-2026-20127, reported as exploited since 2023, highlighting persistent targeting of SD‑WAN control‑plane components.