Cisco SD-WAN Flaw Exploited in Zero-Day Attacks

"This vulnerability exists because the peering authentication mechanism in an affected system is not working properly," Cisco warned — a terse line that captures a high-risk failure in the authentication logic of its Catalyst SD‑WAN product line, and a vulnerability that security teams must now treat as actively exploited.

CVE-2026-20182: how the flaw works and what it can do

CVE-2026-20182 is tracked as a maximum-severity 10.0 authentication bypass affecting Cisco Catalyst SD‑WAN Controller and Cisco Catalyst SD‑WAN Manager in both on‑prem and SD‑WAN Cloud deployments. According to Cisco’s advisory, the vulnerability exists because a peering authentication mechanism "is not working properly," and an attacker can exploit the issue "by sending crafted requests to the affected system."

A successful exploit can allow an attacker to log in to an affected SD‑WAN Controller as an internal, high‑privileged, non‑root user account. From that position, the attacker could access NETCONF and manipulate network configuration across the SD‑WAN fabric — including adding or registering peers that appear legitimate to the environment.

Indicators of compromise administrators should hunt for

Cisco published specific indicators of compromise (IOCs) to help administrators determine whether a system has been targeted. Teams are urged to review /var/log/auth.log for entries showing "Accepted publickey for vmanage-admin" originating from unknown IP addresses. Cisco gave an example log line format:

2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from port [REDACTED PORT] ssh2: RSA SHA256:[REDACTED KEY]

Administrators should compare IP addresses seen in logs with the configured System IPs listed in the Cisco Catalyst SD‑WAN Manager web UI (WebUI > Devices > System IP). If an unknown IP address successfully authenticated, Cisco’s guidance is to consider the device compromised and open a Cisco TAC case.

Teams should also inspect SD‑WAN Controller logs for unauthorized peering events. Cisco supplied an example event administrators should watch for, showing a peer registration with a public IP and port that may indicate a rogue device attempting to join the fabric:

Jul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005
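To make the two hunts above repeatable, here is an added example (not Cisco's code, and not part of the advisory) that applies the same logic to log lines: it parses sshd "Accepted publickey for vmanage-admin" entries and flags any whose source IP is not in the set of System IPs taken from WebUI > Devices > System IP, and it parses controller control-connection-state-change events and flags peers whose peer-system-ip is not in that inventory or whose public-ip falls outside a trusted management range. All log lines, System IPs and the trusted range below are constructed samples using documentation address space; the inventory set and trusted network are assumptions you would replace with your own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample of /var/log/auth.log lines (not from the advisory).
# Line 1: vmanage-admin from an inventoried System IP (expected).
# Line 2: vmanage-admin from an IP not in the inventory (suspicious).
# Line 3: a different user; out of scope for this IOC.
AUTH_LOG = """\
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from 10.10.1.5 port 41122 ssh2: RSA SHA256:AAAA
2026-02-10T22:53:02+00:00 vm sshd[812]: Accepted publickey for vmanage-admin from 203.0.113.44 port 50321 ssh2: RSA SHA256:BBBB
2026-02-10T22:54:10+00:00 vm sshd[820]: Accepted password for admin from 10.10.1.7 port 41200 ssh2
"""

# Constructed sample of SD-WAN Controller (vSmart) peering events.
# Line 1: a peer that matches the inventory. Line 2: an unknown system IP
# registering from an address outside the trusted management range.
VSMART_LOG = """\
Jul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:10.10.1.5 public-ip:10.10.1.5 public-port:12346 domain-id:1 site-id:100
Jul 26 22:05:41 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanage peer-system-ip:1.1.1.10 public-ip:198.51.100.20 public-port:12345 domain-id:1 site-id:1005
"""

# Assumed inventory: the System IPs shown in WebUI > Devices > System IP.
KNOWN_SYSTEM_IPS: Set[str] = {"10.10.1.5", "10.10.1.7"}
# Assumed trusted network from which management/control-plane peers may connect.
TRUSTED_NETWORK = ipaddress.ip_network("10.10.0.0/16")

AUTH_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)
PEER_RE = re.compile(
    r"control-connection-state-change new-state:(?P<state>\S+) "
    r"peer-type:(?P<ptype>\S+) peer-system-ip:(?P<sysip>\S+) "
    r"public-ip:(?P<pubip>\S+) public-port:(?P<pport>\d+)"
)


@dataclass
class Finding:
    source: str   # which log the hit came from
    reason: str   # why it was flagged
    line: str     # the raw line, for the TAC case / ticket


def suspicious_admin_logins(lines: Iterable[str], known_ips: Set[str],
                            user: str = "vmanage-admin") -> List[Finding]:
    """Flag successful logins for `user` from IPs not in the System IP list."""
    findings = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m or m.group("user") != user:
            continue
        if m.group("ip") not in known_ips:
            findings.append(Finding(
                "auth.log", f"{user} accepted from unknown IP {m.group('ip')}", line))
    return findings


def unauthorized_peerings(lines: Iterable[str], known_ips: Set[str],
                          trusted: ipaddress.IPv4Network = TRUSTED_NETWORK) -> List[Finding]:
    """Flag 'up' control connections from peers outside the inventory or trusted range."""
    findings = []
    for line in lines:
        m = PEER_RE.search(line)
        if not m or m.group("state") != "up":
            continue
        reasons = []
        if m.group("sysip") not in known_ips:
            reasons.append(f"system-ip {m.group('sysip')} not in inventory")
        if ipaddress.ip_address(m.group("pubip")) not in trusted:
            reasons.append(f"public-ip {m.group('pubip')} outside trusted network")
        if reasons:
            findings.append(Finding(
                "controller", f"peer-type {m.group('ptype')}: " + "; ".join(reasons), line))
    return findings


def hunt(auth_log: str = AUTH_LOG, vsmart_log: str = VSMART_LOG,
         known_ips: Set[str] = KNOWN_SYSTEM_IPS) -> List[Finding]:
    """Run both IOC checks and return every finding."""
    return (suspicious_admin_logins(auth_log.splitlines(), known_ips)
            + unauthorized_peerings(vsmart_log.splitlines(), known_ips))


if __name__ == "__main__":
    for f in hunt():
        print(f"[{f.source}] {f.reason}\n    {f.line}")
```

On real systems, feed `hunt()` the contents of /var/log/auth.log and the controller log and populate `KNOWN_SYSTEM_IPS` from the Manager UI rather than by hand; per Cisco's guidance, any finding from auth.log is grounds to treat the device as compromised and open a TAC case rather than to keep investigating in place.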

Exploit activity, discovery, and links to prior SD‑WAN attacks

Cisco said it detected threat actors exploiting CVE-2026-20182 in May but did not provide technical details about the exploitation method. The flaw was discovered by Rapid7 while its researchers were investigating a different SD‑WAN controller vulnerability, CVE-2026-20127, which Cisco fixed in February.

That earlier vulnerability, CVE-2026-20127, had itself been exploited in zero‑day attacks by a threat actor tracked as "UAT-8616" since 2023 to create rogue peers inside targeted organizations. Cisco’s advisory links the new finding to this line of investigation rather than distancing it from previous active attacks.

Mitigation, patches, and federal action

Cisco strongly recommends upgrading to a fixed software release, noting that this is the only way to fully remediate CVE-2026-20182. The company also said there are no workarounds that fully mitigate the issue.

As interim measures, Cisco advises restricting access to SD‑WAN management and control‑plane interfaces to trusted internal networks or to authorized IP addresses only, and closely reviewing authentication logs for suspicious login activity. Where compromise is suspected, Cisco instructs administrators to open a Cisco TAC case.

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20182 to the Known Exploited Vulnerabilities Catalog and ordered federal agencies to patch affected devices by May 17, 2026.

What this means for network operators, federal agencies, and security teams

  • Network operators and security teams: Review /var/log/auth.log and controller peering logs now for the specific "Accepted publickey for vmanage-admin" entries and unauthorized peering events; compare IPs to the WebUI > Devices > System IP list and treat unknown successful authentications as compromises.
  • Federal agencies: CISA’s listing creates a compliance deadline — affected federal systems must be patched by May 17, 2026 — and agencies will need to prioritize upgrades to fixed software releases because Cisco’s advisory states there is no complete workaround.
  • Procurement and operations leaders: Systems that expose SD‑WAN management or control‑plane interfaces to the internet should be reconfigured to restrict access to trusted internal networks or authorized IP ranges until upgrades are applied.

Cisco’s notification closes a short but urgent loop: a high‑severity authentication flaw, active exploitation detected in May, and a hard federal patch deadline. For organizations that run Cisco Catalyst SD‑WAN Controller or Manager in any deployment model, the path is clear — hunt the logs Cisco has identified, assume an unknown successful peering or vmanage-admin authentication is a compromise, and move to the fixed software release as the definitive remediation.
