ctipilot.ch


Cisco Catalyst SD-WAN CVE-2026-20182 — UAT-8616 active, CISA Emergency Directive ED-26-03, 10+ companion-CVE clusters

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

If you did nothing this week: any Catalyst SD-WAN Manager or Controller with an internet-reachable management plane has been within UAT-8616's active exploitation window per Cisco Talos's 2026-05-14 timeline — with full fabric-takeover capability via a pre-authentication HTTP-header parsing bypass in the NETCONF gateway. The published kill chain is HTTP-header injection → authentication bypass → vManage administrative API → orchestrator-level configuration push → arbitrary device-config rewrite across every fabric member. Patches are available (vManage 20.13.4 / 20.12.6 / 20.9.7 / earlier branches per Cisco PSIRT); CISA issued Emergency Directive ED-26-03 on 2026-05-15 mandating identification, mitigation, and reporting for US federal civilian agencies with a 2026-05-17 (today) deadline (Cisco PSIRT; CISA ED-26-03; daily 2026-05-15).

What makes the SD-WAN picture operationally critical for Swiss / EU defenders even after the patches land is the approximately 10 additional intrusion clusters Talos and CISA jointly identified exploiting February-2026 Catalyst SD-WAN companion CVEs (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122 — patched in Q1 2026 but with public-PoC availability that drove a wave of secondary exploitation against organisations that lagged the original patch). The 10-cluster figure indicates the SD-WAN attack surface is being mined systematically by multiple unrelated operators, not just UAT-8616, so the hunt is not bounded to a single named cluster's TTPs: review vmanage_event and NETCONF-gateway logs for any 401/403→200 transitions on /dataservice/* endpoints from external source IPs across the entire Q1-2026 → present window, and assume any unpatched device has been visited.
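The hunt the paragraph above describes, as an added example that is not code from ctipilot.ch, Cisco Talos or CISA: a Python scan over constructed access-log lines that flags, per external source address, a 401/403 on a /dataservice/* endpoint followed by a 200 on a /dataservice/* endpoint within a pairing window. The single-line log format, the 24-hour window, the explicit internal-range list and the sample addresses (RFC 5737 documentation ranges) are all assumptions; real vmanage_event and NETCONF-gateway exports have their own formats, so parse_line() is the part to adapt.

```python
"""Flag 401/403 -> 200 transitions on /dataservice/* from external sources.

Added example, not vendor or publisher code.  The log shape below is a
constructed, hypothetical one-line-per-request format:
    "<ISO-8601 UTC timestamp> <source IP> <method> <path> <HTTP status>"
Adapt parse_line() to the actual vmanage_event / NETCONF-gateway export.
"""
import ipaddress
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

# Ranges treated as "internal" (assumption; extend with your own management
# subnets).  Checked explicitly rather than via ip.is_global because the
# constructed sample uses RFC 5737 documentation addresses, which Python's
# ipaddress module classifies as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]


def parse_line(line):
    """Parse one hypothetical log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_external(ip):
    """True when the address parses and falls outside every INTERNAL_NETS range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_auth_transitions(lines, window=timedelta(hours=24)):
    """Return (src, denied_ts, allowed_ts, allowed_path) tuples.

    A tuple is emitted when an external source receives 401/403 on a
    /dataservice/* path and later receives 200 on a /dataservice/* path
    within `window`.  Each denied->allowed pair is reported once.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    last_denied = {}  # src -> timestamp of the most recent 401/403
    hits = []
    for e in events:
        if not e["path"].startswith("/dataservice/") or not is_external(e["src"]):
            continue
        if e["status"] in (401, 403):
            last_denied[e["src"]] = e["ts"]
        elif e["status"] == 200 and e["src"] in last_denied:
            denied = last_denied[e["src"]]
            if e["ts"] - denied <= window:
                hits.append((e["src"], denied, e["ts"], e["path"]))
                del last_denied[e["src"]]
    return hits


# Constructed sample log (not real telemetry).  Documentation-range addresses
# stand in for external sources; 10.20.0.5 stands in for an internal client.
SAMPLE_LOG = [
    "2026-05-13T09:14:02Z 203.0.113.7 POST /dataservice/client/token 401",
    "2026-05-13T09:14:05Z 203.0.113.7 GET /dataservice/device 403",
    "2026-05-13T09:14:09Z 203.0.113.7 GET /dataservice/device 200",          # flagged
    "2026-05-13T09:20:00Z 10.20.0.5 GET /dataservice/device 401",            # internal: ignored
    "2026-05-13T09:20:03Z 10.20.0.5 GET /dataservice/device 200",
    "2026-05-13T10:00:00Z 198.51.100.9 GET /dataservice/system/status 401",
    "2026-05-13T10:00:04Z 198.51.100.9 GET /login 200",                      # not /dataservice/*
    "2026-05-15T12:00:00Z 198.51.100.9 GET /dataservice/system/status 200",  # outside 24h window
]

if __name__ == "__main__":
    for src, denied, allowed, path in find_auth_transitions(SAMPLE_LOG):
        print(f"{src}: denied {denied.isoformat()} -> allowed {allowed.isoformat()} on {path}")
```

A hit is a lead for triage, not a verdict: a legitimate client that fetches a token after an expired session also produces a 401 followed by a 200, so each flagged source should be checked against the device's patch state and the expected set of management clients. Because the brief scopes the hunt to the whole Q1-2026 to present window, run the scan over the full log retention rather than the most recent week.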