ctipilot.ch


Cisco Catalyst SD-WAN CVE-2026-20182 — pre-auth authentication bypass under active exploitation; CISA KEV-listed

From CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24, 2026) · published 2026-05-18

If you did nothing this week: Internet-exposed SD-WAN Manager instances without the patched build applied are high-value initial-access targets. The pre-auth authentication bypass in Cisco Catalyst SD-WAN Manager and Controller (CVSS 10.0) is under active exploitation. CISA has added CVE-2026-20182 to the Known Exploited Vulnerabilities catalogue.

The vulnerability arises from improper validation of API request parameters. It allows an unauthenticated remote attacker to bypass authentication and execute administrative functions, including creating admin-level accounts and modifying device configuration. Talos confirmed exploitation in the wild in its 2026-05-14 advisory, documenting a cluster tracked as UAT-8616 among others. Talos documents 10 exploitation clusters targeting the older CVE-2026-20133 / CVE-2026-20128 / CVE-2026-20122 vulnerabilities in the same product line; active exploitation of CVE-2026-20182 specifically is confirmed by Cisco PSIRT.

Patched builds per Cisco PSIRT: 20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.18.2.2, 26.1.1.1; older releases require upgrade.
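The patched-build list above can be turned into an inventory check. The Python below is an added example, not code from Cisco, Talos or this brief. It assumes each listed build is the fix for its own three-part release line (for example 20.12.5.x), which the brief does not state, and the hostnames and versions in the sample inventory are constructed.

```python
# Added example: triage SD-WAN Manager/Controller versions against the
# patched builds listed in this brief.
PATCHED = ["20.9.9.1", "20.12.5.4", "20.12.6.2", "20.12.7.1",
           "20.15.4.4", "20.15.5.2", "20.18.2.2", "26.1.1.1"]

def parse(version):
    """'20.12.5.3' -> (20, 12, 5, 3); shorter strings are zero-padded."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(version)
    return tuple(parts + [0] * (4 - len(parts)))

# Assumption (not stated in the brief): a listed build fixes only its own
# three-part release line, so 20.12.5.4 says nothing about 20.12.6.x.
FIXED = {parse(v)[:3]: parse(v) for v in PATCHED}

def triage(version):
    """Classify one version string; anything uncertain fails closed."""
    try:
        v = parse(version)
    except ValueError:
        return "UNPARSEABLE"
    line = v[:3]
    if line in FIXED:
        return "PATCHED" if v >= FIXED[line] else "UNPATCHED"
    # No fixed build listed for this release line. If it is newer than every
    # listed line in its train (or overall), the brief does not cover it.
    same_train = [l for l in FIXED if l[:2] == line[:2]]
    newest = max(same_train) if same_train else max(FIXED)
    return "CHECK_ADVISORY" if line > newest else "UPGRADE_REQUIRED"

def report(inventory):
    """Map hostname -> status for a {hostname: version} inventory."""
    return {host: triage(ver) for host, ver in inventory.items()}

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "vmanage-dc1": "20.12.5.3",
    "vmanage-dc2": "20.12.6.2",
    "vsmart-lab": "20.6.3",
    "vmanage-new": "20.12.8.1",
    "vsmart-odd": "20.15.5.2a",
}

if __name__ == "__main__":
    for host, status in sorted(report(SAMPLE).items()):
        print(f"{host:14} {SAMPLE[host]:12} {status}")
```

A three-part version string such as `20.18.2` is padded with a zero and reported as `UNPATCHED`, so truncated inventory data is flagged rather than passed.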