
Cybersecurity Threat Advisory

An authentication bypass zero-day vulnerability, tracked as CVE-2026-20182 with a maximum CVSS score of 10.0, has been identified in Cisco Catalyst SD-WAN Controller and Manager. The vulnerability allows unauthenticated attackers to gain the highest level of administrative access to affected systems without valid credentials and is currently under active exploitation by UAT-8616, a persistent and sophisticated threat group previously linked to multiple zero-day campaigns targeting Cisco network edge technologies. Continue reading this Cybersecurity Threat Advisory to learn how to minimize your risk and protect your environment.

What is the threat?

This vulnerability is a maximum severity authentication bypass flaw in the Cisco Catalyst SD-WAN Controller and Manager that allows an attacker to present themselves as a trusted network router and obtain the highest level of administrative access without valid credentials or prior knowledge of the target environment.

In affected versions, improper validation of authentication logic in the control plane service lets unauthorized requests reach protected resources. An attacker with network access to a vulnerable instance could:

  • Bypass authentication controls and gain full administrative access to the SD-WAN Controller or Manager interface.
  • Reroute network traffic, intercept communications, or push malicious configurations across the entire SD-WAN fabric.
  • Gain control over every branch, data center, and cloud edge connected to the managed overlay network.
  • Disrupt network connectivity across the entire organization from a single point of compromise.

Why is it noteworthy?

This vulnerability is particularly critical because the SD-WAN Controller manages routing and policy across the entire overlay network. If an attacker compromises it, they gain broad control and can impact the entire organization.

Several factors make this vulnerability especially severe. CVE-2026-20182 carries a maximum CVSS score of 10.0, reflecting both that no authentication is required and that a complete system compromise is possible. Attackers need neither credentials nor prior knowledge of the environment, which makes exploitation easy and accessible.

Active exploitation is already underway. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 14, 2026—the same day Cisco disclosed and patched it. This timing confirms that threat actors were already using it in real-world attacks.

The threat actor linked to this activity, UAT-8616, is highly capable and persistent. This group has a track record of exploiting Cisco zero-day vulnerabilities, sometimes maintaining campaigns for years before detection.

Recent trends add further concern. Over a three-month period, CISA added seven Cisco SD-WAN and firewall vulnerabilities to the KEV catalog. This pattern points to sustained and targeted attacks against Cisco edge technologies.

What is the exposure or risk?

Organizations that face the highest risk include those running unpatched versions of the Cisco Catalyst SD-WAN Controller or Manager, regardless of deployment type. This includes on-premises, cloud, and FedRAMP environments. Risk also increases when organizations expose SD-WAN Controller or Manager interfaces to internet-accessible networks, which gives attackers a direct entry point. In addition, organizations that rely on Cisco SD-WAN to manage distributed infrastructure across branches, data centers, and cloud environments face greater impact.

Potential impact includes unauthorized administrative control of the entire SD-WAN overlay network, interception or manipulation of routed traffic, mass deployment of malicious configurations, service disruption across the organization, and a potential pivot point for further lateral movement into connected infrastructure.

What are the recommendations?

Barracuda recommends the following actions to secure your network infrastructure:

  • Apply Cisco’s released patches for CVE-2026-20182 to all Cisco Catalyst SD-WAN Controller and Manager deployments immediately.
  • Review and restrict external access to SD-WAN management plane services; limit access to trusted IP ranges and management networks only.
  • Review exposure to the three previously chained Cisco SD-WAN vulnerabilities (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) and confirm that their patches are applied.
  • Implement network segmentation to isolate SD-WAN management infrastructure from general-purpose networks and internet-facing systems.
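The access-restriction and segmentation recommendations above can be expressed as a source allowlist in front of the management plane. The following is an added example, not Cisco's or Barracuda's code: it parses a set of trusted management ranges, checks sample connection attempts against them, and renders the equivalent nftables ruleset with a default-drop input chain. The management ports (TCP/443 for the Manager web UI, TCP/22 for SSH), the address ranges, and the sample attempts are assumptions constructed for illustration; adjust them to the listeners your deployment actually exposes.

```python
import ipaddress

# Assumed management-plane listeners: Manager web UI (TCP/443) and SSH (TCP/22).
# These are illustrative; confirm the ports your deployment actually exposes.
MGMT_PORTS = (443, 22)

# Constructed trusted management ranges (not real addresses); replace with your own.
TRUSTED_MGMT = ("10.10.0.0/24", "192.168.100.0/24")


def build_allowlist(cidrs):
    """Parse IPv4 CIDR strings into networks, refusing anything that re-exposes the interface."""
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: reject host bits set (typo guard)
        if net.version != 4:
            raise ValueError(f"IPv4 only in this ruleset: {cidr}")
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all range {cidr}")  # 0.0.0.0/0 would admit the internet
        nets.append(net)
    return nets


def is_permitted(allowlist, src_ip, dst_port):
    """True only when a trusted source reaches a management listener; everything else is dropped."""
    if dst_port not in MGMT_PORTS:
        return False
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in allowlist)


def triage_attempts(allowlist, attempts):
    """Map each (src, dst_port) attempt to the verdict the ruleset would give it."""
    return {
        f"{src}:{port}": "accept" if is_permitted(allowlist, src, port) else "drop"
        for src, port in attempts
    }


def nft_ruleset(allowlist, ports=MGMT_PORTS):
    """Render the allowlist as an nftables table with a default-drop input chain."""
    elems = ", ".join(str(net) for net in allowlist)
    plist = ", ".join(str(p) for p in ports)
    lines = [
        "table inet sdwan_mgmt {",
        "    set trusted_mgmt {",
        "        type ipv4_addr",
        "        flags interval",  # required so the set can hold CIDR prefixes
        f"        elements = {{ {elems} }}",
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        ct state established,related accept",
        "        iif lo accept",
        f"        ip saddr @trusted_mgmt tcp dport {{ {plist} }} accept",
        f"        tcp dport {{ {plist} }} counter drop",  # count blocked probes for monitoring
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


# Constructed sample connection attempts against the management plane.
SAMPLE_ATTEMPTS = [
    ("10.10.0.25", 443),      # jump host inside a trusted range
    ("203.0.113.7", 443),     # internet source probing the Manager UI
    ("192.168.100.9", 22),    # trusted host over SSH
    ("192.168.100.9", 8443),  # trusted host, but no management listener on that port
]

if __name__ == "__main__":
    allow = build_allowlist(TRUSTED_MGMT)
    for attempt, verdict in triage_attempts(allow, SAMPLE_ATTEMPTS).items():
        print(f"{attempt:<22} {verdict}")
    print(nft_ruleset(allow))
```

The `counter drop` rule is redundant with the chain policy but gives you a running count of blocked probes against the management ports, which is a cheap signal that someone is scanning for the interface. The catch-all check in `build_allowlist` guards against the common mistake of adding `0.0.0.0/0` to a "trusted" set and silently re-exposing the Manager to the internet.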

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.



Posted by Spartak Myrto

Spartak is a Cybersecurity Analyst at Barracuda MSP. He supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
