The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly disclosed Cisco vulnerability, tracked as CVE-2026-20182, to its Known Exploited Vulnerabilities (KEV) catalog after confirming that the flaw is being actively exploited in real-world attacks. The vulnerability affects Cisco Catalyst SD-WAN Controller and Manager products and carries the maximum CVSS severity score of 10.0.
According to Cisco’s advisory, the flaw exists due to a failure in the peering authentication mechanism used by affected SD-WAN systems. Attackers can exploit the vulnerability by sending specially crafted requests that bypass authentication protections, allowing unauthorized remote access to high-privileged internal accounts. Once compromised, attackers can access NETCONF services and manipulate network configurations across the SD-WAN infrastructure.
Cisco stated that it detected active exploitation attempts in May 2026 but has not publicly disclosed details about the attackers or specific targets. However, security researchers revealed that the vulnerability is linked to ongoing campaigns involving a sophisticated threat actor tracked as UAT-8616, which has reportedly targeted Cisco SD-WAN infrastructure since at least 2023.
Researchers noted that the newly disclosed CVE-2026-20182 resembles an earlier critical Cisco SD-WAN flaw, CVE-2026-20127, which was also actively exploited earlier this year. Security experts warned that attackers have been chaining multiple Cisco vulnerabilities together to gain deeper access into enterprise networks, escalate privileges, inject SSH keys, manipulate configurations, and erase forensic evidence from compromised systems.
Cisco has already released software updates addressing the vulnerability and urged customers to apply patches immediately, stating that there are currently no complete workarounds available. The company also recommended restricting SD-WAN management access to trusted networks, monitoring authentication logs for suspicious activity, and reviewing peering events for signs of rogue device registrations.
CISA has directed Federal Civilian Executive Branch agencies to remediate the vulnerability by May 17, 2026, under Emergency Directive 26-03. The agency warned that the flaw poses a significant risk because successful exploitation could allow attackers to alter network traffic flows, compromise sensitive infrastructure, and establish persistence within enterprise environments.
Cybersecurity experts believe the incident highlights the growing focus of threat actors on networking infrastructure and enterprise edge devices. As organizations increasingly rely on SD-WAN technologies to manage distributed networks and cloud connectivity, vulnerabilities affecting centralized network controllers are becoming highly attractive targets for advanced attackers and cybercriminal groups.