
"Cisco admins face emergency patch duty after Switchzilla disclosed a max-severity make-me-admin bug affecting Catalyst SD-WAN Controller and Manager. Switchzilla dropped an advisory for CVE-2026-20182 (10.0) on Thursday, saying that both components, formerly known as vSmart and vManage, were vulnerable in all deployment types, and that fixes were available."
"The bug allows unauthenticated remote attackers to bypass authentication and gain admin privileges on an affected system. According to Rapid7, whose researchers Stephen Fewer and Jonah Burgess found the vulnerability, attackers exploiting CVE-2026-20182 could then start issuing arbitrary NETCONF commands. It means they could steal data, intercept traffic, manipulate an organization's firewall rules, or just bring the network down, opening up opportunities for attackers of all stripes: state-backed, financially motivated, hacktivists - you name it."
"Offering a high-level overview of the vulnerability, Cisco said: "This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. "A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.""
"Cisco confirmed that, in May 2026, it became aware that CVE-2026-20182 had been exploited as a zero-day, although it did not attribute the activity. The Cybersecurity and Infrastructure Security Agency (CISA) also added CVE-2026-20182 to its Known Exploited Vulnerabilities (KEV) catalog, which is reserved for the security flaws that are both actively being exploited and threaten feder"
CVE-2026-20182 affects the Cisco Catalyst SD-WAN Controller and Manager components in all deployment types. The vulnerability enables unauthenticated remote attackers to bypass authentication and obtain admin privileges on an affected system. Successful exploitation allows attackers to log in as an internal, high-privileged, non-root user account and access NETCONF. Through NETCONF, attackers can manipulate network configuration for the SD-WAN fabric. Potential impacts include data theft, traffic interception, firewall rule manipulation, and network disruption. Cisco reported that it became aware in May 2026 of exploitation as a zero-day. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, indicating active exploitation and significant risk.
#cve-2026-20182 #cisco-catalyst-sd-wan #netconf #authentication-bypass #known-exploited-vulnerabilities-kev
Read at theregister