Cisco has issued a critical alert regarding a high-severity security vulnerability, CVE-2026-20182, within its Catalyst SD-WAN Manager software. This flaw has been observed to be under active exploitation, posing a significant risk to organizations relying on Cisco’s software-defined networking solutions. The vulnerability, which affects multiple deployment models including on-premises and cloud-based options, could allow unauthorized access and command execution.
The vulnerability, officially designated as CVE-2026-20182, carries a substantial CVSS score of 7.8 out of a possible 10.0. It impacts a range of Cisco Catalyst SD-WAN Manager deployments, specifically On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). The exploit pathway involves an authenticated, local attacker gaining the ability to execute arbitrary commands with root privileges.
Cisco Catalyst SD-WAN Manager Vulnerability Exploited
According to Cisco’s advisory, the exploitable flaw resides within the Command Line Interface (CLI) of Cisco Catalyst SD-WAN Manager. The vulnerability stems from inadequate validation of user-supplied input. An attacker who can upload a specially crafted file to the affected system can exploit this weakness to inject commands, ultimately escalating their privileges to root and gaining extensive control over the system.
However, exploiting CVE-2026-20182 is not a simple undertaking; it requires the attacker to possess “netadmin” privileges on the target system. This prerequisite means attackers must either have valid credentials on the system or have successfully exploited other vulnerabilities. Cisco explicitly mentions CVE-2026-20182 and CVE-2026-20127 as potential pre-exploitation vectors. These related vulnerabilities, both involving authentication bypass and detailed previously, could grant the necessary initial access for the CVE-2026-20182 exploit to be chained.
Exploitation Details and Related Vulnerabilities
The severity of CVE-2026-20182 is amplified by the fact that related authentication bypass vulnerabilities, such as CVE-2026-20182 and CVE-2026-20127, have already seen active exploitation in the wild as zero-days. Cisco notes that a threat actor cluster identified as UAT-8616 has been linked to the abuse of CVE-2026-20127 since as early as 2023, indicating a persistent threat landscape targeting Cisco SD-WAN components.
Cisco reported observing limited instances where the exploitation of CVE-2026-20182 led to unauthorized configuration changes being pushed to edge devices. The discovery of this new vulnerability is credited to Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan. The identity of the threat actors behind the latest exploitation efforts for CVE-2026-20182 remains unknown.
Mitigation and Indicators of Compromise
As of the latest advisory, there are no specific patches or direct mitigations available for CVE-2026-20182 itself. However, Cisco strongly recommends that customers upgrade their Cisco SD-WAN software to incorporate the fixes that have already been released for the preceding vulnerabilities, specifically CVE-2026-20182, which was addressed on May 14, 2026. Ensuring systems are patched against these related flaws is crucial for bolstering defenses.
Cisco has also highlighted that internet-exposed systems are at an elevated risk of being targeted. To aid in detection, potential indicators of compromise (IoCs) have been provided. Organizations are advised to scrutinize the file “/var/log/scripts.log” for suspicious log entries. Examples of such entries include those detailing the upload of tenant lists or serial number files using specific script paths, potentially indicating unauthorized activity.
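As an added illustration (not code from Cisco’s advisory or from this article), the following Python scans a copy of /var/log/scripts.log for entries of the kind described above and reports which indicator each line matched. The log format, the script paths and the sample lines are constructed assumptions, since the advisory text summarized here does not reproduce them.

```python
"""Scan a copy of /var/log/scripts.log for entries resembling the IoCs named in
Cisco's advisory: uploads of tenant lists or serial-number files via scripts.
Patterns and sample lines are constructed assumptions, not published IoCs."""
import re
from dataclasses import dataclass

# Constructed indicator patterns (assumptions): script invocations whose
# names suggest tenant-list or serial-file uploads, plus shell metacharacters
# in an uploaded file name, which is what a command-injection attempt via a
# crafted file would leave behind in the log.
SUSPICIOUS_PATTERNS = {
    "tenant_list_upload": re.compile(r"upload.*tenant", re.IGNORECASE),
    "serial_file_upload": re.compile(r"upload.*serial", re.IGNORECASE),
    "shell_metachar_in_filename": re.compile(r"(file|filename)=\S*[;|&`$]"),
}

@dataclass
class Finding:
    line_no: int
    rule: str
    line: str

def scan_scripts_log(lines):
    """Return one Finding per (line, rule) pair where an indicator matches."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for rule, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(no, rule, line.rstrip()))
    return findings

# Constructed sample log lines (assumed format, not real SD-WAN Manager output).
SAMPLE_LOG = """\
2026-05-20 10:01:02 user=netadmin script=/opt/scripts/show_version.sh rc=0
2026-05-20 10:03:44 user=netadmin script=/opt/scripts/upload_tenant_list.sh file=tenants.csv
2026-05-20 10:04:10 user=netadmin script=/opt/scripts/upload_serial_file.sh file=serials.csv;x
2026-05-20 10:05:00 user=operator script=/opt/scripts/backup_config.sh rc=0
""".splitlines()

if __name__ == "__main__":
    # Against the sample above this reports three findings on lines 2 and 3.
    for f in scan_scripts_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.line}")
```

Run it against an exported copy of the log rather than on the appliance itself, and treat matches as leads for review rather than confirmed compromise.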
This latest vulnerability is the seventh significant flaw affecting Cisco SD-WAN to be flagged for active exploitation in the current year. This follows previously reported issues including CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, and CVE-2022-20775. The ongoing stream of exploited vulnerabilities underscores the persistent attention Cisco’s networking infrastructure is receiving from malicious actors.
The disclosure of CVE-2026-20182 emerged just days after Cisco addressed another high-severity vulnerability in its Unified Communications Manager (CVE-2026-20230). While a proof-of-concept exploit for that flaw is publicly available, Cisco stated there was no evidence of it being actively exploited at the time of their advisory. Organizations using Cisco SD-WAN Manager should prioritize applying available patches for the linked vulnerabilities and remain vigilant for signs of compromise while awaiting a specific fix for CVE-2026-20182.