Attackers have again targeted a widely used network infrastructure component, exploiting a critical zero-day vulnerability in Cisco Catalyst SD-WAN Controller and Manager. The vulnerability, which allows for authentication bypass, has a maximum severity score, enabling attackers to gain administrative access to the network. This marks a significant concern for organizations relying on Cisco’s SD-WAN solutions.
Cisco confirmed it is aware of limited attacks exploiting this vulnerability. The threat actors are associated with previously identified malicious activity targeting Cisco firewalls and SD-WAN systems. The Cybersecurity and Infrastructure Security Agency (CISA) has already added the defect to its list of known exploited vulnerabilities, signaling the urgency for remediation.
Critical Zero-Day Vulnerability in Cisco SD-WAN
The vulnerability, identified as CVE-2026-20182, carries a CVSS score of 10. Experts describe its impact as equivalent to a “master key,” allowing an attacker to impersonate a trusted network router and gain the highest level of administrative privileges without proper validation. This capability presents a severe security risk by providing a single point of entry for extensive network compromise.
Rapid7 discovered and reported the vulnerability to Cisco on March 9. Cisco acknowledged awareness of exploitation in early April and subsequently released a patch on Thursday. CISA’s swift action in adding the vulnerability to its catalog underscores its immediate threat and the widespread nature of potential attacks.
Exploitation and Threat Actors
Cisco Talos, the company’s threat intelligence division, has attributed the recent zero-day attacks to a group tracked as UAT-8616. This same group was previously linked to exploiting other zero-day vulnerabilities in Cisco’s network edge software. The current exploitation is described as ongoing, further increasing the risk for unpatched systems.
The exploitation of this new zero-day requires no credentials or prior knowledge of the target environment, according to Rapid7 researchers. This ease of exploitation makes it a particularly potent weapon for malicious actors. Cisco has stated that all deployment types, including on-premises and cloud environments, are affected.
Previous Exploitation and Impact
This incident is part of a larger trend of attackers exploiting vulnerabilities in Cisco’s SD-WAN and firewall products. CISA has added seven vulnerabilities affecting these systems to its catalog of known exploited vulnerabilities in less than three months. In one instance, researchers found that a campaign exploiting previous zero-days in Cisco edge technology had been underway for at least three years before discovery.
The consequences of a compromised Cisco SD-WAN Controller can be devastating. A single compromised controller can provide attackers with control over traffic routing, communication interception, malicious configuration deployment, and even widespread network disruption across an entire organization’s connected branches, data centers, and cloud edges. This highlights how the same centralization that makes SD-WAN efficient to operate also concentrates risk: the controller that manages every site is a single, high-value leverage point for attackers.
Recommendations and Next Steps
Cisco strongly advises customers to apply the available fixed software releases immediately and follow the guidance provided in its advisories and Talos blog posts. The company is also working with security researchers and customers to monitor for and address any further exploitation.
Organizations using Cisco Catalyst SD-WAN products should prioritize updating their systems to the latest patched versions. The ongoing nature of the attacks and the critical severity of this zero-day vulnerability mean that prompt action is essential to mitigate potential security breaches. Further advisories and threat intelligence updates from Cisco and CISA will be crucial for staying ahead of evolving threats.