Full Report
Cisco security advisory (AV26-471)
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Cisco Catalyst SD-WAN (One Actively Exploited)
## CVE Details
- **CVE ID:** CVE-2026-20182 (primary); CVE-2026-XXXXX (additional vulnerabilities covered under AV26-471)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-287 (Improper Authentication) / CWE-284 (Improper Access Control)
## Affected Systems
- **Products:** Cisco Catalyst SD-WAN (Controller and Manager)
- **Versions:** Release trains 20.9 and earlier, 20.10, 20.11, 20.12, 20.13, 20.14, 20.15, and 26.1. Within an affected train, every release below that train's first fixed release is affected; the Fixed Software table in the vendor advisories is authoritative for the per-train cutoff.
- **Configurations:** Systems utilizing SD-WAN Controller and SD-WAN Manager software components.
## Vulnerability Description
The primary vulnerability (CVE-2026-20182) involves an authentication bypass in the Cisco Catalyst SD-WAN Controller. Due to insufficient validation of incoming requests, a remote, unauthenticated attacker could bypass authentication mechanisms and gain unauthorized access to the management interface. Additional vulnerabilities within the SD-WAN Manager include improper input validation and access control flaws that could allow for remote code execution (RCE) or administrative privilege escalation.
## Exploitation
- **Status:** **Exploited in the wild.** CVE-2026-20182 has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
- **Complexity:** Low
- **Attack Vector:** Network (Unauthenticated)
## Impact
- **Confidentiality:** High (Full access to network configuration and sensitive data)
- **Integrity:** High (Ability to modify network topology and security policies)
- **Availability:** High (Potential for complete network disruption)
## Remediation
### Patches
Cisco has released software updates that address these vulnerabilities. Upgrade each affected deployment to the first fixed release for its train (or later):
- For 20.x trains: upgrade to the first fixed maintenance release listed in the advisory's Fixed Software table (e.g., 20.13.2 for the 20.13 train, 20.15.1 for the 20.15 train), or as confirmed with Cisco TAC. A train with no fixed release must be migrated to a train that has one.
- For the 26.x train: upgrade to 26.1.1 or later.
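The version triage a practitioner runs against the Affected Systems list and the Patches section above, as an added example that is not Cisco's code or part of the original report: it reads the affected release trains as listed in this report, compares each inventoried version against a per-train first fixed release, and reports what must be upgraded or migrated. The `FIXED_RELEASES` map contains only the releases quoted as examples in the Patches section and is an assumption for illustration; fill it from the advisory's Fixed Software table before relying on the output. The inventory is constructed sample data.

```python
"""Added example, not code from Cisco or from this report: triage an inventory of
Catalyst SD-WAN Controller/Manager versions against the affected release trains
and per-train fixed releases.  FIXED_RELEASES holds only the releases quoted as
examples in the Patches section and is an assumption for illustration."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]
Train = Tuple[int, int]

# Release trains this report lists as affected.  "20.9 and prior" is read as
# every train up to and including 20.9, so older trains are treated as affected
# with no fixed release in-train (they must migrate to a fixed train).
LISTED_TRAINS = {(20, 10), (20, 11), (20, 12), (20, 13), (20, 14), (20, 15), (26, 1)}
OLDEST_LISTED_TRAIN: Train = (20, 9)

# First fixed release per train (assumed from the "e.g." values in the Patches
# section; replace with the advisory's Fixed Software table).
FIXED_RELEASES: Dict[Train, str] = {
    (20, 13): "20.13.2",
    (20, 15): "20.15.1",
    (26, 1): "26.1.1",
}


def parse_version(text: str) -> Version:
    """'20.13.2.1' -> (20, 13, 2, 1).  A non-numeric suffix such as '20.13.1a'
    keeps its leading digits; parsing stops at the first component with none."""
    parts = []
    for component in text.strip().split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts)


def train_of(version: Version) -> Train:
    return (version[0], version[1])


def is_affected_train(train: Train) -> bool:
    return train <= OLDEST_LISTED_TRAIN or train in LISTED_TRAINS


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, first_fixed_release).  status is 'not_listed' for trains the
    report does not mention, 'fixed' when the version is at or above its train's
    first fixed release, and 'vulnerable' otherwise (including affected trains
    with no fixed release, which must migrate)."""
    version = parse_version(version_text)
    train = train_of(version)
    if not is_affected_train(train):
        return "not_listed", None
    fixed = FIXED_RELEASES.get(train)
    if fixed is None:
        return "vulnerable", None
    # Tuple comparison orders (20, 13) < (20, 13, 2) < (20, 13, 2, 1), so a bare
    # train version sorts below its first fixed maintenance release.
    return ("fixed" if version >= parse_version(fixed) else "vulnerable"), fixed


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map hostname -> (status, first_fixed) for an inventory of hostname -> version."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames and versions are made up.
    sample = {
        "vmanage-01": "20.12.4",
        "vsmart-01": "20.13.1",
        "vsmart-02": "20.13.2",
        "vmanage-lab": "26.1",
        "vbond-old": "19.2.3",
    }
    for host, (status, fixed) in triage(sample).items():
        target = fixed or "migrate to a fixed train"
        print(f"{host:12} {sample[host]:10} {status:11} first fixed: {target}")
```

Versions in a train that has no entry in `FIXED_RELEASES` are reported as vulnerable with no fix, which matches the advisory convention of "migrate to a fixed release" rather than silently passing them.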
### Workarounds
- Cisco has not provided a workaround that removes the authentication bypass; the only mitigation until the fixed release is installed is to limit who can reach the management interfaces.
- **Access Control Lists (ACLs):** Restrict access to the SD-WAN Manager and Controller management interfaces to trusted internal management addresses only, and make sure they are not reachable from the Internet. Because the flaw needs no credentials, any host that can reach the interface is a potential attacker.
## Detection
- **Indicators of Compromise:** Successful administrative logins to SD-WAN Manager from unexpected source addresses, and creation of new local user accounts, in the SD-WAN Manager authentication and audit logs.
- **Detection methods and tools:**
- Review audit logs for configuration, policy and user changes that do not match change records, and treat changes made from outside the trusted management ranges as suspicious.
- Cross-reference your asset inventory against the CISA KEV entry for CVE-2026-20182 to prioritise the affected controllers and managers.
- Check Cisco Talos for Snort rules and ClamAV signatures covering exploitation attempts, and deploy any that are published.
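The indicators above run over audit records, as an added example that is not Cisco's code or part of the original report. The `key=value` line format, the channel names `auth` and `audit`, and the `TRUSTED_MGMT_NETS` allowlist are assumptions made for the example; the real SD-WAN Manager log fields need to be mapped onto `user`, `src`, `result` and `action` before use. The sample log lines are constructed.

```python
"""Added example, not code from Cisco or from this report: flag successful
management logins from untrusted sources, local user creation, and configuration
changes from untrusted sources.  The record format and allowlist are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Networks from which administrative access is expected (assumed for the example).
TRUSTED_MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.100.0/24")]

# Audit actions that change configuration or identity state and warrant review.
CONFIG_ACTIONS = {"policy_change", "template_push", "create_user", "modify_user"}

# Constructed sample records in the assumed format (not real SD-WAN Manager output).
SAMPLE_LOGS = """\
2026-03-02T10:14:22Z vmanage auth: user=netops src=10.20.1.7 result=success
2026-03-02T10:14:40Z vmanage auth: user=admin src=203.0.113.45 result=success
2026-03-02T10:15:01Z vmanage audit: user=admin src=203.0.113.45 action=create_user target=svc_backup
2026-03-02T10:15:30Z vmanage audit: user=admin src=203.0.113.45 action=policy_change target=security-policy-main
2026-03-02T10:20:02Z vmanage auth: user=attacker src=198.51.100.9 result=failure
2026-03-02T11:02:11Z vmanage audit: user=netops src=10.20.1.7 action=template_push target=branch-42
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<chan>\w+):\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Split a record into its fixed fields plus key=value pairs; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "chan": m.group("chan")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def is_trusted(src: str) -> bool:
    """True when src parses as an address inside an allowlisted management network.
    An unparseable source is treated as untrusted rather than silently passed."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_MGMT_NETS)


def detect(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, src = rec.get("user", "?"), rec.get("src", "?")
        if rec["chan"] == "auth":
            # Only successful logins matter for the "unexpected source" indicator;
            # failed attempts from outside are noise unless a success follows.
            if rec.get("result") == "success" and not is_trusted(src):
                findings.append(Finding(rec["ts"], user, src, "successful login from untrusted source"))
        elif rec["chan"] == "audit":
            action = rec.get("action", "")
            if action == "create_user":
                # Local account creation is flagged regardless of source address.
                findings.append(Finding(rec["ts"], user, src, f"local user created: {rec.get('target', '?')}"))
            elif action in CONFIG_ACTIONS and not is_trusted(src):
                findings.append(Finding(rec["ts"], user, src, f"{action} from untrusted source"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS.splitlines()):
        print(f"{f.ts} {f.user}@{f.src}: {f.reason}")
```

On the constructed sample the trusted operator's login and template push produce nothing, the failed external login is ignored, and the external `admin` session is flagged three times: the login itself, the new local account, and the policy change. Local user creation is flagged even from a trusted source because a successful bypass may be followed by the attacker pivoting through an allowlisted host.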
## References
- **Vendor Advisory:** hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
- **Vendor Advisory:** hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-mltvnps2-JxpWm7R
- **CISA KEV:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20182
- **Cisco Security Portal:** hxxps[://]tools[.]cisco[.]com/security/center/publicationListing[.]x