Critical authentication bypass in Cisco Catalyst SD-WAN Manager allows unauthenticated remote attackers to gain administrative privileges through crafted requests. This vulnerability is actively being exploited in the wild and is listed in CISA's KEV catalog.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2026-05-14
Added to CISA KEV: 2026-05-14 (0 days between CVE and KEV)
Why This CVE Matters
CVE-2026-20182 enables unauthenticated attackers to compromise the confidentiality, integrity and availability of Cisco Catalyst SD-WAN Manager. While no active exploitation has been reported, the vulnerability's low attack complexity and critical impact make it a high-risk issue if left unpatched.
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.
Android Kernel contains a use-after-free vulnerability in binder.c that allows for privilege escalation from an application to the Linux Kernel. This vulnerability was observed chained with CVE-2020-0041 and CVE-2020-0069 under exploit chain "AbstractEmu." Apply updates per vendor instructions.
CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
While researching a critical authentication bypass vulnerability, CVE-2026-20127, which was exploited in-the-wild, Rapid7 Labs discovered a new authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller (formerly known as vSmart), CVE-2026-20182.
Public details can accelerate exploit writing. Sometimes exploitation precedes broad public disclosure in targeted campaigns—another reason threat intelligence matters.
Tier 0 — Emergency: KEV-listed CVEs affecting internet-facing assets, or flaws with public weaponized exploits targeting your technology stack.
Tier 1 — High: Critical or high CVSS issues on sensitive systems where exploitation is plausible and compensating controls are weak.
Tier 2 — Planned: Medium risk with available patches; schedule inside normal maintenance windows with testing.