🔴 CVE-2026-20182

Critical authentication bypass in Cisco Catalyst SD-WAN Manager allows unauthenticated remote attackers to gain administrative privileges through crafted requests. This vulnerability is actively being exploited in the wild and is listed in CISA's KEV catalog.

← Back to Overview
HIGH_RISK
Risk Level
10.0
CVSS Score
NETWORK
Attack Vector
Initial Access
ATT&CK Tactic
T1190 — Exploit Public-Facing Application
ATT&CK Technique
HIGH
Deployment Risk
No
Ransomware

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-05-14

Added to CISA KEV: 2026-05-14 0 DAY BETWEEN CVE AND KEV

🌐 Internet Exposure (Shodan): 107 internet-facing instances →
Query: http.title:"Cisco vManage"   View on Shodan ↗
This searches for the web interface title of Cisco vManage, which is the management interface for Cisco Catalyst SD-WAN Manager. Some instances may use custom titles or different branding that could reduce detection coverage.
Checked: 2026-06-04

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-05-14)

Regarding CVE-2026-20182, here's what is known about its exploitation:

  • Internet-Facing Applications or Services: The vulnerability affects Cisco Catalyst SD-WAN Manager (formerly vSmart) [4]. While specific details on whether it's *exclusively* internet-facing are not detailed, vulnerabilities in network management systems are often targeted when exposed to the internet.
  • Evidence of Active Exploitation in the Wild: There are conflicting reports. One source indicates that no active exploitation has been reported [1]. However, CISA's Known Exploited Vulnerabilities (KEV) catalog is based on evidence of active exploitation [3]. The presence of CVE-2026-20182 in the KEV catalog implies that active exploitation has been observed [2].
  • Attack Vectors and Exploitation Methods: The vulnerability is described as a critical authentication bypass [4]. This means it allows unauthenticated attackers to compromise the confidentiality, integrity, and availability of Cisco Catalyst SD-WAN Manager [1]. The attack complexity is noted as low [1].
  • Used in Targeted Attacks: While not explicitly stated that CVE-2026-20182 has been used in targeted attacks, the CISA KEV catalog is a list of vulnerabilities that have been exploited in the wild, and these can include targeted campaigns [2]. Public details can accelerate exploit writing, and sometimes exploitation precedes broad public disclosure in targeted campaigns [5].
  • CISA Known Exploited Vulnerabilities (KEV) Status: CVE-2026-20182 is listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog [2]. CISA maintains this catalog to highlight vulnerabilities that have been actively exploited in the wild, and organizations are urged to prioritize remediation of these vulnerabilities [3].
  • Technical Details about Internet Exploitability: The vulnerability is an authentication bypass that allows unauthenticated attackers to gain unauthorized access, impacting confidentiality, integrity, and availability [1]. The low attack complexity suggests that it is relatively easy to exploit, especially if the affected system is accessible from the internet.

Sources

  1. CVE-2026-20182 | Cisco Cisco Catalyst SD-WAN Manager | CVETodo

    Why This CVE Matters CVE-2026-20182 enables unauthenticated attackers to compromise confidentiality and integrity and availability of Cisco Cisco Catalyst SD-WAN Manager. While no active exploitation has been reported, the vulnerability's low attack complexity and critical impact make it a high-risk…

  2. Known Exploited Vulnerabilities Catalog - CISA

    For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catal…

  3. CISA Adds Seven Known Exploited Vulnerabilities to Catalog

    CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  4. CVE-2026-20182: Critical authentication bypass in Cisco ... - Rapid7

    While researching a critical authentication bypass vulnerability, CVE-2026-20127, which was exploited in-the-wild, Rapid7 Labs discovered a new authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller (formerly known as vSmart), CVE-2026-20182.

  5. CVE & Vulnerability Management in 2026: From... | isMalicious Blog

    Public details can accelerate exploit writing. Sometimes exploitation precedes broad public disclosure in targeted campaigns—another reason threat intelligence matters.Tier 0 — Emergency: KEV-listed CVEs affecting internet-facing assets, or flaws with public weaponized exploits targeting your techno…

Generated by PatchNow Intelligence System

Analysis based on CIRCL.LU data, Claude AI assessment, and MITRE ATT&CK framework

📄 Download JSON Data | 📡 RSS Feed