Skip to main content
Explore our brands An Informa TechTarget Publication
close search
site logo

Attackers exploit critical flaw in Cisco Catalyst SD-WAN Controller

Researchers discovered the authentication bypass vulnerability while investigating a prior issue in the same service.

Published May 15, 2026
David Jones's headshot
Reporter
The Cisco office at Santana Row Shopping Mall in San Jose California.
A Cisco office in San Jose, California on April 11, 2025. Researchers warn that hackers are targeting a critical vulnerability in Cisco Catalyst SD-WAN Controller. Getty Images

A critical vulnerability in Cisco Catalyst SD-WAN Controller is facing active exploitation almost immediately after security researchers publicly disclosed the flaw. 

The vulnerability, tracked as CVE-2026-20182, is an authentication bypass vulnerability, which has a severity score of 10, which is considered the highest potential rating. The flaw could allow an attacker to circumvent authentication procedures and gain administrative privileges on an affected server. 

Cisco on Thursday released an advisory for the newly discovered vulnerability and issued security updates to address the flaw, and the Cybersecurity and Infrastructure Security Agency added the CVE to its Known Exploited Vulnerabilities catalog. 

Cisco Talos, the threat intelligence arm of Cisco, said the current exploitation activity thus far has been limited and they are clustering the activity to an actor tracked as UAT-8616. They warned the attacker had been involved in exploitation of another recently disclosed vulnerability, which is designated as CVE-2026-20127.

Researchers at Rapid7 discovered the latest vulnerability in Cisco Catalyst SD-WAN Controller while investigating CVE-2026-20127, which was being exploited by the same hackers. This latest vulnerability affects the “vdaemon” service over DTLS, which Rapid7 said is the same service that contained the earlier flaw. 

Rapid7 cautioned, however, that the newly discovered vulnerability is not a patch bypass of CVE-2026-20127, but a different issue that is located in the same part of the daemon networking stack.

 

Filed Under: Vulnerability, Threats

Editors' picks

Company Announcements

View all | Post a press release
Former Okta President of Auth0, Shiven Ramji, to Join Cellebrite as President, Products and Te…
From Cellebrite
May 01, 2026
360 Privacy Expands Executive Team to Grow Digital Exposure Reduction
From 360 Privacy
April 29, 2026
360 Privacy logo
The Pitstop Releases “The AI Agent Liability Gap” White Paper on Security, Insurance, and Acco…
From thepitstop.ai
April 29, 2026
thepitstop.ai logo
Protectors Edge: Leadership through Strategy and Action
From 360 Privacy
April 24, 2026
360 Privacy logo
Editors' picks
Latest in Vulnerability
This website is owned and operated by Informa TechTarget, a global network that informs, influences and connects the world's technology buyers and sellers.

© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. An Informa PLC company.
Privacy policy | Terms of use | Take down policy | Cookie Preferences / Do Not Sell