Cisco disclosed CVE-2026-20182 on May 14, an authentication bypass in Cisco Catalyst SD-WAN Controller and Manager with a CVSS score of 10.0. The flaw allows unauthenticated remote attackers to obtain administrative privileges. The first exploitation attempts were observed less than four hours after public disclosure, according to security researchers tracking the CVE.
The exploitation window is the operational fact that matters. Four hours from public disclosure to first observed attempts is consistent with attackers monitoring vendor disclosure feeds and acting on the same day. Anyone running affected versions during that window who had not patched was relying on the obscurity gap between disclosure and attack tooling. That gap has closed for high-severity CVEs across the past 18 months as exploitation pipelines have automated. CVSS 10.0 with no required authentication means a full administrative compromise is achievable from outside the network. For SD-WAN deployments specifically, that means the attacker controls the routing topology, traffic shaping, and any tunneled traffic across the management plane. Cisco has not yet disclosed the full list of products and versions; the catalog entry is still being updated. CISA has not yet listed the CVE in its Known Exploited Vulnerabilities catalog, but the active-exploitation reports likely qualify it for inclusion this week.
For Cisco SD-WAN operators: patch immediately if you have not already, and audit the management plane logs for unauthorized administrative actions in the past 48 hours. If you find evidence of compromise, assume any tunneled traffic from that period was visible to the attacker.