Breaking: Cisco SD-WAN CVSS 10.0 Auth Bypass — CISA Emergency Directive — 15 May 2026
Cisco Catalyst SD-WAN Authentication Bypass — CISA Emergency Directive Issued
CISA has issued Emergency Directive 26-03 in response to active exploitation of CVE-2026-20182, a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller and Manager. The vulnerability allows an unauthenticated remote attacker to bypass authentication entirely and gain administrative privileges on affected systems. There is no middle ground here: full network takeover is possible from across the internet.
Cisco has confirmed limited active exploitation in the wild. CISA has set a remediation deadline of 17 May 2026, giving organisations just three days to act. That deadline is this Sunday.
What's happening
The vulnerability exists in the authentication mechanism of Cisco Catalyst SD-WAN Controller and Manager. An attacker needs no credentials, no insider access, and no user interaction. A single crafted request to an exposed SD-WAN controller grants full administrative control. From there, the attacker controls routing policy, can pivot into connected networks, intercept traffic, and establish persistent access.
CISA's Emergency Directive 26-03 requires federal agencies to immediately identify all Cisco Catalyst SD-WAN devices, apply available patches, and follow CISA's published Hunt and Hardening Guidance for Cisco SD-WAN devices. The three-day remediation window is among the shortest CISA has ever imposed, reflecting both the severity and the active exploitation.
A related entry in CISA's Known Exploited Vulnerabilities (KEV) catalog, CVE-2026-20128 (Cisco Catalyst SD-WAN Manager storing passwords in recoverable format), was also added to the catalog on 20 April under the same Emergency Directive, suggesting this is part of a broader weakness in the SD-WAN authentication architecture.
Why this matters now
SD-WAN controllers sit at the network edge. They are perimeter infrastructure by definition. An auth bypass at this level doesn't just compromise one device — it compromises every network segment, every site, and every tunnel the controller manages. For organisations that rely on Cisco SD-WAN to connect branch offices, data centres, or cloud environments, this is a full-spectrum exposure.
The active exploitation window is open. The 17 May deadline is hard. If your Cisco SD-WAN controllers are internet-facing and unpatched, you should assume compromise and begin incident response procedures alongside patching.
So what / Action
Immediately inventory all Cisco Catalyst SD-WAN Controller and Manager instances. Patch to the fixed versions referenced in Cisco's advisory. If patching cannot be completed before 17 May, restrict management plane access to trusted networks only and implement CISA's Hunt and Hardening Guidance. Review SD-WAN audit logs for indicators of exploitation dating back to at least 14 May. If you find evidence of compromise, treat it as a full network compromise: reset credentials, rotate certificates, and examine lateral movement paths from the controller into connected environments.
This is not a routine patch cycle. Three days is the window. Act accordingly.

