Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

[KEV] CVE-2026-20182 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2026-20182 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2026-20182 is an authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager, allowing unauthenticated remote attackers to gain administrative control over affected systems.

Technical Detail

The flaw resides in the authentication mechanism of the Cisco Catalyst SD-WAN Controller and Manager, permitting a remote, unauthenticated attacker to bypass authentication controls entirely and obtain administrative privileges. The precise technical root cause has not been publicly disclosed, but the impact is full administrative compromise of the SD-WAN management plane, which governs network policy, routing, and device configuration across the SD-WAN fabric. Successful exploitation could allow an attacker to reconfigure network infrastructure, intercept traffic, pivot to connected network segments, or disrupt WAN operations at scale.

Exploitation Status

CISA has confirmed active exploitation in the wild, adding this CVE to the Known Exploited Vulnerabilities catalog on May 14, 2026. The exploit maturity is rated Operational, meaning a reliable, functional exploit exists and is being used in real-world attacks, not merely demonstrated in a controlled research context. Organizations running affected Cisco Catalyst SD-WAN infrastructure should treat this as an active threat requiring immediate response.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. Given the nature of the vulnerability, targeting of enterprise and government network infrastructure is a plausible concern, but no named groups or campaigns have been publicly linked to exploitation of this CVE as of May 15, 2026.

What To Do

Under CISA's Binding Operational Directive 22-01, federal civilian agencies are required to remediate this vulnerability immediately given its KEV listing date of May 14, 2026. All organizations should apply Cisco's official patches for the Catalyst SD-WAN Controller and Manager as the primary remediation action. Until patching is complete, restrict management plane access to trusted IP ranges only, enforce network-level controls to limit exposure of the SD-WAN management interface to the internet, and review administrative account activity for unauthorized access or configuration changes. Monitor Cisco's Security Advisory portal for specific fixed software versions and any available workarounds. Given the administrative privilege impact, post-exploitation forensic review of affected systems is advisable even after patching.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →