InfoSecBulletin Cybersecurity for mankind
Cisco is alerting that a critical flaw in the Catalyst SD-WAN Controller, known as CVE-2026-20182, was used in attacks that let hackers get admin access on affected devices. CVE-2026-20182 has the highest severity score of 10.0. It affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager in both on-site and cloud setups.
The attacker doesn’t need a username or password to attack. They can just send a “crafted request” that takes advantage of how the system deals with XXE entries when reading XML, allowing them to look into private files.
LastPass says hackers stole customer data via Klue, supply chain breach
New Apple Exploit Bypasses Boot Defenses, Possibly Affects Millions of iPhones Worldwide
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
Affected Products:
Vulnerable Products
This vulnerability affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, regardless of device configuration.
This vulnerability affects all deployment types, including:
On-Prem Deployment
Cisco SD-WAN Cloud-Pro
Cisco SD-WAN Cloud (Cisco Managed)
Cisco SD-WAN for Government (FedRAMP)
Indicators of Compromise (IOC)
| IOC Type | Value / Description |
|---|---|
| Log File | /var/log/auth.log |
| Suspicious Entry | Accepted publickey for vmanage-admin from unknown IP |
| Injected File | /home/vmanage-admin/.ssh/authorized_keys (unauthorized key appended) |
| Suspicious Port | DTLS UDP/12346 (vdaemon), TCP/830 (NETCONF SSH) |
| CVE | CVE-2026-20182 |
| CVSS Score | 10.0 (Critical) |
| CWE | CWE-287: Improper Authentication |
Cisco Catalyst SD-WAN is a software system that links branch offices, data centers, and the cloud through one main control system. It uses a controller to safely direct traffic between locations over secure, encrypted links.
Cisco says it found hackers using the flaw in May, but did not share any details on how it happened.
