Cisco's SD-WAN Bug Just Hit Maximum Severity, and It's Already Being Exploited
Cisco has patched a vulnerability in its Catalyst SD-WAN Controller and Manager products that scored a perfect 10.0 on the CVSS severity scale, the maximum possible rating. Tracked as CVE-2026-20182, the flaw lets an unauthenticated attacker impersonate a legitimate network peer and gain full administrative control over the affected device, with no login required.
How the attack works
Researchers at Cisco Talos say a threat actor they track as UAT-8616 is actively exploiting the bug. Once an attacker becomes an authenticated peer, they can inject their own SSH public key into the vmanage-admin account's list of authorised keys. From that point, they have persistent remote access to the box, no password needed, and can move on to whatever sits behind it.
This is not UAT-8616's first run at Cisco's SD-WAN stack. Talos says the same group previously exploited a near-identical bug, CVE-2026-20127, to break into SD-WAN systems. The pattern suggests a group with deep familiarity with this specific product line, not an opportunistic scan-and-spray operation.
Who is affected
The vulnerability affects Cisco Catalyst SD-WAN Controller, formerly vSmart, and Catalyst SD-WAN Manager, in both on-premises and cloud deployments. If your organisation runs either product, this is not a patch to schedule for next sprint. CISA and international partners have already flagged ongoing global exploitation of Cisco SD-WAN systems as a coordinated concern, not an isolated incident.
What to do
Patch immediately if you run Catalyst SD-WAN Controller or Manager. Then check the vmanage-admin account's authorized_keys file for anything you did not put there yourself, because a patch alone will not remove a backdoor an attacker already planted. If you find an unfamiliar key, assume the device is compromised and rebuild it rather than just deleting the key.
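One way to run that key check, as an added example (not Cisco or Talos tooling): the script below fingerprints every entry in an authorized_keys file and reports any that are not on an approved list. The file's location on the device is not given in this article, so the caller supplies the file contents; the approved set and the sample entries are constructed assumptions.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a raw public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entry(line):
    """Return the key blob from one authorized_keys line, or None if unparseable."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if not field.startswith(KEY_TYPES):
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        # A real blob starts with its own length-prefixed key type; this rejects
        # look-alike tokens inside a leading options field such as command="...".
        name = field.encode()
        if blob[:4 + len(name)] == struct.pack(">I", len(name)) + name:
            return blob
    return None

def audit(text, approved):
    """Return [(line_no, fingerprint or None)] for entries not in `approved`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        blob = parse_entry(line)
        fp = fingerprint(blob) if blob else None
        if fp not in approved:
            findings.append((line_no, fp))
    return findings

def sample_entry(seed, comment):
    """Constructed ed25519-shaped entry for the demo; not a real key pair."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment, fingerprint(blob)

if __name__ == "__main__":
    good, good_fp = sample_entry(1, "ops@constructed")
    bad, _ = sample_entry(2, "unknown@constructed")
    print(audit(good + "\n" + bad + "\n", {good_fp}))
```

Any line it reports, including one whose fingerprint is `None` because it could not be parsed, is an entry to investigate under the guidance above.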