Vulnerability Watch

Forum Discussion

snarang
Product Team
4 days ago

FAQ about the continued exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182)

Multiple critical authentication bypass vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager are under active exploitation. A sophisticated threat actor tracked as UAT-8616 has been exploiting these systems since at least 2023, and 10 additional threat clusters began exploiting a chain of vulnerabilities in March 2026 after proof-of-concept code was published. CISA issued Emergency Directive 26-03 and added CVE-2026-20182 to the KEV catalog on May 14 with a 3-day remediation deadline.

| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass | 10.0 |
| CVE-2026-20127 | Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass | 10.0 |
| CVE-2026-20133 | Cisco Catalyst SD-WAN Manager Information Disclosure | 7.5 |
| CVE-2026-20128 | Cisco Catalyst SD-WAN Manager Credential Access | 7.5 |
| CVE-2026-20122 | Cisco Catalyst SD-WAN Manager Arbitrary File Overwrite | 5.4 |

For more information about the vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.
