Vulnerability Management, Patch/Configuration Management

10.0 Cisco Catalyst SD-WAN Controller bug added to CISA’s KEV list

May 15, 2026
By Steve Zurier

The Cybersecurity and Infrastructure Security Agency (CISA) on May 14 added a maximum-severity 10.0 authentication bypass flaw for Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog.

CISA added the flaw to the KEV after Cisco Talos reported in a blog post that the SD-WAN controller flaw was actively exploited and tied with “high confidence” by Cisco to UAT-8616, an alleged China-nexus group that has been targeting Cisco SD-WAN gear since at least 2023.

Cisco also released a patch for this new vulnerability, explaining that the flaw exists because the peering authentication mechanism in an affected system does not work properly.

Kevin E. Greene, chief cybersecurity technology for public sector at BeyondTrust, said the CVSS 10.0 rating on CVE-2026-20182 is accurate and should drive immediate prioritization by security teams. However, Greene said the more important signal is the CVE vulnerability class itself: authentication bypass on network management infrastructure is the highest-value target we’ve been seeing in threat actors’ playbook because it eliminates every friction point between external access and administrative control of the privilege plane.

“Threat actors are shifting to mobile device management, edge devices, and network infrastructure components because they govern everything below them,” explained Greene. “Think about it this way: If you can compromise the management plane, you can own everything it manages, and owning everything it manages is the ideal conditions for plane jumping.”

Darren Guccione, co-founder and CEO at Keeper Security, added that active exploitation of critical network infrastructure by a reported state-aligned threat actor is exactly the scenario that demands a mature, identity-first approach to access governance.

Guccione said CVE-2026-20182 carries a maximum severity score of 10.0 for good reason: an unauthenticated remote attacker can bypass authentication entirely and assume administrative control of the network control plane, determining how the entire environment routes traffic, enforces policy and manages access.

“CISA has mandated that federal civilian agencies remediate within three days, a timeline that reflects the severity of active, in-the-wild exploitation attributed to UAT-8616, the same state-aligned threat cluster responsible for a prior authentication bypass against the same Cisco SD-WAN product line,” said Guccione. “The consistency of the target, the tactic and the outcome is the signal. This actor has identified a reliable attack surface and is committed to it.”

Rogier Fischer, co-founder and CEO at Hadrian, said while multiple vulnerabilities have surfaced in edge connectivity platforms this year, this latest Cisco SD-WAN one stands out not only because of its critical rating and the potential for unauthenticated administrative control, but because it was discovered in the midst of investigating earlier exploitation. Fischer said that signals attackers have deeper operational knowledge of Cisco SD-WAN internals: they’ve likely reverse-engineered components and mapped authentication flows.

“From a hacker's perspective this is a logical move, SD-WAN control planes are strategic targets and investing the effort to inside and out is clearly paying dividends,” said Fischer. “This is a reminder that when attackers understand system architecture deeply, vendors can’t just release a patch for a single flaw, they need for vendors to harden management-plane and review the trust relationships.”