The US cybersecurity agency CISA has added a serious flaw in Cisco’s SD-WAN networking equipment to its list of actively exploited vulnerabilities. The bug, CVE-2026-20182, earns a perfect 10.0 out of 10 on the severity scale because it allows any attacker on the internet to log into the management console as an administrator—no password required. Attackers linked to a known threat cluster called UAT-8616 are already using it to install web shells (hidden backdoors) on affected equipment.
SD-WAN devices are the routers and controllers that large organisations—companies, hospitals, and government offices—use to manage their internet connections across multiple office locations. If you work at a business or government agency that uses Cisco networking equipment, this matters to your employer’s security today. Home users are not directly affected, though this type of attack on critical infrastructure can have downstream effects on services you rely on.
How to check if you’re affected
Affected products include Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager running any versions prior to the patches released in Cisco’s May 2026 security advisory:
- If your organisation manages its own Cisco SD-WAN infrastructure, check Cisco’s advisory immediately and apply available patches.
- If your business uses a managed internet or networking provider, contact them today to confirm they have patched CVE-2026-20182.
- US federal civilian agencies must remediate by May 17, 2026 per CISA’s binding operational directive.