COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-20182

CVE-2026-20182

Severity
high · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2026-05-14
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-20182
⚡ RCE ⌖ exploited in the wild shame 85/100 exploited-in-wildransomwareauth-bypassunpatched

Cisco Catalyst SD-WAN Controller allows unauthenticated remote attackers to bypass authentication and gain administrative privileges.

This authentication bypass vulnerability enables remote attackers to escalate privileges without credentials, posing a severe risk to DIB organizations relying on Cisco SD-WAN for network control. The vulnerability is actively exploited in the wild and linked to ransomware campaigns, making it a critical compliance failure for FedRAMP vendors and hardware suppliers. Organizations must immediately patch affected systems and audit access controls to prevent unauthorized administrative access.

Shame score — Active exploitation in the wild combined with ransomware linkage and unauthenticated remote access to administrative privileges represents a severe, avoidable security failure.

Players implicated

Cisco Systems Inc. · vendorCatalyst SD-WAN · product

Description

Cisco Catalyst SD-WAN Controller & Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.

Affected FedRAMP products 9 in the catalog

ProductProviderStatusMatch
AppDynamics GovAPM AppDynamics (a Cisco company) Authorized dex-judge · 0.95
Cisco Cloudlock for Government Cisco Systems Inc. Authorized vendor-exact · 0.90
Cisco Meraki for Government Cisco Systems Inc. In Process vendor-exact · 0.90
Cisco SD-WAN for Government Cisco Systems Inc. In Process vendor-exact · 0.90
Cisco Umbrella for Government Cisco Systems Inc. In Process vendor-exact · 0.90
Cisco Unified Communications Manager Cloud for Government (Cisco UCM Cloud for Government) Cisco Systems Inc. Authorized vendor-exact · 0.90
Duo Federal Duo Security (A Cisco Company) Authorized dex-judge · 0.95
WebEx Contact Center Enterprise for Government (WxCCE-G) Cisco Systems Inc. In Process vendor-exact · 0.90
Webex for Government Cisco Systems Inc. Authorized vendor-exact · 0.90