Patch now! Attackers are targeting Cisco Catalyst SD-WAN Controller
Attackers are currently exploiting a critical security vulnerability in Cisco Catalyst SD-WAN Controller. Security updates are available.
Because authentication in Cisco Catalyst SD-WAN Controller is flawed, attackers are currently gaining access to instances. Admins must install the available security patches immediately. The network equipment supplier has also patched Catalyst SD-WAN Manager.
With both tools, admins primarily control network processes and monitor specific parameters.
Unauthorized Access
In a warning message, the developers state that the actively exploited vulnerability (CVE-2026-20182) is rated "critical" with the maximum CVSS score of 10 out of 10. It specifically affects the peering authentication mechanism. Remote attackers are currently exploiting it by sending crafted requests to bypass authentication and gain access. They then hold high user privileges and can, among other things, manipulate network configurations. Given this classification, systems should be assumed to be fully compromised after an attack.
The extent of the attacks is currently unknown. Meanwhile, the US agency CISA warns of the attacks and outlines a risk for federal agencies. The developers state that there are no security updates for Catalyst SD-WAN versions prior to 20.9. In that case, an upgrade to a still-supported version is necessary. According to Cisco, the following versions are protected against the ongoing attacks:
- 20.9.9.1
- 20.12.7.1
- 20.12.5.4
- 20.12.6.2
- 20.15.5.2
- 20.15.4.4
- 20.18.2.2
- 26.1.1.1
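An added example, not from heise or Cisco: a small triage of an inventory against the fixed versions listed above. The host names and inventory are constructed, and treating later builds on the same three-part branch as fixed is an assumption; branches not in the list are flagged for manual checking against the advisory.

```python
# Fixed releases exactly as listed in the article.
FIXED = ["20.9.9.1", "20.12.7.1", "20.12.5.4", "20.12.6.2",
         "20.15.5.2", "20.15.4.4", "20.18.2.2", "26.1.1.1"]
MIN_SUPPORTED = (20, 9)  # article: no security updates prior to 20.9

# Constructed sample inventory (hypothetical host names and versions).
INVENTORY = {
    "sdwan-ctrl-01": "20.12.5.3",
    "sdwan-ctrl-02": "20.15.5.2",
    "sdwan-mgr-01": "20.6.3",
    "sdwan-ctrl-03": "20.12.8.1",
}


def parse(version):
    """Turn '20.12.5.4' into (20, 12, 5, 4); pad short strings with zeros."""
    parts = version.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))


# Index the fixed builds by their three-part branch, e.g. (20, 12, 5).
FIXED_BY_BRANCH = {parse(v)[:3]: parse(v) for v in FIXED}


def triage(version):
    """Classify one installed version against the fixed list."""
    v = parse(version)
    if v[:2] < MIN_SUPPORTED:
        return "UPGRADE"         # no patch exists, move to a supported release
    fixed = FIXED_BY_BRANCH.get(v[:3])
    if fixed is None:
        return "CHECK_ADVISORY"  # branch not listed: do not guess
    # Assumption: later builds on the same branch keep the fix.
    return "FIXED" if v >= fixed else "PATCH"


def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(report(INVENTORY).items()):
        print(f"{host:15} {INVENTORY[host]:10} {status}")
```

A `FIXED` result only reflects the patch level; it does not show whether an instance was compromised before the update, which is what the indicators of compromise in the warning message are for.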
In the warning message, admins can find indicators of compromise (IoC) by which they can identify already successfully attacked instances.
Further Dangers
Catalyst SD-WAN Manager is affected by a total of three security vulnerabilities (CVE-2026-20209, CVE-2026-20210, CVE20224). Cisco classifies the severity as "high". Among other things, attackers can use them to gain unauthorized access to files. The security updates listed above fix these issues.
(des)