Maximum Severity Cisco SD-WAN Bug Exploited in the Wild

A highly sophisticated threat actor is exploiting a critical vulnerability in Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) Controllers. Rapid7 disclosed CVE-2026-20182, an authentication bypass vulnerability in Cisco's market-leading network management solution. By allowing unauthenticated attackers free rein over one of an organization's most powerful tools, it earned the highest possible 10 out of 10 score in the Common Vulnerability Scoring System (CVSS). In an updated blog post today, Rapid7 director of vulnerability intelligence Douglas McKee hammered home just how serious an issue this was. "Attackers have become very good at turning central infrastructure weaknesses into high impact operations," he warned, and for nation-states in particular, "an SD-WAN controller is a great place to do [espionage], because it lives in the middle of trust relationships most organizations rarely question." To avoid sensationalizing, McKee added, "To be fair, not every bug turns into Internet-wide exploitation overnight." In fact, CVE-2026-20182 had been exploited overnight. In a separate publication that same day, researchers at Cisco Talos flagged that a group it tracks as UAT-8616 has already gotten to it. Not only is CVE-2026-20182 not the first vulnerability discovered in Cisco Catalyst this year, it isn't even the first authentication bypass vulnerability with a "critical" 10 score on the CVSS scale. Back in February, Cisco revealed half a dozen issues with Catalyst. ...