A CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller and Manager lets unauthenticated remote attackers seize high-privileged accounts and rewrite SD-WAN fabric configuration; CISA added it to KEV on 2026-05-14 with a 3-day remediation deadline under Emergency Directive 26-03.
What Is It
A flaw in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). The peering authentication does not work properly, so an attacker can send crafted requests to log in as an internal, high-privileged, non-root account. From there, they reach NETCONF and can manipulate network configuration for the entire SD-WAN fabric. Tracked as CWE-287 (Improper Authentication). Disclosed by Cisco PSIRT on 2026-05-14 as a follow-on to an earlier February 2026 advisory, after a new vulnerability was found in the control connection handshaking.
Why It Matters
CVSS 3.1 base score is 10.0 (CRITICAL): network attack vector, low complexity, no privileges, no user interaction, scope changed, with high impact to confidentiality, integrity, and availability. A successful exploit gives an unauthenticated remote attacker administrative control over the SD-WAN control plane, and through NETCONF, the ability to reconfigure routing and policy across the fabric. CISA added the CVE to KEV on 2026-05-14 with a due date of 2026-05-17 and issued Emergency Directive 26-03. Known ransomware campaign use is currently "Unknown."
What's Vulnerable
- Cisco Catalyst SD-WAN Manager (formerly vManage), versions before 20.9.9.1; 20.10–20.12.5.4; 20.12.6–20.12.6.2; 20.12.7; 20.13–20.15.4.4; 20.15.5–20.15.5.2; 20.16–20.18.2.2; 26.1–26.1.1.1.
- Cisco SD-WAN vSmart Controller / Catalyst SD-WAN Controller: same version ranges as above.
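One way to triage an inventory against the version list above. This is an added example, not code from Cisco or CISA. The host names are constructed, and treating a version that sits exactly on a range's upper bound as "verify" is an assumption, because the list does not say whether that bound is the last affected or the first fixed release.

```python
from itertools import zip_longest

# Ranges transcribed from the list above as (low, high) dotted strings.
# low=None means "everything before high", with high itself excluded.
# A single listed release is written with low == high.
LISTED = [
    (None, "20.9.9.1"),
    ("20.10", "20.12.5.4"),
    ("20.12.6", "20.12.6.2"),
    ("20.12.7", "20.12.7"),
    ("20.13", "20.15.4.4"),
    ("20.15.5", "20.15.5.2"),
    ("20.16", "20.18.2.2"),
    ("26.1", "26.1.1.1"),
]

def parse(version):
    """'20.12.5.4' -> (20, 12, 5, 4); raises ValueError on non-numeric parts."""
    return tuple(int(p) for p in version.strip().split("."))

def compare(a, b):
    """Compare dotted versions, zero-padding the shorter (20.10 == 20.10.0)."""
    for x, y in zip_longest(parse(a), parse(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def triage(version):
    """Return 'affected', 'verify' or 'not-listed' for one version string."""
    for low, high in LISTED:
        if low is None:
            if compare(version, high) < 0:
                return "affected"
            continue
        if compare(version, low) < 0 or compare(version, high) > 0:
            continue
        # Assumption: the upper bound is ambiguous on the page, so an exact
        # match is sent for manual confirmation against the Cisco advisory
        # instead of being cleared or flagged automatically.
        if low != high and compare(version, high) == 0:
            return "verify"
        return "affected"
    return "not-listed"

if __name__ == "__main__":
    # Constructed inventory: (hostname, running release)
    for host, ver in [("mgr-01", "20.12.5.4"), ("ctl-01", "20.15.4"), ("ctl-02", "20.12.7.1")]:
        print(f"{host:8} {ver:12} {triage(ver)}")
```

A "not-listed" result only means the release falls outside the ranges quoted here; the fixed releases themselves are named in the Cisco advisory.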
Patch Status
Fixed releases are referenced in the Cisco Security Advisory (cisco-sa-sdwan-rpa2-v69WY2SW). CISA's required action: follow Emergency Directive 26-03 and the supplemental Hunt & Hardening Guidance for Cisco SD-WAN Systems to assess exposure and remediate; apply BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable. Cisco's advisory also includes Show Control Connections guidance for system checks.