
Cisco SD-WAN CVE-2026-20182: CVSS 10 Auth Bypass - Patch ASAP

MDR_Analyst_Chris 5/14/2026 USER

Just saw the advisory drop for CVE-2026-20182. It’s a max-severity authentication bypass in the peering authentication of the Cisco Catalyst SD-WAN Controller (formerly vSmart). With a CVSS score of 10.0 and confirmed active exploitation, this is the definition of 'drop everything and patch.'

The flaw allows an unauthenticated, remote attacker to bypass authentication and assume administrative privileges. If you have your management interfaces exposed to the internet, you are essentially inviting a full takeover of your WAN fabric.

I've started checking our version strings against the advisory. If you need to verify if you are vulnerable, you can check your software version:

show version | include "Release"

Regarding detection, since this is an auth bypass, standard logs might not show a failed login. We are looking for successful admin sessions originating from unusual IPs or configuration changes outside of change windows.

Here’s a quick KQL query for Sentinel/Defender users to hunt for suspicious config pushes:

CiscoSDWANEvent
| where EventType == "Configuration"
| where initiating_user != "admin_user_1" and initiating_user != "admin_user_2"
| summarize count() by SrcIpAddr, initiating_user


Is anyone else pushing emergency patches tonight, or are you relying on WAF rules and IP whitelisting until the next maintenance window?
RedTeam_Carlos 5/14/2026

Patch immediately. We attempted to mitigate by restricting management access to VPN-only, but given the CVSS 10 rating, we couldn't risk it. The upgrade was smooth on the controllers, but don't forget the edge devices if they list shared components in the advisory.

TabletopEx_Quinn 5/14/2026

This is scary because of how critical SD-WAN is for connectivity. If the controller is popped, they can re-route traffic easily. We're checking our netflow data for any unexpected tunnel spikes. I recommend checking your configuration backups for any unauthorized changes made recently.

DNS_Security_Rita 5/14/2026

If you can't patch immediately, restrict management plane access strictly to internal subnets via ACLs. There is absolutely no excuse for having vSmart or the Controller exposed directly to the public internet in 2026.
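The detection ideas raised in this thread (config changes from unusual source IPs or outside change windows), as an added example that is not part of any post above: a Python triage pass over exported configuration events. The field names EventType, initiating_user and SrcIpAddr come from the query in the first post; the TimeGenerated field, the management subnet, the change window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed site policy (placeholders, not taken from the thread).
MGMT_NETS = [ip_network("10.20.0.0/24")]           # allowed management sources
KNOWN_ADMINS = {"admin_user_1", "admin_user_2"}    # names used in the query above
CHANGE_DAYS = {1, 3}                               # Tuesday, Thursday (Monday=0)
CHANGE_START, CHANGE_END = time(1, 0), time(4, 0)  # 01:00-04:00 UTC

def triage(event):
    """Return the reasons a Configuration event needs review ([] if none)."""
    if event.get("EventType") != "Configuration":
        return []
    reasons = []
    try:
        src = ip_address(event["SrcIpAddr"])
        if not any(src in net for net in MGMT_NETS):
            reasons.append("source outside management subnets")
    except (KeyError, TypeError, ValueError):
        reasons.append("missing or unparseable source IP")
    # Checked independently of the IP and time tests, so an event under a
    # known admin name is still flagged when its source or timing is off.
    if event.get("initiating_user") not in KNOWN_ADMINS:
        reasons.append("unexpected initiating user")
    try:
        ts = datetime.fromisoformat(event["TimeGenerated"])
        in_window = (ts.weekday() in CHANGE_DAYS
                     and CHANGE_START <= ts.time() < CHANGE_END)
        if not in_window:
            reasons.append("outside change window")
    except (KeyError, TypeError, ValueError):
        reasons.append("missing or unparseable timestamp")
    return reasons

def hunt(events):
    """Return (event, reasons) pairs for every event that needs review."""
    return [(e, r) for e in events if (r := triage(e))]

# Constructed sample events (UTC timestamps); not real telemetry.
SAMPLE = [
    {"EventType": "Configuration", "initiating_user": "admin_user_1",
     "SrcIpAddr": "10.20.0.15", "TimeGenerated": "2026-05-14T02:15:00"},
    {"EventType": "Configuration", "initiating_user": "admin_user_1",
     "SrcIpAddr": "203.0.113.77", "TimeGenerated": "2026-05-13T14:40:00"},
    {"EventType": "Configuration", "initiating_user": "svc_unknown",
     "SrcIpAddr": "10.20.0.9", "TimeGenerated": "2026-05-12T03:00:00"},
    {"EventType": "Login", "initiating_user": "admin_user_2",
     "SrcIpAddr": "198.51.100.4", "TimeGenerated": "2026-05-13T09:00:00"},
]

if __name__ == "__main__":
    for event, reasons in hunt(SAMPLE):
        print(event.get("TimeGenerated"), event.get("SrcIpAddr"), "; ".join(reasons))
```

The second sample event uses an allowlisted admin name, so a username filter alone would drop it; the source and timing checks are what flag it.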
