Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: catalyst-sd-wan (2 articles)Clear

Second maximum-severity Cisco Catalyst SD-WAN auth bypass exploited as a zero-day by sophisticated UAT-8616 actor - CISA gives federal agencies until May 17 to patch (CVE-2026-20182)

Cisco disclosed and patched a second perfect-score authentication bypass in its Catalyst SD-WAN Controller and Manager (formerly vSmart and vManage). The bug, CVE-2026-20182 (CVSS 10.0), was found by Rapid7 while investigating the earlier CVE-2026-20127 wave, and lives in the same vdaemon service over DTLS port 12346. An unauthenticated attacker can become a trusted peer of the controller, log in as a privileged internal account, hit the NETCONF interface, and rewrite the entire SD-WAN fabric. Cisco Talos already attributes limited in-the-wild exploitation to UAT-8616, an actor with operational-relay-box ties that has been targeting Cisco SD-WAN since 2023.

Check
Identify on-prem and cloud Cisco Catalyst SD-WAN Controller and Manager instances, compare any successful peer IPs to the configured System IPs under WebUI > Devices > System IP, and open a Cisco TAC case for unknown peers.
Affected
Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-prem and Cisco-managed SD-WAN Cloud deployments. Maximum severity (CVSSv3 10.0).
Fix
Upgrade to the fixed releases listed in Cisco advisory cisco-sa-sdwan-rpa2-v69WY2SW immediately - CISA Emergency Directive 26-03 set the federal deadline at May 17, 2026. Restrict internet exposure of UDP/12346 to trusted peers only.

Cisco Catalyst SD-WAN Manager users have until today to patch three actively-exploited flaws as CISA adds eight to the KEV catalog

CISA added eight actively-exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on April 20, with federal agencies required to patch three Cisco Catalyst SD-WAN Manager flaws by today, April 23, and the remaining five by May 4. The Cisco trio (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) enable arbitrary file upload with vmanage user privileges, recovery of stored credentials for the DCA user, and unauthenticated disclosure of sensitive configuration data. Cisco confirmed exploitation of the first two in March 2026. The other five cover a wide blast radius: CVE-2025-32975 is a CVSS 10.0 authentication bypass in Quest KACE Systems Management Appliance letting attackers impersonate any user without credentials, exploited in the wild by unknown actors last month per Arctic Wolf. CVE-2023-27351 is the PaperCut NG/MF bypass that Microsoft's Lace Tempest chained into Cl0p and LockBit deployments back in 2023. CVE-2024-27199 is a path traversal in JetBrains TeamCity giving limited admin actions - its sibling CVE-2024-27198 is already on the KEV list. CVE-2025-48700 is a Zimbra XSS that the Ukrainian CERT attributes to UAC-0233/UAC-0250 for stealing mailbox contents, MFA backup codes, and application passwords. CVE-2025-2749 is a Kentico Xperience Staging Sync Server path traversal.

Check
Check your environment for any exposed or internal instances of Cisco Catalyst SD-WAN Manager, Quest KACE SMA, PaperCut NG/MF, JetBrains TeamCity, Zimbra Collaboration Suite, or Kentico Xperience and confirm patch status against the specific CVEs below.
Affected
Cisco Catalyst SD-WAN Manager (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133). Quest KACE SMA unpatched against CVE-2025-32975 (CVSS 10.0). PaperCut NG/MF against CVE-2023-27351. JetBrains TeamCity against CVE-2024-27199. Synacor Zimbra Collaboration Suite against CVE-2025-48700. Kentico Xperience against CVE-2025-2749.
Fix
Apply vendor-released patches for each product. Cisco SD-WAN Manager needs fixing by end of day April 23 to meet the CISA federal deadline - treat the same as a commercial deadline and patch today. The other five carry a May 4 CISA deadline. If you cannot patch immediately, remove affected products from direct internet exposure and monitor for the exploitation patterns each vendor describes. For Zimbra specifically, check mailbox audit logs for unusual TGZ archive creation and review MFA backup code usage.