CISA adds Cisco SD-WAN auth bypass to KEV Catalog

Patch or pull the plug, those are the options CISA is offering on CVE-2026-20182.

The vulnerability is an authentication bypass in the Cisco Catalyst SD-WAN Controller. CISA added it to the KEV Catalog on May 14 based on evidence of active exploitation, triggering BOD 22-01 remediation deadlines for all Federal Civilian Executive Branch agencies. The BOD 22-01 due date for this CVE is not stated in the advisory; check the KEV Catalog entry directly for the specific deadline.

Two additional documents govern the response. Emergency Directive 26-03 requires FCEB agencies to mitigate vulnerabilities in Cisco SD-WAN systems broadly, and its supplemental direction adds specific hunt and hardening steps. The KEV addition sits on top of those obligations, it does not replace them. Agencies already working ED 26-03 compliance need to confirm CVE-2026-20182 is covered in their remediation scope.

For non-FCEB organizations: BOD 22-01 carries no legal force outside federal civilian agencies, but the KEV Catalog is the closest thing the U.S. government has to a vetted, evidence-based patch-priority list. An authentication bypass on SD-WAN infrastructure at active exploitation warrants treatment as critical regardless of your sector.

If Cisco patches are not yet available or deployable in your environment, CISA's guidance is explicit: discontinue use of the affected product. That is operationally significant for any organization running SD-WAN at scale.