
CISA adds Cisco SD-WAN auth bypass to KEV catalog

The listing follows Emergency Directive 26-03, putting a specific CVE and hard deadline on SD-WAN mitigation already ordered.


TL;DR

CISA added CVE-2026-20182, an authentication bypass in Cisco Catalyst SD-WAN Controller, to the Known Exploited Vulnerabilities catalog on evidence of active exploitation. FCEB agencies now have a mandatory remediation deadline under BOD 22-01; contractors, C3PAOs, and MSPs supporting federal networks face pressure to match that timeline. Emergency Directive 26-03 already required SD-WAN mitigation; this KEV listing assigns a specific CVE and a specific clock.

The KEV listing does not change the technical facts of CVE-2026-20182. It is an authentication bypass, and CISA has now confirmed it is under active exploitation. What changes is the compliance clock and who hears it ticking. BOD 22-01 sets a remediation deadline for all FCEB agencies, typically within 14 to 30 days of KEV listing depending on severity. Agencies already operating under ED 26-03 for Cisco SD-WAN systems should treat this as a targeted acceleration: the general mitigation mandate now has a specific CVE pinned to it, with a specific due date.

For contractors, C3PAOs, and MSPs, CISA strongly urges but does not mandate KEV remediation. Agencies relying on contractor-managed SD-WAN infrastructure will almost certainly push the requirement downstream. If you manage a federal customer's SD-WAN Controller, expect a call before the BOD 22-01 deadline.


Deep Fathom