Cisco SD-WAN Hit by Maximum-Severity Bug (CVE-2026-20182) — Patch Today

CISA added a maximum-severity flaw in Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities catalog on Thursday — CVE-2026-20182, scored a perfect 10.0 on CVSS. It’s an authentication bypass that lets an unauthenticated attacker on the network gain admin on the controller without so much as a password. Cisco has confirmed active exploitation by UAT-8616, the same China-linked cluster that weaponised CVE-2026-20127 earlier this year.

Once they’re in, attackers are dropping web shells (XenShell, Godzilla, Behinder, and a Sliver beacon have all been seen), adding their own SSH keys, modifying NETCONF configurations, and escalating to root on the underlying device. Public proof-of-concept code is already circulating, and US federal agencies have been told to patch by 17 May. That’s about as urgent as it gets.

You might be reading this thinking “we’re a small business, we don’t run enterprise SD-WAN.” Maybe — but if you’ve got multiple sites stitched together (a hospitality group with a few venues, a not-for-profit with regional offices, a financial services firm with branches), there’s a decent chance your network provider or MSP is using Cisco Catalyst gear somewhere upstream. And once an attacker has admin on the controller, they’re inside the routing fabric for everyone connected to it.

What to do today: ask your IT provider whether any Cisco Catalyst SD-WAN Controller or Manager appliances sit anywhere in your network or your carrier’s. If the answer is yes, confirm in writing that patches have been applied and that SSH keys and NETCONF configs have been audited for tampering since 1 March 2026. If you don’t have a provider who can give you a same-day answer to that question, that’s a separate problem — and one we’re happy to help with.
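For whoever carries out the SSH key audit described above, here is one way to check an exported key list. This is an added example, not code from Cisco or from this post: it assumes the keys are available as OpenSSH `authorized_keys` text and that the approved fingerprints come from your own records. The function names and sample keys are constructed for illustration.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Start of the audit window named in the post.
CUTOFF = datetime(2026, 3, 1, tzinfo=timezone.utc)
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def fingerprint(blob_b64):
    """SHA256 fingerprint in the same form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keys(text):
    """Yield (fingerprint, comment) per key line, skipping any options prefix."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i in range(len(fields) - 1):
            # A key blob always begins "AAAA" (base64 of its length prefix).
            if fields[i].startswith(KEY_PREFIXES) and fields[i + 1].startswith("AAAA"):
                yield fingerprint(fields[i + 1]), " ".join(fields[i + 2:])
                break

def audit(text, approved, modified):
    """Return findings: keys outside the approved set, and changes in the window."""
    findings = [f"unapproved key {fp} ({comment or 'no comment'})"
                for fp, comment in parse_keys(text) if fp not in approved]
    if modified >= CUTOFF:
        findings.append(f"file modified {modified:%Y-%m-%d}, on or after the audit cutoff")
    return findings

def demo_key(seed, comment):
    """Constructed sample key line (not a usable key): ed25519 layout, filler bytes."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([seed]) * 32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

if __name__ == "__main__":
    known = demo_key(1, "netops@example.invalid")
    extra = 'from="*" ' + demo_key(2, "unknown")
    approved = {fingerprint(known.split()[1])}
    sample = f"# constructed sample\n{known}\n{extra}\n"
    for finding in audit(sample, approved, datetime(2026, 4, 2, tzinfo=timezone.utc)):
        print(finding)
```

A clean result only means the key list matches your records; a modification time can be reset by anyone with root, so treat it as a prompt for review rather than proof either way.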
