A CVSS 10.0 is rare. An exploited-in-the-wild CVSS 10.0 with admin impact is rarer.
Cisco disclosed and CISA cataloged CVE-2026-20182 — a critical authentication bypass in Cisco Catalyst SD-WAN Controller. Score: 10.0. Weakness: CWE-287 (improper authentication). Outcome: full administrative control of an exposed controller. Federal agencies had until May 17 to patch.
The SD-WAN controller is exactly the kind of box where this is bad. It sits at the seam between branches and the corporate WAN, and "administrative privileges" on it means your routing intent is now whatever the attacker decides it is.
If you operate any Cisco Catalyst SD-WAN Controller, patched yesterday or not, assume the window of exposure includes any time you were on a vulnerable version. The flaw was being exploited as a zero-day before the advisory was published.
Editor's note
If you can't patch immediately, restrict management-plane access to a jump host and review the administrator audit logs for the prior 30 days. The patched version is the only durable fix.
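One way to run that 30-day review once the audit log has been exported, as an added example that is not Cisco's tooling or part of the original note. The CSV column names, the jump-host address `10.20.0.5`, the `netops` roster and the sample rows are all constructed assumptions; map them to whatever your controller's export actually contains.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample export. The columns are an assumed normalized format,
# not the controller's native audit-log schema.
SAMPLE_EXPORT = """timestamp,user,source_ip,action
2026-04-10T09:00:00+00:00,netops,203.0.113.7,login
2026-05-02T08:12:00+00:00,netops,10.20.0.5,login
2026-05-03T02:41:00+00:00,netops,198.51.100.23,config-change
2026-05-03T02:44:00+00:00,svc-temp,10.20.0.5,login
2026-05-04T11:00:00+00:00,netops,,login
"""

def review_admin_activity(csv_text, jump_hosts, known_admins, now, lookback_days=30):
    """Return (timestamp, user, action, reasons) for entries that need follow-up."""
    allowed = [ipaddress.ip_network(n) for n in jump_hosts]
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        if not cutoff <= ts <= now:
            continue  # outside the review window
        reasons = []
        try:
            src = ipaddress.ip_address(row["source_ip"].strip())
            if not any(src in net for net in allowed):
                reasons.append("source is not the jump host")
        except ValueError:
            # An entry with no usable source cannot be cleared, so surface it.
            reasons.append("missing or unparseable source address")
        if row["user"] not in known_admins:
            reasons.append("account not on the administrator roster")
        if reasons:
            findings.append((row["timestamp"], row["user"], row["action"], reasons))
    return findings

if __name__ == "__main__":
    now = datetime(2026, 5, 20, tzinfo=timezone.utc)  # fixed so the sample is reproducible
    for ts, user, action, reasons in review_admin_activity(
            SAMPLE_EXPORT, ["10.20.0.5/32"], {"netops"}, now):
        print(f"{ts} {user} {action}: {'; '.join(reasons)}")
```

Widen `lookback_days` if the controller ran a vulnerable version for longer than 30 days, since the exposure window covers all of that time.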