The security team at a mid-sized financial firm spent three weeks hardening their endpoints. MFA everywhere. EDR on every workstation. Zero Trust policies rolled out to half the organization. Meanwhile, their Palo Alto firewall — the device that decides what traffic gets in and out — was running a version of PAN-OS that handed root access to anyone who sent the right packet. And their Cisco SD-WAN controller, the brain of their entire branch network, was accepting new peers without asking for credentials.

The perimeter wasn’t protecting the inside. The perimeter was the vulnerability.

TL;DR

  • CVE-2026-20182 (Cisco Catalyst SD-WAN, CVSS 10.0): Authentication bypass lets attackers join your SD-WAN fabric as a trusted peer — no credentials needed. Actively exploited in the wild.
  • CVE-2026-0300 (Palo Alto PAN-OS, CVSS 9.3): Buffer overflow in the User-ID Authentication Portal grants root-level remote code execution on the firewall itself.
  • Together, these two flaws create an attack chain where the firewall becomes the entry point and the SD-WAN becomes the manipulation layer.
  • CISA added CVE-2026-20182 to the Known Exploited Vulnerabilities catalog. Federal agencies had until May 17, 2026 to patch.
  • Patch now. For Cisco, update Catalyst SD-WAN Controller and Manager immediately. For Palo Alto, update to the fixed PAN-OS version or disable the portal if internet-facing.

Why This Matters

Most organizations protect their users’ devices carefully. They install antivirus, deploy EDR tools, enforce password policies. But the devices that carry all traffic — the firewalls, the SD-WAN controllers, the routers — often run firmware that hasn’t been touched in months.

An attacker who owns your firewall sees every connection passing through it. An attacker who joins your SD-WAN fabric can redirect traffic across every branch office. These aren’t endpoint compromises. They’re infrastructure compromises — and they’re orders of magnitude more valuable to an attacker.

Both vulnerabilities are being exploited right now.



CVE-2026-20182: Cisco SD-WAN Authentication Bypass

CVSS: 10.0 — Maximum severity. Actively exploited.

What is SD-WAN?

SD-WAN (Software-Defined Wide Area Network) is how modern enterprises connect their branch offices. Instead of dedicated expensive links, SD-WAN uses software to route traffic intelligently across internet connections. The SD-WAN Controller is the brain: it tells every router and branch device how to behave, which paths to use, and who belongs in the fabric.

Think of it as an air traffic control system — except this one accepted planes with forged IDs.

The Vulnerability

The Cisco Catalyst SD-WAN Controller and Manager contain an authentication bypass in the peering mechanism — the process by which new devices join the SD-WAN fabric.

By sending specially crafted requests, an unauthenticated remote attacker can:

  1. Log in as an internal high-privilege account — without any credentials
  2. Access NETCONF (Network Configuration Protocol), used to programmatically manage network devices
  3. Add rogue peer devices to the SD-WAN fabric, making attacker-controlled hardware appear as legitimate network nodes
  4. Establish encrypted tunnels to attacker infrastructure while appearing as trusted fabric members
  5. Advertise attacker-controlled routes, redirecting branch-to-branch or branch-to-datacenter traffic

Once a rogue peer is inside the fabric, it inherits the trust that every other device has earned. The SD-WAN controller thinks it’s talking to a legitimate branch router. It isn’t.

<!-- What an attacker achieves via NETCONF after bypassing auth:
     - Read full network topology
     - Modify routing policies
     - Insert rogue peers
     - Redirect traffic through attacker-controlled nodes
     Example NETCONF RPC that would be available post-exploitation
     (illustrative element names, not Cisco's actual YANG model): -->
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target><running/></target>
    <config>
      <!-- Add attacker-controlled peer to trusted fabric -->
      <peer-address>ATTACKER_IP</peer-address>
      <peer-type>vedge</peer-type>
    </config>
  </edit-config>
</rpc>

Affected Products

  • Cisco Catalyst SD-WAN Controller
  • Cisco Catalyst SD-WAN Manager
  • Both on-premises and cloud SD-WAN deployments

Rapid7 discovered active exploitation in May 2026. CISA added this to the Known Exploited Vulnerabilities catalog with a federal patching deadline of May 17, 2026.


CVE-2026-0300: Palo Alto PAN-OS Root RCE

If the Cisco flaw lets an attacker rewrite the map, the Palo Alto flaw hands them the keys to the front door first.

CVSS: 9.3 (internet-facing) / 8.7 (internal-only). Limited active exploitation.

The Vulnerability

PAN-OS firewalls include a User-ID Authentication Portal (also called Captive Portal) — a web interface that presents a login page to users who need to authenticate before accessing network resources. It’s commonly used in enterprise environments to tie network access to user identity.

The portal contains a buffer overflow vulnerability. When processing certain specially crafted packets, the portal writes more data than the buffer can hold — overflowing into adjacent memory and giving the attacker control over execution flow.

The result: unauthenticated remote code execution with root privileges on the firewall itself.

The risk is highest when the portal is exposed to the internet. If it’s restricted to internal trusted zones only, the CVSS drops slightly — but an attacker who is already inside the network (via phishing, a compromised endpoint, or another vulnerability) can still reach it.

Affected Versions

PAN-OS Version | Vulnerable Versions                    | Fixed Version
---------------|----------------------------------------|--------------
12.1           | < 12.1.4-h5, < 12.1.7                  | 12.1.7+
11.2           | < 11.2.4-h17, < 11.2.7-h13, < 11.2.12  | 11.2.12+
11.1           | < 11.1.4-h33, < 11.1.15                | 11.1.15+
10.2           | < 10.2.7-h34, < 10.2.18-h6             | 10.2.18-h6+

Cloud NGFW and Panorama appliances are not affected.
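As an added example (not from the article or from Palo Alto), a small Python checker that encodes the version table above and handles the hotfix-backport edge case the table implies: 10.2.7-h34 is fixed although 10.2.8 is not, so a plain "less than the fixed baseline" comparison gets it wrong. The sample versions at the bottom are constructed.

```python
"""Check a PAN-OS version string against the CVE-2026-0300 version table."""
import re
from typing import Optional

# Per release train, the thresholds from the article's table, ascending.
# Every entry but the last is a hotfix backport onto an older maintenance
# line; the last entry is the fixed baseline for the whole train.
AFFECTED = {
    (12, 1): ["12.1.4-h5", "12.1.7"],
    (11, 2): ["11.2.4-h17", "11.2.7-h13", "11.2.12"],
    (11, 1): ["11.1.4-h33", "11.1.15"],
    (10, 2): ["10.2.7-h34", "10.2.18-h6"],
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> tuple:
    """'10.2.7-h34' -> (10, 2, 7, 34); a release without a hotfix gets 0."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(text: str) -> Optional[bool]:
    """True = vulnerable, False = fixed, None = train not in the table."""
    major, minor, maint, hotfix = parse_version(text)
    thresholds = AFFECTED.get((major, minor))
    if thresholds is None:
        return None
    parsed = [parse_version(t)[2:] for t in thresholds]  # (maint, hotfix)
    if (maint, hotfix) >= parsed[-1]:        # at or above the fixed baseline
        return False
    for t_maint, t_hotfix in parsed[:-1]:    # backported hotfix lines
        if maint == t_maint and hotfix >= t_hotfix:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample versions, not observed on any real device.
    for sample in ["10.2.7-h33", "10.2.7-h34", "10.2.17", "10.2.18-h6", "12.1.6", "9.1.14"]:
        print(f"{sample:12} vulnerable={is_vulnerable(sample)}")
```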


The Combined Attack Chain

These two vulnerabilities don’t have to be used together — but when they are, they create a nearly complete infrastructure takeover scenario.

Phase 1: Perimeter Breach (CVE-2026-0300)
──────────────────────────────────────────
Attacker scans for PAN-OS portals exposed to internet
→ Sends crafted packet to User-ID Authentication Portal
→ Buffer overflow triggers
→ Root shell on the firewall

Phase 2: Internal Reconnaissance
──────────────────────────────────────────
From the compromised firewall:
→ Full visibility into internal network topology
→ Enumerate SD-WAN infrastructure
→ Identify Cisco Catalyst SD-WAN Controller IP

Phase 3: Fabric Poisoning (CVE-2026-20182)
──────────────────────────────────────────
Attacker targets SD-WAN Controller:
→ Authentication bypass via crafted peering request
→ NETCONF access established
→ Rogue peer device registered as trusted fabric member

Phase 4: Persistent Traffic Manipulation
──────────────────────────────────────────
→ Encrypted tunnel to attacker infrastructure
→ Branch traffic silently redirected
→ Man-in-the-middle position on corporate WAN
→ Long-term persistent access — invisible to endpoint detection

MITRE ATT&CK techniques involved:

The most dangerous aspect: endpoint security tools don’t see this. EDR monitors processes on workstations. It has no visibility into what’s happening inside the SD-WAN fabric or on the firewall OS. An attacker with persistent access at this layer can exfiltrate data, intercept credentials, and manipulate communications — indefinitely — while every endpoint alert board stays green.


Detection Reference

Sigma — Cisco SD-WAN Unauthorized Peer Registration

title: Cisco SD-WAN Unauthorized Peer Registration via NETCONF
id: a3f1c8e2-7d4b-4a91-b2c6-9e5f03d82b17
status: experimental
description: >
  Detects NETCONF sessions followed by peer-add operations that may indicate
  exploitation of CVE-2026-20182.
logsource:
  category: network
  product: cisco_sdwan
detection:
  selection:
    EventType: 'NETCONF_SESSION'
    Operation: 'edit-config'
    ConfigTarget|contains: 'peer-address'
  filter_known_peers:
    SourceIP|cidr:
      - '10.0.0.0/8'  # adjust to your known management subnets
      - '192.168.0.0/16'
  condition: selection and not filter_known_peers
falsepositives:
  - Legitimate network provisioning from unexpected IPs
level: critical
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026-20182

Sigma — Palo Alto PAN-OS Portal Exploit Attempt

title: Palo Alto PAN-OS User-ID Portal Buffer Overflow Attempt
id: b7d4e921-3c8f-4b2a-a5d1-0f6e14c93a28
status: experimental
description: >
  Detects anomalous POST requests to the PAN-OS captive portal endpoint
  with oversized payloads consistent with CVE-2026-0300 exploitation.
logsource:
  product: palo_alto
  category: firewall
detection:
  selection:
    cs-method: 'POST'
    cs-uri-stem|contains: '/php/login.php'
    sc-status:
      - 500
      - 200
    cs-bytes|gt: 8192  # unusually large portal POST
  condition: selection
falsepositives:
  - Large file uploads through captive portal (rare)
level: high
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026-0300

Microsoft Sentinel KQL — SD-WAN Rogue Peer Activity

// Detect SD-WAN NETCONF peer-address edits from unexpected sources
// Adjust KnownMgmtSubnets to match your environment
let KnownMgmtSubnets = dynamic(["10.10.1.0/24", "192.168.100.0/24"]);
CommonSecurityLog
| where DeviceVendor == "Cisco" and DeviceProduct contains "SD-WAN"
| where Activity contains "NETCONF" and AdditionalExtensions contains "peer-address"
// ipv4_is_in_any_range() takes the whole array, so adding subnets needs no new clauses
| where not(ipv4_is_in_any_range(SourceIP, KnownMgmtSubnets))
| project TimeGenerated, SourceIP, DestinationIP, Activity, AdditionalExtensions
| sort by TimeGenerated desc
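The same check the Sigma rule and KQL query above express, "NETCONF edit-config touching peer-address from a source outside the known management subnets", run over sample log lines as an added example (not from the article, Cisco or Microsoft). The key=value event format, the field names and the subnets are assumptions; the log lines are constructed.

```python
"""Run the SD-WAN rogue-peer detection logic over constructed sample events."""
import ipaddress

# Assumed management subnets; adjust to your environment, as the rules say.
KNOWN_MGMT_SUBNETS = [ipaddress.ip_network(n) for n in ("10.10.1.0/24", "192.168.100.0/24")]

# Constructed sample events in a simplified key=value form (not real Cisco log output).
SAMPLE_LOGS = [
    "ts=2026-05-12T09:01:02Z EventType=NETCONF_SESSION Operation=get-config SourceIP=10.10.1.5 ConfigTarget=running",
    "ts=2026-05-12T09:03:10Z EventType=NETCONF_SESSION Operation=edit-config SourceIP=10.10.1.5 ConfigTarget=peer-address",
    "ts=2026-05-12T09:04:44Z EventType=NETCONF_SESSION Operation=edit-config SourceIP=203.0.113.77 ConfigTarget=peer-address",
    "ts=2026-05-12T09:05:00Z EventType=SSH_LOGIN Operation=login SourceIP=203.0.113.77 ConfigTarget=-",
]


def parse_event(line: str) -> dict:
    """Split a 'key=value key=value' line into a dict (values contain no spaces)."""
    return dict(field.split("=", 1) for field in line.split())


def from_known_mgmt(ip_text: str) -> bool:
    """True when the source address falls inside one of the known management subnets."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in KNOWN_MGMT_SUBNETS)


def matches_rule(event: dict) -> bool:
    """Sigma 'selection and not filter_known_peers', expressed in Python."""
    selection = (
        event.get("EventType") == "NETCONF_SESSION"
        and event.get("Operation") == "edit-config"
        and "peer-address" in event.get("ConfigTarget", "")
    )
    return selection and not from_known_mgmt(event["SourceIP"])


def detect(lines) -> list:
    """Return (timestamp, source IP) for every event that matches the rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if matches_rule(event):
            hits.append((event["ts"], event["SourceIP"]))
    return hits


if __name__ == "__main__":
    for ts, src in detect(SAMPLE_LOGS):
        print(f"ALERT {ts} peer-address edit-config from unexpected source {src}")
```

The legitimate edit from 10.10.1.5 is suppressed by the subnet filter, so only the third event fires; a real deployment would feed the same function from the log pipeline instead of the inline list.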

What to look for manually

Cisco SD-WAN:

# Check auth logs for unexpected privilege escalation
grep "high-privileged" /var/log/auth.log
# List current fabric peers — look for unfamiliar entries
show sdwan control connections
show sdwan bfd sessions
# Check NETCONF session history
show netconf-yang datastores

Palo Alto PAN-OS:

# Check system logs for portal errors or crashes
grep -i "captive\|user-id\|portal" /var/log/pan/system
# Show active management sessions
show admins all
# Check if User-ID portal is unnecessarily internet-facing
show interface management

What You Can Do Today

If you run Cisco Catalyst SD-WAN:

  1. Check your controller version immediately:
    show version
  2. Apply Cisco’s security update — no complete workaround exists
  3. Restrict management interface access to trusted IP ranges only
  4. Audit current fabric peers against your known inventory:
    show sdwan control connections state
  5. Review /var/log/auth.log for unexpected high-privilege sessions

If you run Palo Alto PAN-OS:

  1. Check your version against the affected list above
  2. If the User-ID portal is internet-facing and you don’t need it there — disable external access immediately:
    • Network → Zones → edit the external zone → remove User-ID from enabled interfaces
  3. Apply the PAN-OS update to a fixed version
  4. If you can’t patch immediately, restrict portal access to internal trusted zones only

Both:

  • Enable alerting on NETCONF operations from unexpected sources
  • Review your network device patching cadence — perimeter devices need the same update discipline as servers and endpoints

Mitigations

Action                                      | CVE            | Priority | Notes
--------------------------------------------|----------------|----------|-----------------------------------------------
Patch Cisco SD-WAN Controller and Manager   | CVE-2026-20182 | Critical | No workaround — patch is the only fix
Restrict SD-WAN management to trusted IPs   | CVE-2026-20182 | High     | Reduces attack surface while patching
Patch PAN-OS to fixed version               | CVE-2026-0300  | Critical | See version table above
Disable User-ID portal if not needed        | CVE-2026-0300  | High     | Eliminates attack surface entirely
Restrict portal to internal zones only      | CVE-2026-0300  | High     | CVSS drops from 9.3 to 8.7
Audit SD-WAN fabric peer list               | CVE-2026-20182 | High     | Detect any rogue peers already added
Enable NETCONF operation logging            | Both           | Medium   | Visibility into post-exploitation activity
Network segmentation for management plane   | Both           | Medium   | Limits reachability of management interfaces

The hard truth: most organizations will patch endpoints within hours of a critical CVE. Network devices running the same vulnerable firmware for months is the norm, not the exception. These two vulnerabilities are being exploited precisely because attackers could count on that norm — until now.


