Closed · Medium impact · AI Generated

Cisco Catalyst SD-WAN Controller Critical Authentication Bypass Flaw Exploited in Zero-Day Attacks – May 2026

Occurred 14 May 2026 · Detected 14 May 2026 · Ended 29 May 2026
Global — affects Cisco Catalyst SD-WAN Controller deployments worldwide · 2 reports
CyberPropertyCyberCasualty & Liability

Cisco has issued a warning regarding a critical authentication bypass vulnerability in its Catalyst SD-WAN Controller, tracked as CVE-2026-20182, which has been actively exploited in zero-day attacks. The flaw enables attackers to gain administrative privileges on compromised devices. The exploitation of SD-WAN infrastructure poses significant risks to enterprise and critical infrastructure networks globally, as SD-WAN controllers are widely deployed across corporate and government environments.

AI-generated from linked source reports. See our correction policy.

Impact verdict

Medium impact. MEDIUM: Admin recalibration. The event has a plausible London Market pathway, but the current evidence does not support HIGH: no confirmed market-moving insured loss, vessel total loss, major closure, quantified claims estimate, reinsurance trigger, or broad pricing/capacity response is evidenced.

How we grade what we know: Known · Reported · Uncertain.

Intelligence ledger

Known (4 lines)

Cisco has officially warned of the vulnerability CVE-2026-20182 affecting Catalyst SD-WAN Controllers.
The flaw is classified as critical and involves an authentication bypass.
The vulnerability has been actively exploited in zero-day attacks.
Exploitation allows attackers to gain administrative privileges on compromised devices.

Reported (1 line)

The attacks appear to have targeted SD-WAN infrastructure broadly, with global implications.

Uncertain (3 lines)

The identity or attribution of the threat actors exploiting the zero-day is not confirmed in the source.
The full scope and number of affected organisations is not disclosed.
Whether a patch or mitigation has been released is not confirmed from the source excerpt.

Timeline

Status Change · 2 Jun 2026, 13:05

Lifecycle changed

monitoring → closed

Closure · 2 Jun 2026, 13:05

Event Closed

auto_closed_monitoring_timeout

Status Change · 29 May 2026, 05:30

Status changed to monitoring

Auto-transitioned: no updates for 6 hours

active → monitoring

Status Change · 28 May 2026, 22:36

Status changed to active

remediation: existing active criteria met

developing → active

De-escalation · 25 May 2026, 21:18

Impact changed

high → medium

Status Change · 18 May 2026, 10:54

Status changed to developing

Auto-promoted: multiple sources

Corroboration · 18 May 2026, 10:54

The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to apply a patch for an actively exploited vulnerability in Cisco SD-WAN systems by Sunday. The flaw allows an unauthenticated remote attacker to bypass authentication and gain administrative privileges on affected systems. Cisco released a patch on Thursday alongside an advisory disclosing the severity of the vulnerability. The directive signals active exploitation in the wild, raising concerns for critical infrastructure and enterprise network security.

Source: The Record (Cyber) (Trade Media)

Initial Detection · 14 May 2026, 20:55

Initial Detection

Cisco is warning that a critical Catalyst SD-WAN Controller authentication bypass flaw, tracked as CVE-2026-20182, was actively exploited in zero-day attacks that allowed attackers to gain administrative privileges on compromised devices.

Source: BleepingComputer (Trade Media)
