Provenance Record

Excellent structure (Overview / What We Know / Active Exploitation and Attribution / CISA's Three-Day Deadline / What We Don't Know). Technical, precise, neutral. Length appropriate for News (725 words). All inline citations point to the source that actually contains the claim — no compound-citation issues found.

{"source-0":{"url":"https://www.cisa.gov/news-events/alerts/2026/05/14/cisa-adds-one-known-exploited-vulnerability-catalog","snapshot":"source-0.html.gz","status":"CISA primary KEV alert (May 14). Verifies CVE-2026-20182 entry, 'Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability'."},"source-1":{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-20182","snapshot":"source-1.html.gz","status":"NVD primary entry. Verifies CVSS 10.0 base score, full vector string, Cisco as CNA."},"source-2":{"url":"https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/","snapshot":"source-2.html.gz","status":"Rapid7 technical analysis. Verifies: 'not a patch bypass / similar part of the vdaemon networking stack' verbatim, vHub device-type 'no verification code' analysis, 'become an authenticated peer' verbatim, NETCONF login path, full fixed-version table, CWE-287 classification."},"source-3":{"url":"https://thehackernews.com/2026/05/cisa-adds-cisco-sd-wan-cve-2026-20182.html","snapshot":"source-3.html.gz","status":"The Hacker News. Verifies: CISA description quote verbatim, May 17 FCEB deadline, 'add SSH keys, modify NETCONF configurations, and escalate to root privileges' Talos quote verbatim, ORB infrastructure overlap framing."},"source-4":{"url":"https://www.securityweek.com/cisco-patches-another-sd-wan-zero-day-the-sixth-exploited-in-2026/","snapshot":"source-4.html.gz","status":"SecurityWeek. Verifies: 'sixth' framing, UAT-8616 'highly sophisticated' + 'limited attacks' verbatim, full sibling-CVE list (20127, 20128, 20122, 20133, 2022-20775), 'three days' KEV deadline."},"source-5":{"url":"https://www.helpnetsecurity.com/2026/05/15/cisco-sd-wan-zero-day-cve-2026-20182/","snapshot":"source-5.html.gz","status":"Help Net Security. Verifies: port 12346 + UDP + DTLS framing for the vdaemon service, UAT-8616 attribution tying both CVEs together."}}

Exemplary cybersecurity submission with textbook Rule 9 discipline. CISA primary alert + NVD detail page + Rapid7 technical analysis all cited as primary publications. Every specific verified verbatim: CVE-2026-20182, CVSS 10.0, vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, CWE-287, May 14 disclosure, May 17 federal remediation deadline, full fixed-version list (20.9.9.1 / 20.12.5.4 / 20.12.6.2 / 20.12.7.1 / 20.15.4.4 / 20.15.5.2 / 20.18.2.2 / 26.1.1.1), 'vdaemon' service + UDP port 12346 + DTLS, vHub device type with 'no verification code' verbatim, 'not a patch bypass of CVE-2026-20127' + 'similar part of the vdaemon networking stack' verbatim, 'become an authenticated peer' verbatim, NETCONF post-exploit path, UAT-8616 attribution + 'highly sophisticated' + 'limited attacks' + 'add SSH keys, modify NETCONF configurations, and escalate to root privileges' verbatim, Operational Relay Box (ORB) framing, full sibling-CVE list (20127, 20128, 20122, 20133, 2022-20775), 'sixth SD-WAN flaw' framing, 'three days' KEV deadline. Internal cross-reference to 2026-02/28-cisco-sd-wan-zero-day-exploited-for-three-years-before-patch... verified to exist.