Serial number:AV26–474
Date:May 15, 2026

On May 15, 2026, FreePBX published a security advisory to address a critical vulnerability in the following products:

• FreePBX Security-Reporting userman (FreePBX 16) – versions 16.0.45 and prior
• FreePBX Security-Reporting userman (FreePBX 17) – versions 17.0.7 and prior

The Cyber Centre encourages users and administrators to review the web links provided, apply the necessary updates and perform the suggested mitigations.

• Unauthenticated Use of Hard-Coded Credentials Vulnerability in Free PBX UCP Interface
• FreePBX Security Advisories

Serial number:AV26-473
Date: May 15, 2026

On May 14, 2026, Microsoft published a security advisory to address a critical vulnerability in the following products:

• Microsoft Exchange Server 2016 on premises versions (any update level)
• Microsoft Exchange Server 2019 on premises versions (any update level)
• Exchange Server Subscription Edition (SE) on premises versions (any update level)

Microsoft is aware of limited exploitation of CVE-2026-42897.

Update 1

On May 15, 2026, Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-42897 to their Known Exploited Vulnerabilities (KEV) Database.

The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates, when available.

• Microsoft Exchange Server Spoofing Vulnerability CVE-2026-42897 Security Vulnerability
• Exchange Emergency Mitigation (EM) service
• Exchange Team Blog - Addressing Exchange Server May 2026 vulnerability CVE-2026-42897
• CISA KEV: CVE-2026-42897

Number: AL26-012
Date: May 15, 2026

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

The Canadian Centre for Cyber Security (Cyber Centre) is aware of active exploitation^1Footnote2 of Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) devices ^Footnote3. In response to the Cisco security advisory released on May 14, 2026^Footnote4, the Cyber Centre issued AV26-471^Footnote5 on May 14, 2026.

Tracked as CVE-2026-20182 ^Footnote6, this vulnerability is a critical Improper authentication vulnerability (CWE-287)^Footnote7 affecting the peering authentication process of Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). It could allow an unauthenticated, remote attacker to bypass authentication, elevate privileges, and obtain administrative privileges on affected systems.

Cisco Catalyst SD-WAN Controller systems accessible from the internet, particularly those with exposed network ports, are at risk of exposure to compromise.

This vulnerability affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, regardless of device configuration. The vulnerability affects all deployment types, including:

• On-Prem Deployment
• Cisco SD-WAN Cloud-Pro
• Cisco SD-WAN Cloud - Cisco Managed
• Cisco SD-WAN for Government - FedRAMP Environment

The Cyber Centre is aware of incidents involving CVE-2026-20182; with reported attempts of SSH keys being added, NETCONF configurations being modified and escalation to root privileges. This allowed multiple follow-up actions including administrative access, persistence and long-term access to SD-WAN networks.

Cisco has also noted the continued exploitation of Cisco Catalyst SD-WAN vulnerabilities CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 previously reported in February 2026 ^Footnote8. The Cyber Centre released AL26-004 ^Footnote9 at that time highlighting the issue.

Suggested actions

The Cyber Centre recommends that organizations upgrade affected Cisco Catalyst SD-WAN instances to a fixed version:

Cisco has also addressed this vulnerability in Cisco SD-WAN Cloud (Cisco Managed) Release 20.15.506, which is cloud based. No user action is required. Customers can determine the current remediation status or software version by using the Help function in the service GUI^Footnote4.

The Cyber Centre also recommends organizations to:

• Review the Cisco advisory^Footnote4 and the Talos Intelligence article^Footnote1 to identify if indicators of compromise are present on their devices.
• Cisco states to preserve possible indicators of compromise, customers should issue the request admin-tech command from each of the control components in the SD-WAN deployment before upgrading^{Footnote4Footnote10}.
• Collect artifacts, including virtual snapshots and logs from SD-WAN technology.
• Fully patch SD-WAN technology including those that are affected by CVE-2026-20182.
• Implement recommendations from the Cisco SD-WAN hardening guide^Footnote11.

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions with an emphasis on the following topics^Footnote12.

• Consolidating, monitoring, and defending Internet gateways
• Patch operating systems and applications
• Harden operating systems and applications
• Isolate web-facing applications

Should activity matching the content of this alert be discovered, recipients are encouraged to report via My Cyber Portal or email contact@cyber.gc.ca.

References

Serial number: AV26-472
Date: May 14, 2026

On May 14, 2026, Tenable published a security advisory to address critical vulnerabilities in the following product:

• Tenable Network Monitor – versions prior to 6.5.4

The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.

• [R1] Tenable Network Monitor 6.5.4 Fixes Multiple Vulnerabilities
• Tenable Product Security Advisories

Serial number:AV26-471
Date: May 14, 2026

On May 14, 2026, Cisco published security advisories to address critical vulnerabilities in the following products:

• Cisco Catalyst SD-WAN Release – versions 20.9 and prior
• Cisco Catalyst SD-WAN Release – versions 20.10 and prior
• Cisco Catalyst SD-WAN Release – versions 20.11 and prior
• Cisco Catalyst SD-WAN Release – versions 20.12 and prior
• Cisco Catalyst SD-WAN Release – versions 20.13 and prior
• Cisco Catalyst SD-WAN Release – versions 20.14 and prior
• Cisco Catalyst SD-WAN Release – versions 20.15 and prior
• Cisco Catalyst SD-WAN Release – versions 20.16 and prior
• Cisco Catalyst SD-WAN Release – versions 20.18 and prior
• Cisco Catalyst SD-WAN Release – versions 26.1 and prior

Cisco is aware of limited exploitation of CVE-2026-20182.

On May 14, 2026, Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20182 to their Known Exploited Vulnerabilities (KEV) Database.

The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.

• Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
• Cisco Catalyst SD-WAN Manager Vulnerabilities
• Cisco Security Advisories
• CISA KEV: CVE-2026-20182

Serial number:AV26-470
Date: May 14, 2026

On May 14, 2026, PostgreSQL published a security advisory to address vulnerabilities in the following products:

• PostgreSQL – 14.x versions prior to 14.23
• PostgreSQL – 15.x versions prior to 15.18
• PostgreSQL – 16.x versions prior to 16.14
• PostgreSQL – 17.x versions prior to 17.10
• PostgreSQL – 18.x versions prior to 18.4

The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.

• PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 Released!
• PostgreSQL Security Information