A CVSS 10.0 vulnerability in Cisco Catalyst SD-WAN is the headline this week, and it deserves the severity designation. CVE-2026-20182 allows unauthenticated remote attackers to gain full administrative control of SD-WAN controllers — no credentials required, no prior access needed. CISA added it to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of May 17. If that deadline has passed and your organization has not patched, the question is the same one raised by last week’s Palo Alto CVE-2026-0300: not whether the scanning is happening, but whether it already succeeded.
Palo Alto’s second vulnerability this week, CVE-2026-0265, is a distinct problem from last week’s RCE. This is an authentication bypass in PAN-OS’s Cloud Authentication Service (CAS), the component organizations use for enterprise identity federation. When CAS is enabled and this vulnerability is present, remote attackers can bypass authentication entirely. Organizations that patched CVE-2026-0300 last week and considered Palo Alto remediation complete need to revisit that assessment.
Against this backdrop, the post-quantum infrastructure picture continues to mature. Cloudflare and AWS have deployed hybrid ML-KEM support for TLS 1.3 in production environments using the NIST FIPS 203 standard. This removes the “wait for production-ready implementations” objection from migration planning conversations. The tooling is available; the January 2027 CNSA 2.0 deadline for new NSS acquisitions is not waiting for the threat environment to settle.
The CISA vulnerability bulletin for the week of May 4 (sb26-131) cataloged the full scope of actively exploited CVEs across federal systems. The pattern across two consecutive weeks is clear: Palo Alto firewalls, Cisco SD-WAN controllers, and Cisco ASA/FTD stacks account for the majority of active exploitation targeting federal network perimeter infrastructure. These are not niche or legacy products — they are the standard-issue tools of federal network architecture.
Palo Alto’s internal AI scanning program, Mythos, found 75 vulnerabilities in its own products using GPT-5.5-class models over a matter of weeks. The significance is not the self-reported success — it is that the same AI-accelerated discovery capability is available to adversaries. The exploit window between discovery and deployment is compressing. Last week’s Intel Brief cited Zscaler’s ThreatLabz report documenting AI reducing exploit timelines from weeks to hours; Mythos confirms that capability is now being applied directly to the most widely deployed federal perimeter devices.
Federal contractors managing network infrastructure should leave this week with two action items: verify patch status on all Cisco SD-WAN and Palo Alto PAN-OS deployments, and begin treating the January 2027 CNSA 2.0 deadline as a current project milestone rather than a future planning item. Patching classical vulnerabilities buys time — it is not a substitute for migration.
This makes two consecutive weeks of critical Palo Alto and Cisco vulnerabilities on the same infrastructure federal contractors use for remote access and perimeter security. The CVE count matters less than the pattern — these platforms are being actively targeted. Patch status verification is not optional this month.