top of page

Cisco Catalyst SD-WAN Controller Critical Authentication Bypass Under Active Exploitation for Admin Access

  • May 14
  • 3 min read

Key Findings


  • Critical authentication bypass vulnerability CVE-2026-20182 (CVSS 10.0) in Cisco Catalyst SD-WAN Controller actively exploited in limited attacks since May 2026

  • Vulnerability allows unauthenticated remote attackers to gain administrative privileges and manipulate SD-WAN fabric network configurations

  • CISA added the flaw to Known Exploited Vulnerabilities catalog with a May 17, 2026 deadline for federal agencies to remediate

  • The vulnerability affects the vdaemon service over DTLS on UDP port 12346, the same service vulnerable to the previously exploited CVE-2026-20127

  • Exploitation enables attackers to inject SSH keys and access NETCONF services as the high-privileged vmanage-admin account


Background


Cisco discovered and disclosed a maximum-severity flaw in its Catalyst SD-WAN Controller, formerly known as SD-WAN vSmart, and Catalyst SD-WAN Manager, formerly SD-WAN vManage. The vulnerability stems from a malfunction in the peering authentication mechanism that controls how network devices verify each other's identity before establishing connections. SD-WAN technology is critical infrastructure used by enterprises and government agencies to manage wide-area networks, making this flaw particularly concerning.


Technical Details of the Vulnerability


The vulnerability exists in the control connection handshaking and peering authentication processes. An attacker can send specially crafted requests to an affected system that bypass authentication validation due to improper error handling. The flaw affects the vdaemon service running over DTLS, a secure UDP protocol typically used on port 12346.


Upon successful exploitation, an attacker gains the ability to log in as an internal high-privileged non-root account called vmanage-admin. This account provides access to the NETCONF service, which runs over SSH on TCP port 830 and allows direct manipulation of network configurations across the entire SD-WAN fabric.


Relationship to Prior Vulnerabilities


Rapid7 researchers discovered that CVE-2026-20182 shares similarities with the previously exploited CVE-2026-20127, another critical authentication bypass affecting the same vdaemon service. However, this is not a patch bypass of the earlier flaw. Instead, it represents a different vulnerability in a similar part of the networking stack that achieves the same end result: remote unauthenticated access with administrative capabilities.


The earlier CVE-2026-20127 has been exploited by threat actor UAT-8616 since at least 2023, demonstrating that attackers actively target this component of Cisco's SD-WAN infrastructure.


Affected Deployments


  • On-Premises Cisco SD-WAN deployments

  • Cisco SD-WAN Cloud-Pro

  • Cisco SD-WAN Cloud managed by Cisco

  • Cisco SD-WAN for Government under FedRAMP


Systems that expose these services to the internet face the highest risk of compromise.


Real-World Exploitation and Response


Cisco became aware of limited real-world exploitation of CVE-2026-20182 in May 2026 and immediately released patches. The U.S. Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog, establishing a deadline of May 17, 2026 for federal agencies to remediate the issue under Binding Operational Directive 22-01.


Cisco strongly urges all customers to apply available updates immediately, particularly those with internet-exposed systems or exposed ports.


Detection and Hunting Indicators


Organizations should review security logs for signs of exploitation. Specific indicators include entries in the "/var/log/auth.log" file showing accepted public key authentications for the vmanage-admin account from unknown or unauthorized IP addresses.


Additionally, suspicious peering events warrant investigation, particularly unauthorized peer connections occurring at unusual times or from unrecognized IP addresses. Device types inconsistent with the organization's network architecture may also signal compromise.


Attackers may inject their own public keys into the vmanage-admin account's authorized SSH keys file to maintain persistent access, making SSH key audits essential.


Recommendations


Organizations should prioritize patching all affected systems immediately. Beyond patching, teams should conduct comprehensive audits of authentication logs and peering events to determine if exploitation occurred. Those unable to patch immediately should restrict network access to these systems and implement additional monitoring of NETCONF and SSH activity on the affected ports.


Sources


  • https://thehackernews.com/2026/05/cisco-catalyst-sd-wan-controller-auth.html

  • https://securityaffairs.com/192157/hacking/u-s-cisa-adds-a-flaw-in-cisco-catalyst-sd-wan-to-its-known-exploited-vulnerabilities-catalog.html

  • https://x.com/TheCyberSecHub/status/2054998842018541989

  • https://www.linkedin.com/pulse/cisco-warns-actively-exploited-critical-sd-wan-hbnxe

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page