Cisco Catalyst SD-WAN Controller Critical Authentication Bypass Under Active Exploitation for Admin Access
- May 14
- 3 min read
Key Findings
Critical authentication bypass vulnerability CVE-2026-20182 (CVSS 10.0) in Cisco Catalyst SD-WAN Controller actively exploited in limited attacks since May 2026
Vulnerability allows unauthenticated remote attackers to gain administrative privileges and manipulate SD-WAN fabric network configurations
CISA added the flaw to Known Exploited Vulnerabilities catalog with a May 17, 2026 deadline for federal agencies to remediate
The vulnerability affects the vdaemon service over DTLS on UDP port 12346, the same service vulnerable to the previously exploited CVE-2026-20127
Exploitation enables attackers to inject SSH keys and access NETCONF services as the high-privileged vmanage-admin account
Background
Cisco discovered and disclosed a maximum-severity flaw in its Catalyst SD-WAN Controller, formerly known as SD-WAN vSmart, and Catalyst SD-WAN Manager, formerly SD-WAN vManage. The vulnerability stems from a malfunction in the peering authentication mechanism that controls how network devices verify each other's identity before establishing connections. SD-WAN technology is critical infrastructure used by enterprises and government agencies to manage wide-area networks, making this flaw particularly concerning.
Technical Details of the Vulnerability
The vulnerability exists in the control connection handshaking and peering authentication processes. An attacker can send specially crafted requests to an affected system that bypass authentication validation due to improper error handling. The flaw affects the vdaemon service running over DTLS, a secure UDP protocol typically used on port 12346.
Upon successful exploitation, an attacker gains the ability to log in as an internal high-privileged non-root account called vmanage-admin. This account provides access to the NETCONF service, which runs over SSH on TCP port 830 and allows direct manipulation of network configurations across the entire SD-WAN fabric.
Relationship to Prior Vulnerabilities
Rapid7 researchers discovered that CVE-2026-20182 shares similarities with the previously exploited CVE-2026-20127, another critical authentication bypass affecting the same vdaemon service. However, this is not a patch bypass of the earlier flaw. Instead, it represents a different vulnerability in a similar part of the networking stack that achieves the same end result: remote unauthenticated access with administrative capabilities.
The earlier CVE-2026-20127 has been exploited by threat actor UAT-8616 since at least 2023, demonstrating that attackers actively target this component of Cisco's SD-WAN infrastructure.
Affected Deployments
On-Premises Cisco SD-WAN deployments
Cisco SD-WAN Cloud-Pro
Cisco SD-WAN Cloud managed by Cisco
Cisco SD-WAN for Government under FedRAMP
Systems that expose these services to the internet face the highest risk of compromise.
Real-World Exploitation and Response
Cisco became aware of limited real-world exploitation of CVE-2026-20182 in May 2026 and immediately released patches. The U.S. Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog, establishing a deadline of May 17, 2026 for federal agencies to remediate the issue under Binding Operational Directive 22-01.
Cisco strongly urges all customers to apply available updates immediately, particularly those with internet-exposed systems or exposed ports.
Detection and Hunting Indicators
Organizations should review security logs for signs of exploitation. Specific indicators include entries in the "/var/log/auth.log" file showing accepted public key authentications for the vmanage-admin account from unknown or unauthorized IP addresses.
Additionally, suspicious peering events warrant investigation, particularly unauthorized peer connections occurring at unusual times or from unrecognized IP addresses. Device types inconsistent with the organization's network architecture may also signal compromise.
Attackers may inject their own public keys into the vmanage-admin account's authorized SSH keys file to maintain persistent access, making SSH key audits essential.
Recommendations
Organizations should prioritize patching all affected systems immediately. Beyond patching, teams should conduct comprehensive audits of authentication logs and peering events to determine if exploitation occurred. Those unable to patch immediately should restrict network access to these systems and implement additional monitoring of NETCONF and SSH activity on the affected ports.
Sources
https://thehackernews.com/2026/05/cisco-catalyst-sd-wan-controller-auth.html
https://securityaffairs.com/192157/hacking/u-s-cisa-adds-a-flaw-in-cisco-catalyst-sd-wan-to-its-known-exploited-vulnerabilities-catalog.html
https://x.com/TheCyberSecHub/status/2054998842018541989
https://www.linkedin.com/pulse/cisco-warns-actively-exploited-critical-sd-wan-hbnxe

Comments