Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access
Cisco Catalyst SD-WAN Controller Authentication Bypass Exploited in Limited Attacks
TL;DR Cisco released patches for CVE-2026-20182, a maximum-severity authentication bypass in Catalyst SD-WAN Controller and Manager that allows unauthenticated remote attackers to gain administrative access. The flaw has been exploited in limited attacks since May 2026 and affects multiple deployment types. Internet-facing systems are at elevated risk.
What happened
Cisco disclosed a critical authentication bypass vulnerability in the peering authentication mechanism of Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Catalyst SD-WAN Manager (formerly SD-WAN vManage). The vulnerability, CVE-2026-20182, carries a CVSS score of 10.0.
The flaw stems from a malfunction in the peering authentication mechanism. An attacker can exploit it by sending crafted requests to an affected system. A successful exploit permits the attacker to log in to the Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. From this position, the attacker can access NETCONF and manipulate network configuration across the SD-WAN fabric.
The vulnerability affects the vdaemon service over DTLS on UDP port 12346. Rapid7 researchers discovered the flaw and noted that while it targets the same service vulnerable to CVE-2026-20127 (another critical authentication bypass with CVSS 10.0), CVE-2026-20182 is a distinct issue located in a similar part of the vdaemon networking stack—not a patch bypass of the earlier vulnerability.
Cisco became aware of limited exploitation of the flaw in May 2026. The company has released updates and urges customers to apply them immediately.
Why it matters
For infrastructure teams and SOC analysts in the region, this vulnerability represents a direct path to administrative compromise of SD-WAN fabric management. Once an attacker obtains high-privileged access, they can alter network configuration, potentially redirecting traffic, disrupting services, or establishing persistent access across branch and WAN connections. This is particularly acute for organisations running hybrid or multi-site architectures that depend on SD-WAN for traffic engineering and segmentation.
The fact that exploitation requires no authentication and no user interaction lowers the operational bar for an attacker. Any exposed management interface becomes an attack surface. The connection to UAT-8616, a threat actor that has exploited the related CVE-2026-20127 since at least 2023, suggests established adversary interest in this attack surface.
Affected systems and CVEs
- Cisco Catalyst SD-WAN Controller (On-Premises Deployment)
- Cisco Catalyst SD-WAN Manager (On-Premises Deployment)
- Cisco SD-WAN Cloud-Pro
- Cisco SD-WAN Cloud (Cisco Managed)
- Cisco SD-WAN for Government (FedRAMP)
CVE identifiers:
- CVE-2026-20182 (CVSS 10.0) — authentication bypass in vdaemon service over DTLS (UDP port 12346)
- CVE-2026-20127 (CVSS 10.0) — related critical authentication bypass exploited by UAT-8616 since at least 2023
What to do
- Apply the latest security updates released by Cisco immediately, particularly for systems accessible over the internet.
- Audit /var/log/auth.log for entries containing "Accepted publickey for vmanage-admin" that originate from IP addresses you do not recognise or that are not authorized to manage the controller.
- Monitor peering logs for suspicious events: unauthorized peer connections at unexpected times, peers originating from unrecognised IP addresses, or device types that do not align with your network topology.
- Restrict internet accessibility of Catalyst SD-WAN Controller systems and ensure management interfaces are not exposed to untrusted networks.
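The following Python script is an added example of the auth.log check described above; it is not code from Cisco's advisory or from the original article. It assumes the standard OpenSSH sshd line format ("Accepted publickey for USER from IP port N ssh2 ..."), and the sample log lines, the hostname vsmart01 and the allowlisted management subnet 10.20.0.0/24 are constructed for illustration. Every "Accepted publickey" login to vmanage-admin whose source address falls outside the allowlist is reported; password logins, other users and failed attempts are ignored.

```python
"""Flag key-based SSH logins to the internal vmanage-admin account from
addresses outside an allowlist, as a first-pass audit of /var/log/auth.log.

Added example: the log format is assumed to be standard OpenSSH sshd output
with a syslog prefix; the sample lines and subnet below are constructed.
"""
import ipaddress
import re

# Matches the sshd success line. \S+ for the user also covers hyphenated
# account names such as vmanage-admin.
_LOGIN_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def load_allowlist(cidrs):
    """Parse CIDR strings into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def parse_login(line):
    """Return a dict for an 'Accepted ...' sshd line, or None for anything else."""
    m = _LOGIN_RE.search(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:  # malformed or hostname instead of address
        return None
    return {
        "method": m.group("method"),
        "user": m.group("user"),
        "ip": ip,
        "port": int(m.group("port")),
    }


def find_suspicious_logins(lines, allowlist, user="vmanage-admin"):
    """Return (source_ip, raw_line) for publickey logins to `user` from outside
    `allowlist`. An empty allowlist flags every such login."""
    nets = load_allowlist(allowlist)
    hits = []
    for line in lines:
        ev = parse_login(line)
        if ev is None or ev["user"] != user or ev["method"] != "publickey":
            continue
        # `in` returns False across IP versions, so a v6 source is never
        # accidentally matched by a v4 network.
        if not any(ev["ip"] in n for n in nets):
            hits.append((str(ev["ip"]), line.strip()))
    return hits


# Constructed sample of /var/log/auth.log (not real controller output).
SAMPLE_LOG = """\
May  4 09:12:31 vsmart01 sshd[2140]: Accepted publickey for vmanage-admin from 10.20.0.5 port 41022 ssh2: RSA SHA256:aaaa
May  4 09:15:02 vsmart01 sshd[2198]: Accepted publickey for vmanage-admin from 198.51.100.77 port 51844 ssh2: RSA SHA256:bbbb
May  4 09:16:40 vsmart01 sshd[2210]: Accepted password for admin from 10.20.0.9 port 50011 ssh2
May  4 09:17:13 vsmart01 sshd[2222]: Failed publickey for vmanage-admin from 203.0.113.9 port 40000 ssh2
May  4 09:18:00 vsmart01 sshd[2230]: Accepted publickey for vmanage-admin from 10.20.0.5 port 41100 ssh2: RSA SHA256:aaaa
"""

# Assumed: the management subnet from which your own Manager nodes reach the controller.
ALLOWED_PEERS = ["10.20.0.0/24"]

if __name__ == "__main__":
    for ip, line in find_suspicious_logins(SAMPLE_LOG.splitlines(), ALLOWED_PEERS):
        print(f"ALERT vmanage-admin login from {ip}: {line}")
```

Run it against the real file with `find_suspicious_logins(open("/var/log/auth.log"), ALLOWED_PEERS)` after replacing ALLOWED_PEERS with the addresses of your own Manager nodes; a controller that has rotated its logs will need the rotated files included as well. A hit is a lead, not a verdict: confirm it against the peering logs and the Manager's own audit trail before treating it as exploitation.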
Open questions
- The number of organisations or endpoints affected by active exploitation is not specified.
- Specific Cisco software versions impacted by CVE-2026-20182 are not detailed in the advisory.
- The geographic scope or targeted sectors of the limited exploitation campaign are unknown.
- It is unclear whether the threat actor UAT-8616 has also exploited CVE-2026-20182 or remains focused on CVE-2026-20127.
- Whether Cisco has released patches for all affected deployment types (On-Premises, Cloud-Pro, Managed Cloud, FedRAMP) is not confirmed in the advisory.
Source
Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access