Emergency Fix

CVE-2026-20182

Authentication Bypass in Cisco Catalyst SD-WAN Controller and Manager

Summary

Cisco Catalyst SD-WAN Controller and Manager’s vdaemon DTLS control-plane handshake fails to verify a peer’s claimed device type. An unauthenticated remote attacker can send crafted DTLS requests on UDP 12346, be accepted as a trusted peer, inject an SSH key for vmanage-admin, and then use NETCONF over SSH on TCP 830 to issue privileged configuration commands. Cisco says the flaw affects all deployment types and has seen limited in-the-wild exploitation.

Why Emergency Fix?

6/6
No authentication required
Mixed internet / internal deployment
No user interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type: Authentication Bypass
Is exploitable with default configuration? Yes
Is authentication needed? No
PoC / Exploit: No
Impact: Full System Compromise. Gain administrative control of the SD-WAN controller, inject SSH keys, and alter network configuration.
Exploitation Requirements: None — vulnerable in default configuration

Exploitation Process
1. The attacker sends crafted DTLS control-connection requests to vdaemon on UDP

6. If the peer admission logic is bypassed, the attacker is treated as a trusted SD-WAN peer and can proceed with privileged actions on the controller or manager. From there, the attacker can add an SSH public key for vmanage-admin, connect over SSH, and use NETCONF to issue configuration commands that alter the SD-WAN fabric.

Detection Resources
Manual Detection: 2
Script Detection: 0
Scanner Detection: 1

Affected Software

Vendor: Cisco

Product | Affected Versions
Cisco Catalyst SD-WAN Controller | All versions prior to Cisco's fixed releases listed in the advisory.
Cisco Catalyst SD-WAN Manager | All versions prior to Cisco's fixed releases listed in the advisory.
Description

Central control-plane and management software used to orchestrate Cisco SD-WAN peers, routing policy, and branch connectivity from a single controller and manager.

Deployment: Mixed (internet/internal) | Protocol: DTLS | Ports: 12346, 22, 830
Affected Component: vdaemon DTLS peering authentication and CHALLENGE_ACK handling for control connections.

Vendor Size: Big
Remediation
Workaround: Not available
Patch: Not available
Update: Upgrade Cisco Catalyst SD-WAN Controller/Manager to the first fixed release for your train (for example 20.9.9.1, 20.12.5.4/20.12.6.2/20.12.7.1, 20.15.4.4/20.15.5.2, 20.18.2.2, or 26.1.1.1; Cisco also fixed cloud-managed 20.15.506).

Reference: www.cisco.com
Threat Intelligence
EPSS: data unavailable
CISA KEV: Listed
Active Exploitation: Active (source: blog.talosintelligence.com)
Threat Actors (1): UAT-8616, a highly sophisticated cyber threat actor targeting SD-WAN controllers and critical infrastructure

Detection Rules (2)

  • Other: Control connection peering events: flag state:up sessions with challenge-ack:0, especially unexpected vmanage peers or source IPs.
  • Other: auth.log: alert on 'Accepted publickey for vmanage-admin' from unknown or unauthorized IP addresses.
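As an added, defender-side illustration of the two rules above (example code, not the page's or Cisco's own), the following Python applies them to constructed sample records. The key:value peering record layout, the sample auth.log lines and the allow list of known controller addresses are assumptions made for the example.

```python
import re

# Constructed sample peering records. The key:value layout is an assumption for
# this example, not the real 'show control connections' output format.
PEERING_EVENTS = [
    "peer-type:vmanage peer-ip:10.0.0.5 state:up challenge-ack:1",
    "peer-type:vsmart peer-ip:10.0.0.9 state:up challenge-ack:1",
    "peer-type:vsmart peer-ip:10.0.0.11 state:up challenge-ack:0",
    "peer-type:vmanage peer-ip:198.51.100.23 state:up challenge-ack:0",
    "peer-type:vedge peer-ip:10.1.2.3 state:down challenge-ack:0",
]
# Constructed auth.log lines in the usual OpenSSH sshd format.
AUTH_LOG = [
    "May  3 10:12:01 vmanage sshd[2211]: Accepted publickey for vmanage-admin from 10.0.0.5 port 51234 ssh2: RSA SHA256:aaaa",
    "May  3 10:13:44 vmanage sshd[2240]: Accepted publickey for admin from 10.0.0.7 port 51240 ssh2: RSA SHA256:bbbb",
    "May  3 10:15:09 vmanage sshd[2301]: Accepted publickey for vmanage-admin from 198.51.100.23 port 40110 ssh2: RSA SHA256:cccc",
]
# Controller/manager addresses expected to peer or to log in (constructed allow list).
KNOWN_PEERS = {"10.0.0.5", "10.0.0.9", "10.0.0.11"}
SSH_RE = re.compile(r"Accepted publickey for vmanage-admin from (\S+) port \d+")

def parse_kv(line):
    """Split 'key:value key:value ...' into a dict."""
    return dict(tok.split(":", 1) for tok in line.split())

def suspicious_peerings(events, known_peers):
    """Rule 1: an up control connection whose challenge-ack never completed.
    Returns (peer-ip, peer-type, reason); unknown sources get a stronger reason."""
    hits = []
    for line in events:
        f = parse_kv(line)
        if f.get("state") != "up" or f.get("challenge-ack") != "0":
            continue
        reason = "state:up with challenge-ack:0"
        if f.get("peer-ip") not in known_peers:
            reason += " from unknown source"
        hits.append((f.get("peer-ip"), f.get("peer-type"), reason))
    return hits

def unauthorized_admin_logins(lines, allowed_ips):
    """Rule 2: vmanage-admin public-key logins from addresses outside the allow list."""
    hits = []
    for line in lines:
        m = SSH_RE.search(line)
        if m and m.group(1) not in allowed_ips:
            hits.append(m.group(1))
    return hits
```

A session that is up but never completed the challenge-ack from an address outside the allow list trips both rules, which is the combination worth paging on.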

NVD Data


Description Summary

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks.  A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

CVSS Base Score

10.0 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CWE: CWE-287 Improper Authentication
Version Upto: 20.9.9.1

Affected Software (CPE) (4)

  • cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.7:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:sd-wan_vsmart_controller:20.12.7:*:*:*:*:*:*:*

Priority History

Planned Fix: Initial analysis
Emergency Fix: Elevated — all critical conditions met