Cisco addresses a critical authentication bypass vulnerability (CVE-2026-20182) in its Catalyst SD-WAN Controller that has been actively exploited in limited attacks, potentially allowing attackers to gain full administrative control of network infrastructure.
Cisco has released emergency updates to address a maximum-severity authentication bypass flaw in its Catalyst SD-WAN Controller that the company has confirmed is being actively exploited in the wild. The vulnerability, tracked as CVE-2026-20182, carries a CVSS score of 10.0 and poses a significant risk to organizations using the affected products.
"A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system," explained Cisco in its security advisory.
The flaw stems from a malfunction in the peering authentication mechanism that attackers can exploit by sending specially crafted requests to vulnerable systems. A successful compromise would allow an attacker to log in to the Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. From this position, the attacker could then access NETCONF interfaces and manipulate network configurations across the entire SD-WAN fabric.
Affected Platforms
The vulnerability impacts multiple deployment scenarios:
- On-Prem Deployment
- Cisco SD-WAN Cloud-Pro
- Cisco SD-WAN Cloud (Cisco Managed)
- Cisco SD-WAN for Government (FedRAMP)
According to researchers at Rapid7, who discovered the vulnerability, CVE-2026-20182 bears similarities to another critical authentication bypass affecting the same components. "This new authentication bypass vulnerability affects the 'vdaemon' service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026-20127," said Rapid7 researchers Jonah Burgess and Stephen Fewer. "The new vulnerability is not a patch bypass of CVE-2026-20127. It is a different issue located in a similar part of the 'vdaemon' networking stack."
Active Exploitation Confirmed
Cisco confirmed that it became aware of "limited exploitation" of the vulnerability in May 2026. The company has urged customers to apply the latest updates as soon as possible to protect their networks.
"The end result is the same: a remote unauthenticated attacker can abuse CVE-2026-20182 to become an authenticated peer of the target appliance and carry out privileged operations," the Rapid7 researchers noted.
Risk Assessment
Cisco emphasized that Catalyst SD-WAN Controller systems accessible over the internet with exposed ports face an increased risk of compromise. The vulnerability is particularly concerning for organizations with complex network architectures, as successful exploitation could lead to complete network compromise.
Detection and Mitigation
For organizations that cannot immediately apply patches, Cisco recommends monitoring system logs for potential indicators of compromise:
- Audit the "/var/log/auth.log" file for entries related to "Accepted publickey for vmanage-admin from unknown or unauthorized IP addresses"
- Monitor for suspicious peering events in logs, including:
- Unauthorized peer connections at unexpected times
- Connections originating from unrecognized IP addresses
- Peer connections involving device types inconsistent with the environment's architecture
Expert Recommendations
Security experts recommend immediate action for organizations using affected Cisco products:
- Prioritize patching systems as soon as possible
- Implement network segmentation to limit potential blast radius
- Restrict access to the vdaemon service (UDP port 12346) where possible
- Implement multi-factor authentication as an additional security layer
- Conduct thorough security assessments post-patching to ensure no persistence remains
"This vulnerability highlights the critical importance of timely patching for network infrastructure components," said security analyst Marcus Johnson. "SD-WAN controllers are central to modern network architectures, and compromise at this level can have cascading effects across an organization's entire digital infrastructure."
The discovery of this vulnerability comes amid increased targeting of network infrastructure by threat actors. Organizations should review their patch management processes and ensure that critical network components are updated promptly when security advisories are released.
For more information about the vulnerability and available updates, organizations should consult Cisco's official security advisory and the Rapid7 blog post detailing their findings.
Comments
Please log in or register to join the discussion