
Cisco has released an update that addresses a maximum-severity authentication bypass flaw in Catalyst SD-WAN controllers which, the company said, has already been exploited in limited attacks.
This vulnerability is tracked as CVE-2026-20182 and has a CVSS score of 10.0.
“A vulnerability in peering authentication for Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) could allow an unauthenticated, remote attacker to bypass authentication and gain administrative privileges on an affected system,” Cisco said.
The networking equipment giant said the flaw stems from a weakness in the peering authentication mechanism and can be triggered by sending a crafted request to an affected system.
A successful exploit could allow the attacker to log in to a Cisco Catalyst SD-WAN controller as an internal, highly privileged non-root user account and leverage that account to reach NETCONF and manipulate the configuration of the SD-WAN fabric.
This vulnerability affects the following deployments:
- On-premises deployments
- Cisco SD-WAN Cloud-Pro
- Cisco SD-WAN Cloud (Cisco Managed)
- Cisco SD-WAN for Government (FedRAMP)

According to Rapid7, which discovered CVE-2026-20182, the flaw is closely related to another critical authentication bypass in the same component, CVE-2026-20127 (CVSS score: 10.0). The latter has reportedly been exploited by a threat actor tracked as UAT-8616 since at least 2023.
“This new authentication bypass vulnerability affects the ‘vdaemon’ service (UDP port 12346) over DTLS, the same service that was vulnerable to CVE-2026-20127,” said Rapid7 researchers Jonah Burgess and Stephen Fewer. “The new vulnerability is not a patch bypass for CVE-2026-20127. It is a separate issue in a similar part of the ‘vdaemon’ network stack.”
However, the end result is the same. CVE-2026-20182 could allow a remote unauthenticated attacker to become an authenticated peer of a target appliance and perform privileged operations.
In an advisory, Cisco said it became aware of “limited exploitation” of the flaw in May 2026 and urged customers to apply the latest update as soon as possible.
The company also warned that Catalyst SD-WAN controllers that are reachable from the internet with exposed ports are at high risk of compromise. Customers are encouraged to audit the “/var/log/auth.log” file for accepted-public-key logins for the vmanage-admin account that originate from unknown or unauthorized IP addresses.
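The auth.log check above is easy to script. The following is an added example, not Cisco's or Rapid7's code: it parses OpenSSH-style “Accepted publickey for <user> from <ip>” entries and flags vmanage-admin logins whose source address is outside an allowlist of known management and peer networks. The log line format, the sample entries and the allowlist are all constructed assumptions for the demonstration; verify the exact format against an auth.log from your own controller before relying on it.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed OpenSSH-style auth.log line shape (an assumption, not Cisco documentation):
#   "<timestamp> <host> sshd[<pid>]: Accepted publickey for <user> from <ip> port <port> ssh2: ..."
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

# Constructed sample log lines for the demonstration (not taken from a real appliance).
SAMPLE_AUTH_LOG = """\
May 12 03:14:07 vmanage sshd[4120]: Accepted publickey for vmanage-admin from 10.10.0.21 port 41022 ssh2: RSA SHA256:aaa
May 12 03:14:09 vmanage sshd[4131]: Accepted publickey for admin from 10.10.0.50 port 51000 ssh2: RSA SHA256:bbb
May 12 03:15:44 vmanage sshd[4190]: Accepted publickey for vmanage-admin from 203.0.113.77 port 39001 ssh2: RSA SHA256:ccc
May 12 03:16:02 vmanage sshd[4201]: Failed password for invalid user test from 198.51.100.9 port 22000 ssh2
May 12 03:17:30 vmanage sshd[4250]: Accepted publickey for vmanage-admin from 10.10.0.22 port 41100 ssh2: RSA SHA256:ddd
"""


def audit_auth_log(lines, known_peers, user="vmanage-admin"):
    """Return accepted-publickey logins for `user` whose source IP is not inside any
    network in `known_peers` (a list of CIDR strings). Each finding carries the
    source IP, source port and the raw line so it can be handed to an analyst."""
    allowed = [ip_network(n) for n in known_peers]
    findings = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if not m or m.group("user") != user:
            continue  # not an accepted-publickey event, or a different account
        src = ip_address(m.group("ip"))
        if not any(src in net for net in allowed):
            findings.append({"ip": str(src), "port": int(m.group("port")), "line": line.strip()})
    return findings


def audit_auth_log_file(path, known_peers, user="vmanage-admin"):
    """Same check over a file on disk, e.g. /var/log/auth.log on the controller."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_auth_log(fh, known_peers, user)


if __name__ == "__main__":
    # Hypothetical allowlist: the management subnet the controllers' own peers live on.
    for f in audit_auth_log(SAMPLE_AUTH_LOG.splitlines(), ["10.10.0.0/24"]):
        print(f"SUSPICIOUS vmanage-admin login from {f['ip']}:{f['port']}: {f['line']}")
```

Run it on the controller with `audit_auth_log_file("/var/log/auth.log", ["<your management CIDRs>"])`; the allowlist should contain only the networks from which controller peers and administrators legitimately connect, so that anything else stands out. A hit is an indicator to investigate, not proof of compromise on its own.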

Another indicator is the presence of suspicious peering events in the logs: peer connections that occur at unexpected times, originate from unrecognized IP addresses, or involve device types that are inconsistent with the environment’s architecture.
