Emergency Fix

CVE-2026-20182

Authentication Bypass in Cisco Catalyst SD-WAN Controller and Manager

Summary

Cisco Catalyst SD-WAN Controller and Manager’s vdaemon DTLS control-plane handshake fails to verify a peer’s claimed device type. An unauthenticated remote attacker can send crafted DTLS requests on UDP 12346, be accepted as a trusted peer, inject an SSH key for vmanage-admin, and then use NETCONF over SSH on TCP 830 to issue privileged configuration commands. Cisco says the flaw affects all deployment types and has seen limited in-the-wild exploitation.

Why Emergency Fix?

6/6
No authentication required
Mixed internet / internal deployment
No user interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type
Authentication Bypass
Is exploitable with default configuration?
Yes
Is authentication needed?
No
PoC / Exploit
Yes
Impact

Gain administrative control of the SD-WAN controller, inject SSH keys, and alter network configuration.

Full System Compromise
Exploitation Requirements

None — vulnerable in default configuration

Exploitation Process

The attacker sends crafted DTLS control-plane traffic to vdaemon on UDP 12346 and abuses the peering handshake so the target accepts the connection as a trusted SD-WAN peer. Once the bypass succeeds, the attacker can push an SSH public key for the vmanage-admin account, then authenticate to NETCONF over SSH on TCP 830 with that key. From there, the attacker can issue privileged configuration commands and take over the SD-WAN fabric.

Detection Resources
Manual Detection
2
Script Detection
0
Scanner Detection
1

Affected Software

Vendor: Cisco

Product: Cisco Catalyst SD-WAN Controller
Affected Versions: All versions earlier than Cisco's fixed releases for each supported train (20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.18.2.2, 26.1.1.1; SD-WAN Cloud earlier than 20.15.506)

Product: Cisco Catalyst SD-WAN Manager
Affected Versions: All versions earlier than Cisco's fixed releases for each supported train (20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.18.2.2, 26.1.1.1; SD-WAN Cloud earlier than 20.15.506)
Description

Cisco software used to centrally orchestrate and manage SD-WAN controllers, routing policy, device onboarding, and branch connectivity across distributed networks.

Deployment: Mixed (internet/internal) | Protocol: DTLS | Ports: 12346, 830

Affected Component: vdaemon DTLS control-plane peering authentication and CHALLENGE_ACK handling for control connections.

Vendor Size: Big
Remediation
Workaround

Not available

Patch

Not available

Update

Upgrade all Cisco Catalyst SD-WAN control components to the nearest fixed release for your train: 20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.18.2.2, or 26.1.1.1. Cisco also notes SD-WAN Cloud fixed release 20.15.506.
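The fixed-release list above is per train, so a fleet inventory has to be mapped version by version to the release it must reach. The script below is an added example (not Cisco's code and not part of this advisory) that does that mapping for the on-premises Controller and Manager releases listed here; SD-WAN Cloud uses a different numbering and is left out. The matching rule it applies is an assumption: a running version is compared against the fixed release on its own three-component sub-train (for example 20.12.6.x against 20.12.6.2), a sub-train without its own fix moves up to the next fixed release on the same major.minor train (20.12.4.x to 20.12.5.4), and anything outside the listed trains is reported as undecided so it gets checked against the vendor advisory rather than silently marked safe.

```python
"""Map running Cisco Catalyst SD-WAN Controller/Manager versions to the
nearest fixed release for CVE-2026-20182.

Added example, not vendor code. FIXED_RELEASES is copied from the advisory
summary on this page; the train-matching rule in assess() is an assumption
about how Cisco release trains are cut, so confirm any result against the
advisory before scheduling or skipping an upgrade.
"""
from typing import Dict, Optional, Tuple

# Fixed releases for the on-premises control components (from the page).
FIXED_RELEASES = [
    "20.9.9.1",
    "20.12.5.4", "20.12.6.2", "20.12.7.1",
    "20.15.4.4", "20.15.5.2",
    "20.18.2.2",
    "26.1.1.1",
]

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '20.12.5.4' into (20, 12, 5, 4); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def _common_prefix(a: Version, b: Version) -> int:
    """Number of leading components two versions share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def assess(running: str) -> Dict[str, Optional[object]]:
    """Return {'vulnerable': True/False/None, 'target': fixed release or None,
    'reason': text}. None means the list on this page cannot decide."""
    v = parse_version(running)
    fixed = sorted(parse_version(f) for f in FIXED_RELEASES)

    # Assumption: the fix on the same 3-component sub-train (e.g. 20.12.6.x)
    # is the one that applies; compare the running version against it.
    same_subtrain = [f for f in fixed if _common_prefix(v, f) >= 3]
    if same_subtrain:
        target = same_subtrain[0]
        if v >= target:
            return {"vulnerable": False, "target": None,
                    "reason": f"{running} is at or above fixed release {fmt(target)}"}
        return {"vulnerable": True, "target": fmt(target),
                "reason": f"{running} is below fixed release {fmt(target)} on its sub-train"}

    # Assumption: a sub-train with no fix of its own must move to the nearest
    # higher fixed release on the same major.minor train (20.12.4.x -> 20.12.5.4).
    same_train = [f for f in fixed if _common_prefix(v, f) >= 2 and f > v]
    if same_train:
        target = same_train[0]
        return {"vulnerable": True, "target": fmt(target),
                "reason": f"{running} has no fix on its sub-train; nearest fixed release is {fmt(target)}"}

    # Train not in the list, or newer than every listed fix on its train:
    # do not guess either way.
    return {"vulnerable": None, "target": None,
            "reason": f"no fixed release listed for the train of {running}; consult the advisory"}


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    inventory = {"vsmart-01": "20.12.6.1", "vmanage-01": "20.12.7.1",
                 "vsmart-02": "20.9.8.2", "lab-ctrl": "20.10.1.1"}
    for host, ver in inventory.items():
        r = assess(ver)
        print(f"{host:<12} {ver:<11} vulnerable={r['vulnerable']!s:<5} "
              f"target={r['target'] or '-':<10} {r['reason']}")
```

Feed it the version column of whatever inventory export you already have; the undecided rows are the ones worth a manual look, since they are either unsupported trains or releases newer than this list.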

www.cisco.com
Threat Intelligence
EPSS Score: 77.3%

Probability of exploitation in the next 30 days

EPSS Percentile: 99%

Worse than 99% of all CVEs

CISA KEV
Listed
Active Exploitation
Active
cisco.com
Threat Actors (1)
UAT-8616

highly sophisticated cyber threat actor targeting Cisco SD-WAN and critical infrastructure sectors

Detection Rules (2)
Snort
3:66482 Cisco SD-WAN self-signed DTLS client certificate connection attempt
Snort
3:66483 Cisco SD-WAN Controller authentication bypass attempt

NVD Data


Description Summary

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks. A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

CVSS Base Score

10.0
Critical

CVSS Vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CWE: CWE-287 Improper Authentication
Version From: | Version Upto: 20.9.9.1

Affected Software (CPE) (4)

  • cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.7:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:sd-wan_vsmart_controller:20.12.7:*:*:*:*:*:*:*