Full Report
AL26-013 - Critical vulnerability affecting Cisco Catalyst SD-WAN - CVE-2026-20182
Analysis Summary
# Vulnerability: Critical Improper Authentication in Cisco Catalyst SD-WAN
## CVE Details
- **CVE ID:** CVE-2026-20182
- **CVSS Score:** Critical (Numerical score not specified in text, but categorized as "Critical")
- **CWE:** CWE-287 (Improper Authentication)
## Affected Systems
- **Products:**
- Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart)
- Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage)
- **Versions:**
- Versions earlier than 20.9
- Versions 20.9, 20.10, 20.11, 20.12, 20.13, 20.14, 20.15, 20.16, 20.18, and 26.1
- **Configurations:** Affects all deployment types (On-Prem, Cloud-Pro, Cisco Managed, and FedRAMP). Vulnerable regardless of specific device configuration, especially if accessible from the internet.
## Vulnerability Description
This flaw exists in the peering authentication process of the SD-WAN Controller and Manager. It allows an unauthenticated, remote attacker to bypass standard security checks, potentially leading to unauthorized privilege escalation. Attackers can gain administrative or root-level access to the affected systems.
## Exploitation
- **Status:** **Active exploitation reported.** Incidents include unauthorized SSH key insertion and NETCONF configuration modifications.
- **Complexity:** Not explicitly stated (implied Low given remote unauthenticated bypass).
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Administrative access to SD-WAN networks)
- **Integrity:** High (Modification of system configurations and persistence mechanisms)
- **Availability:** High (Full administrative control over network infrastructure)
## Remediation
### Patches
Organizations should migrate to the following fixed releases or later:
- **20.9:** 20.9.9.1
- **20.10 / 20.11:** 20.12.7.1
- **20.12:** 20.12.5.4, 20.12.6.2, or 20.12.7.1
- **20.13 / 20.14:** 20.15.5.2
- **20.15:** 20.15.4.4 or 20.15.5.2
- **20.16 / 20.18:** 20.18.2.2
- **26.1:** 26.1.1.1
### Workarounds
The provided text does not list specific manual workarounds; immediate patching is recommended as the primary mitigation.
## Detection
- **Indicators of Compromise:**
- Unauthorized SSH keys added to the system.
- Unexpected modifications to NETCONF configurations.
- Evidence of privilege escalation to root.
- **Detection methods:** Monitor administrative logs for unusual peering requests or unauthorized configuration changes. Use Cisco-provided remediation guides to verify system integrity.
## References
- Cisco Security Advisory: [https://sec.cloudapps.cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v]
- Canadian Centre for Cyber Security Alert: [https://www.cyber.gc[.]ca/en/alerts-advisories/al26-013-critical-vulnerability-affecting-cisco-catalyst-sd-wan-cve-2026-20182]
- Mitre CWE-287: [https://cwe.mitre[.]org/data/definitions/287.html]
- CVE Record: [https://www.cve[.]org/CVERecord?id=CVE-2026-20182]