Full Report
Cisco has released updates to address a maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller that it said has been exploited in limited attacks. The vulnerability, tracked as CVE-2026-20182, carries a CVSS score of 10.0. "A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly
Analysis Summary
# Vulnerability: Cisco Catalyst SD-WAN Controller Authentication Bypass
## CVE Details
- **CVE ID:** CVE-2026-20182
- **CVSS Score:** 10.0 (Critical)
- **CWE:** Improper Authentication (Authentication Bypass)
## Affected Systems
- **Products:**
  - Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart)
  - Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage)
- **Versions:** Multiple versions are affected; users should consult the official Cisco advisory for the exhaustive list of fixed vs. vulnerable software releases.
- **Configurations:**
  - On-Premise Deployments
  - Cisco SD-WAN Cloud-Pro
  - Cisco SD-WAN Cloud (Cisco Managed)
  - Cisco SD-WAN for Government (FedRAMP)
- Systems with the peering port exposed to the internet are at significantly increased risk.
## Vulnerability Description
The flaw exists within the peering authentication mechanism of the `vdaemon` service, which operates over DTLS (UDP port 12346). Because the service does not correctly validate peering requests, a remote, unauthenticated attacker can send crafted packets to the affected device. This allows the attacker to bypass authentication entirely and gain unauthorized access as an internal, high-privileged, non-root user.
## Exploitation
- **Status:** Exploited in the wild (Limited attacks reported as of May 2026)
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Access to network configurations and administrative data)
- **Integrity:** High (Ability to manipulate network configurations via NETCONF)
- **Availability:** High (Potential to disrupt SD-WAN fabric operations)
## Remediation
### Patches
Cisco has released software updates to address this vulnerability. Organizations are urged to migrate to a fixed release (or later) as specified in the vendor advisory:
- Consult the [Cisco Security Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW) for the specific mapping of affected versions to fixed releases.
### Workarounds
There are no documented workarounds that fully eliminate the risk. Mitigation is limited to:
- Restricting access to UDP port 12346 to trusted peering IP addresses only.
- Ensuring controllers are not unnecessarily exposed to the public internet.
## Detection
- **Indicators of Compromise (IoCs):**
  - Review `/var/log/auth.log` for entries stating: `Accepted publickey for vmanage-admin from [unknown/unauthorized IP]`.
  - Monitor for suspicious peering events in system logs, particularly unauthorized peer connections from unrecognized IP addresses.
  - Check for device types connecting to the fabric that are inconsistent with the established network architecture.
- **Detection methods:** Log aggregation through SIEM to alert on unauthorized administrative logins and peering anomalies.
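The auth.log check above can be automated. The following script is an added example (not code from Cisco, Rapid7 or the original report): it parses standard `sshd` "Accepted ... for ... from ..." entries, keeps only logins for the `vmanage-admin` account named in the IoC, and flags those whose source address falls outside an allowlist of trusted management and peering networks. The allowlist networks and the sample log lines are constructed placeholder values; in practice the allowlist should hold the same addresses you permit on UDP port 12346.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Trusted management / peering addresses. Constructed placeholder values;
# replace with the addresses actually permitted to reach the controller.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/24"),   # management subnet (assumed)
    ipaddress.ip_network("192.0.2.10/32"),  # SD-WAN Manager address (assumed)
]

# Standard sshd auth.log line, e.g.
# "May 12 10:23:45 vsmart01 sshd[2201]: Accepted publickey for vmanage-admin from 192.0.2.10 port 50122 ssh2: ..."
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"Accepted\s+(?P<method>\S+)\s+for\s+(?P<user>\S+)\s+from\s+(?P<ip>\S+)"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    source_ip: str
    method: str


def is_trusted(ip: str) -> bool:
    """True if ip parses and lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Unparseable source field: treat as untrusted so it is not silently dropped.
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspicious_logins(lines: Iterable[str],
                           watched_user: str = "vmanage-admin") -> List[Finding]:
    """Return accepted logins for watched_user whose source is not allowlisted."""
    findings: List[Finding] = []
    for line in lines:
        m = ACCEPTED_RE.match(line.strip())
        if not m:
            continue                      # not an accepted-login line
        if m["user"] != watched_user:
            continue                      # only the account named in the IoC
        if is_trusted(m["ip"]):
            continue                      # expected source, no alert
        findings.append(Finding(m["ts"], m["host"], m["user"], m["ip"], m["method"]))
    return findings


# Constructed sample log excerpt for demonstration; not real telemetry.
SAMPLE_AUTH_LOG = """\
May 12 10:23:45 vsmart01 sshd[2201]: Accepted publickey for vmanage-admin from 192.0.2.10 port 50122 ssh2: RSA SHA256:AAAA
May 12 10:24:01 vsmart01 sshd[2210]: Accepted publickey for vmanage-admin from 203.0.113.77 port 41000 ssh2: RSA SHA256:BBBB
May 12 10:24:09 vsmart01 sshd[2215]: Failed password for admin from 198.51.100.5 port 41002 ssh2
May 12 10:25:30 vsmart01 sshd[2230]: Accepted publickey for admin from 10.10.0.15 port 41010 ssh2: RSA SHA256:CCCC
May 12 10:26:00 vsmart01 sshd[2240]: Accepted publickey for vmanage-admin from 10.10.0.99 port 41020 ssh2: RSA SHA256:DDDD
""".splitlines()


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_AUTH_LOG):
        print(f"ALERT {f.timestamp} {f.host}: {f.user} login via {f.method} "
              f"from untrusted source {f.source_ip}")
```

Run against the sample, only the login from `203.0.113.77` is reported: the `192.0.2.10` and `10.10.0.99` logins are allowlisted and the `admin` login is outside the watched account. Feeding the same function `/var/log/auth.log` from a controller, or shipping its output to the SIEM, gives the "unauthorized administrative login" alert the detection method describes.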
## References
- Cisco Security Advisory: hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
- Rapid7 Research: hxxps://www[.]rapid7[.]com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/
- Original News Report: hxxps://thehackernews[.]com/2026/05/cisco-catalyst-sd-wan-controller-auth.html