
Cisco Catalyst SD-WAN Controller: Critical Authentication Vulnerability Actively Exploited

In a nutshell: Cisco has patched a critical authentication vulnerability (CVE-2026-20182, CVSS 10.0) in the SD-WAN Controller that is already being actively exploited. Unpatched systems give unauthenticated attackers admin access and control of the entire SD-WAN infrastructure.

Cisco has released security patches for a critical authentication vulnerability (CVE-2026-20182) in the Catalyst SD-WAN Controller. The vulnerability, which carries the maximum CVSS score of 10.0, is already being exploited in targeted attacks and enables unauthenticated attackers to gain admin access.

The security flaw is located in the peering authentication process of the Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and the Catalyst SD-WAN Manager (formerly SD-WAN vManage). An unauthenticated attacker can bypass authentication and gain administrator access to affected systems.

The root cause lies in a flaw in the peering authentication mechanism that is triggered by specially crafted requests. When successfully exploited, attackers can authenticate as a privileged internal user and compromise the entire SD-WAN infrastructure via NETCONF access.

On-premises implementations, Cisco SD-WAN Cloud Pro, Cisco SD-WAN Cloud (Cisco’s managed offering), and Cisco SD-WAN for Government (FedRAMP) are affected. According to security researchers at Rapid7, who discovered the vulnerability, CVE-2026-20182 is similar to the earlier critical authentication vulnerability CVE-2026-20127. The new vulnerability affects the vdaemon service over DTLS (UDP port 12346) and, according to researchers, has been actively exploited by the threat group UAT-8616 since at least 2023.
