Cisco Catalyst SD-WAN Controller: Critical Security Vulnerability Already Being Actively Exploited

Bottom line: Cisco has patched a critical authentication vulnerability (CVE-2026-20182) in the Catalyst SD-WAN Controller that carries the maximum CVSS score of 10.0. The vulnerability is already being actively exploited in targeted attacks and lets unauthenticated attackers gain admin access.

Cisco has released security patches for a critical authentication vulnerability in its Catalyst SD-WAN Controller that is already being actively exploited in targeted attacks. The vulnerability, designated CVE-2026-20182, carries the maximum CVSS score of 10.0 and affects both the Catalyst SD-WAN Controller and the Catalyst SD-WAN Manager.

The vulnerability lies in the faulty handling of the peering authentication process. By sending specially crafted requests, unauthenticated remote attackers can bypass authentication and log in as a privileged internal user. From there, they can modify the SD-WAN fabric network configuration via NETCONF access.

Security research firm Rapid7 identified the vulnerability in the “vdaemon” component, which communicates via DTLS on UDP port 12346. The threat group UAT-8616 reportedly exploited this vulnerability as early as 2023. While the new vulnerability is a separate discovery, it is often compared to the similar critical authentication vulnerability CVE-2026-20127, which also has a CVSS score of 10.0.
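Because the affected component listens for DTLS on UDP port 12346, one practical check is to review flow records for sources reaching that port on a controller from outside the networks where fabric peers are expected. The following is an added example, not code from Cisco, Rapid7 or the original article; the CSV layout, controller addresses and peer networks are constructed assumptions.

```python
import csv
import io
import ipaddress

VDAEMON_PORT = 12346  # DTLS control port named in the article

# Constructed sample flow records (hypothetical CSV layout, not a Cisco log format).
SAMPLE_FLOWS = """ts,src,dst,proto,dport,bytes
2026-01-10T08:00:01Z,198.51.100.10,192.0.2.5,udp,12346,4200
2026-01-10T08:00:07Z,203.0.113.77,192.0.2.5,udp,12346,980
2026-01-10T08:01:12Z,203.0.113.77,192.0.2.5,udp,12346,1310
2026-01-10T08:02:30Z,198.51.100.22,192.0.2.5,tcp,443,15000
2026-01-10T08:03:02Z,203.0.113.9,192.0.2.6,udp,12346,640
2026-01-10T08:03:40Z,203.0.113.200,192.0.2.99,udp,12346,500
"""

# Assumed inventory: controller addresses and the networks fabric peers live in.
CONTROLLERS = {"192.0.2.5", "192.0.2.6"}
KNOWN_PEER_NETS = ["198.51.100.0/24"]


def unexpected_peers(flow_csv, controllers, peer_nets, port=VDAEMON_PORT):
    """Return {controller: {source: flow_count}} for UDP flows to the
    control port whose source is outside every known peer network."""
    nets = [ipaddress.ip_network(n) for n in peer_nets]
    findings = {}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        # Only UDP traffic to the control port is relevant here.
        if row["proto"].lower() != "udp" or int(row["dport"]) != port:
            continue
        # Ignore destinations that are not inventoried controllers.
        if row["dst"] not in controllers:
            continue
        src = ipaddress.ip_address(row["src"])
        if any(src in net for net in nets):
            continue  # expected fabric peer
        per_ctrl = findings.setdefault(row["dst"], {})
        per_ctrl[row["src"]] = per_ctrl.get(row["src"], 0) + 1
    return findings


if __name__ == "__main__":
    hits = unexpected_peers(SAMPLE_FLOWS, CONTROLLERS, KNOWN_PEER_NETS)
    for ctrl, sources in hits.items():
        for src, count in sorted(sources.items()):
            print(f"{ctrl}: {count} flow(s) on udp/{VDAEMON_PORT} from unlisted source {src}")
```

A hit only shows that an unlisted source reached the control port; it is a prompt to review that source and tighten filtering, not evidence of compromise on its own.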

Affected deployment types include on-premises installations, Cisco SD-WAN Cloud Pro, the cloud-managed variant, and Cisco SD-WAN for Government with FedRAMP support.