
Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access

Cisco has issued patches for a critical authentication bypass vulnerability in its Catalyst SD-WAN Controller that has already been exploited in a small number of targeted attacks. The flaw, identified as CVE-2026-20182, carries the maximum CVSS score of 10.0.

According to Cisco, the issue lies in the peering authentication process within both the Catalyst SD-WAN Controller (previously known as SD-WAN vSmart) and the Catalyst SD-WAN Manager (formerly SD-WAN vManage). It allows an unauthenticated remote attacker to bypass authentication and gain administrative access to affected systems.

The vulnerability is caused by improper handling of the peering authentication mechanism. By sending specially crafted requests, an attacker can log in as a high-privileged internal non-root user. From there, they can leverage NETCONF access to modify the SD-WAN fabric’s network configuration.

The vulnerability affects the following deployments: On-Prem Deployment, Cisco SD-WAN Cloud Pro, Cisco SD-WAN Cloud (Cisco-managed), and Cisco SD-WAN for Government (FedRAMP).

According to Rapid7, which uncovered CVE-2026-20182, this vulnerability is similar to CVE-2026-20127 (CVSS score: 10.0), another critical authentication bypass affecting the same component. This new authentication bypass flaw impacts the 'vdaemon' service over DTLS (UDP port 12346), the same service previously affected by CVE-2026-20127, and has reportedly been exploited by the threat actor UAT-8616 since at least 2023, according to Rapid7 researchers Jonah Burgess and Stephen Fewer. The newly discovered vulnerability is unrelated to any bypass of CVE-2026-20127.
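A defender-side exposure check for the service named above, as an added example that is not from Cisco, Rapid7 or the original article: it scans flow records for UDP/12346 traffic reaching controllers from sources outside the known fabric peers. The CSV layout, every address and the function name `unexpected_peers` are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

VDAEMON_PORT = 12346  # DTLS peering port named in the article

# Constructed sample flow records: time, src, dst, proto, dst_port, packets.
# The CSV layout and all addresses are assumptions, not a Cisco log format.
SAMPLE_FLOWS = """\
2026-05-01T10:00:03Z,10.10.1.5,10.10.0.2,udp,12346,40
2026-05-01T10:00:09Z,198.51.100.77,10.10.0.2,udp,12346,6
2026-05-01T10:01:12Z,198.51.100.77,10.10.0.2,udp,12346,9
2026-05-01T10:02:30Z,203.0.113.9,10.10.0.2,tcp,443,12
2026-05-01T10:03:44Z,192.0.2.14,10.10.0.3,udp,12346,3
2026-05-01T10:04:00Z,10.10.2.8,10.10.0.9,udp,12346,5
"""

def unexpected_peers(flow_csv, controllers, allowed_peers):
    """Summarise UDP/12346 flows that reach a controller from a source
    outside the allowlisted fabric peer networks, keyed by source IP."""
    controller_ips = {ipaddress.ip_address(c) for c in controllers}
    peer_nets = [ipaddress.ip_network(n) for n in allowed_peers]
    hits = {}
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 6:
            continue  # skip blank or malformed records
        ts, src, dst, proto, dport, pkts = (f.strip() for f in row)
        if proto.lower() != "udp" or int(dport) != VDAEMON_PORT:
            continue
        if ipaddress.ip_address(dst) not in controller_ips:
            continue
        src_ip = ipaddress.ip_address(src)
        if any(src_ip in net for net in peer_nets):
            continue  # expected peering traffic
        h = hits.setdefault(src, {"flows": 0, "packets": 0, "first": ts,
                                  "last": ts, "targets": set()})
        h["flows"] += 1
        h["packets"] += int(pkts)
        h["first"] = min(h["first"], ts)  # same-format ISO 8601 sorts as text
        h["last"] = max(h["last"], ts)
        h["targets"].add(dst)
    return hits

if __name__ == "__main__":
    report = unexpected_peers(SAMPLE_FLOWS, ["10.10.0.2", "10.10.0.3"],
                              ["10.10.0.0/16"])
    for src, h in sorted(report.items()):
        print(src, h["flows"], h["packets"], h["first"], h["last"],
              sorted(h["targets"]))
```

Any source this reports is a candidate for an ACL review and a closer look at the controller's peering logs for the same time window.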

  The Hacker News