Cisco has issued patches for a critical authentication bypass vulnerability in its Catalyst SD-WAN Controller that is already being exploited in limited real-world attacks. The flaw, tracked as CVE-2026-20182, has the maximum CVSS score of 10.0.
According to Cisco, the vulnerability exists in the peering authentication process of both the Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and the Catalyst SD-WAN Manager (formerly SD-WAN vManage). It allows an unauthenticated remote attacker to bypass authentication and gain administrative access to an affected system.
The root cause is a flaw in the peering authentication mechanism that can be triggered by sending specially crafted requests to the target. Successful exploitation enables an attacker to log in as a high-privileged internal (non-root) user account. From there, the attacker can abuse NETCONF access to manipulate the configuration of the entire SD-WAN fabric.
The vulnerability affects the following deployments: on-premises implementations, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Managed by Cisco), and Cisco SD-WAN for Government (FedRAMP).
According to Rapid7, the discoverer of CVE-2026-20182, this vulnerability is similar to CVE-2026-20127 (CVSS score: 10.0), a previous critical authentication bypass affecting the same component. The new authentication bypass flaw impacts the 'vdaemon' service over DTLS (UDP port 12346), the same service previously affected by CVE-2026-20127, and has reportedly been exploited by the threat actor UAT-8616 since at least 2023, according to Rapid7 researchers Jonah Burgess and Stephen Fewer. This new vulnerability is not a bypass of the CVE-2026-20127 patch.
The Hacker News