Critical

CA-A-26-015 Active Exploitation of Cisco SD-WAN Controller Authentication Bypass (CVE-2026-20182)

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 5 minutes

CVE-2026-20182, Cisco, SD-WAN, Authentication Bypass, Active Exploitation, CISA KEV

Source Material: Cisco Security Advisory | CISA KEV | Technology: Cisco Catalyst SD-WAN Controller, Cisco Catalyst SD-WAN Manager | Targeted Industries: Agnostic / Broadly Targeted

Executive Summary

On May 14, 2026, Cisco disclosed a critical vulnerability (CVE-2026-20182) impacting the peering authentication mechanisms within Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). This vulnerability carries a maximum CVSS score of 10.0 and allows an unauthenticated, remote attacker to bypass authentication controls to obtain administrative privileges on affected systems.

CISA has confirmed that CVE-2026-20182 is currently under active exploitation in the wild. Current intelligence reporting associates the exploitation activity with UAT-8616. UAT-8616 has a history of targeting SD-WAN infrastructure and has been observed leveraging Operational Relay Box (ORB) networks to carry out exploitation.

Successful exploitation of this vulnerability grants high-level privileges that allow an attacker to manipulate the SD-WAN fabric’s network configuration via NETCONF. Cisco has released fixed software updates addressing this flaw across all deployment types and immediate patching is recommended in order to prevent network compromise. There are no known workarounds available for this vulnerability.

Threat Overview and Strategic Impact

CVE-2026-20182 is an unauthenticated, remote improper authentication vulnerability (CWE-287) residing in the vdaemon service, which operates over DTLS (UDP port 12346). The vulnerability stems from a distinct logic flaw during the control connection handshake. If an attacker spoofs the identity of a vHub (device type 2) during the CHALLENGE_ACK phase, the system lacks the corresponding verification code and completely bypasses certificate validation, automatically granting an authenticated state.

Once authenticated, the attacker can leverage a MSG_VMANAGE_TO_PEER message to inject a malicious SSH public key directly into the vmanage-admin account’s authorized_keys file. This grants direct SSH access to the NETCONF service as an internal, high-privileged, non-root user. Since SD-WAN controllers act as the central routing authority for enterprise WAN, NETCONF access enables threat actors to arbitrarily alter the network configuration of the entire SD-WAN fabric.

Threat intelligence reporting has identified a post-compromise tactic where attackers may execute a “version-downgrade”. By intentionally downgrading the controller’s software, threat actors expose the system to older, known vulnerabilities (such as CVE-2022-20775) to escalate their privileges from the vmanage-admin account to achieve full root access.

Security Hardening and Recommendations

There are no available workarounds or mitigations that address this vulnerability. Organizations operating affected software must prioritize upgrading to a fixed release immediately.

  • Preserve Forensic Data: Prior to initiating any upgrades, administrators should issue the request admin-tech command from each of the control components in the SD-WAN deployment. This preserves logs needed to identify potential indicators of compromise.
  • Deploy Official Patches: Upgrade affected Cisco Catalyst SD-WAN Controllers and Managers to the appropriate fixed software release (e.g., 20.9.9.1, 20.12.7.1, 20.15.5.2, or 26.1.1.1) corresponding to your deployment train as detailed in the Cisco advisory.
  • Restrict Access: While no workaround exists for the vulnerability itself, standard hardening dictates restricting internet exposure for control components. Ensure management ports and the administrative web UI are accessible only from vetted, internal IP addresses.

Detection Strategy

Detections should focus on identifying anomalous peering events within SD-WAN logs, particularly those unexpectedly utilizing the vHub device type, and unauthorized access to the vmanage-admin account. Analysts should audit authentication logs for successful public key authentications originating from unfamiliar external infrastructure. Network telemetry should also be evaluated for anomalous traffic over UDP port 12346 involving MSG_VMANAGE_TO_PEER (Message type 14).

How Deepwatch Protects Our Customers

Deepwatch Adversary Tactics & Intelligence (ATI) is analyzing available intelligence for further technical details and exploitation telemetry associated with CVE-2026-20182 and the UAT-8616 cluster. Our Guardians are continuously monitoring customer environments for signs of malicious or anomalous authentication activity related to Cisco SD-WAN appliances. Any identified suspicious activity undergoes immediate investigation in accordance with our response procedures.

Relevant Detections

Please visit Security Center to access the relevant detections for this activity.

Threat Hunting Leads

  • Audit Authentication Logs: Review the /var/log/auth.log file for instances of Accepted publickey for vmanage-admin originating from unknown or unauthorized IP addresses.
  • Identify Missing Challenge Acknowledgments: Execute show control connections detail or show control connections-history detail from the CLI. Hunt for unauthorized connections reporting a state up condition while simultaneously showing challenge-ack 0 in the Tx/Rx statistics.
  • Validate Peering Events: Hunt for anomalous control-connection-state-change events within daemon logs (e.g., %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001). Pay special attention to peering events where the peer-type is registered as a vHub, especially if the environment architecture does not utilize vHub devices.
  • Monitor for Unauthorized Downgrades: Hunt for unexplained software downgrades or system reboots, which may indicate an attempt to expose the system to older vulnerabilities like CVE-2022-20775 for root escalation.
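The first and third hunting leads above (key logins for vmanage-admin from unexpected sources, and control connections coming up with a vHub peer type in a fabric that has none) can be turned into a repeatable check over exported logs. The script below is an added example, not Deepwatch or Cisco tooling. The auth.log lines follow the standard OpenSSH "Accepted publickey" format; the vdaemon lines are a constructed approximation of the %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001 event, so the field layout in PEER_RE is an assumption to be adjusted against the exact messages in your admin-tech bundle. The trusted network ranges and the assumption that no vHub devices are deployed are also placeholders for your own environment.

```python
"""Hunt helpers for CVE-2026-20182 post-exploitation indicators (added example).

Assumptions (not from the advisory): TRUSTED_NETWORKS lists the only sources
that may legitimately SSH to the controllers, VHUB_EXPECTED reflects whether
the fabric uses vHub devices, and the vdaemon line layout is constructed.
"""
import ipaddress
import re

# Assumption: management jump hosts and peer control components live here.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]
# Assumption: this deployment has no vHub devices, so any vHub peer is suspect.
VHUB_EXPECTED = False

# Real OpenSSH format: "Accepted publickey for <user> from <ip> port <port> ssh2: ..."
AUTH_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)
# Constructed layout for the control-connection-state-change event.
PEER_RE = re.compile(
    r"NTCE-1000001.*control-connection-state-change"
    r".*?peer-type\s+(?P<ptype>\S+)"
    r".*?peer-system-ip\s+(?P<sysip>\S+)"
    r".*?state\s+(?P<state>\S+)"
)


def is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the operator-defined trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def hunt_auth_log(lines):
    """Return (ip, port) for every vmanage-admin public-key login from an untrusted source."""
    hits = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m and m["user"] == "vmanage-admin" and not is_trusted(m["ip"]):
            hits.append((m["ip"], int(m["port"])))
    return hits


def hunt_vdaemon_log(lines):
    """Return peer system IPs whose control connection came up with peer-type vHub."""
    hits = []
    for line in lines:
        m = PEER_RE.search(line)
        if m and m["state"] == "up" and m["ptype"].lower() == "vhub" and not VHUB_EXPECTED:
            hits.append(m["sysip"])
    return hits


# Constructed sample input: one benign login, one untrusted vmanage-admin login,
# one untrusted login for a different user (not in scope for this lead).
SAMPLE_AUTH = [
    "May 15 03:10:02 vmanage sshd[2101]: Accepted publickey for vmanage-admin from 10.1.2.3 port 40011 ssh2: RSA SHA256:aaaa",
    "May 15 03:13:01 vmanage sshd[2222]: Accepted publickey for vmanage-admin from 203.0.113.10 port 41822 ssh2: RSA SHA256:bbbb",
    "May 15 03:14:30 vmanage sshd[2230]: Accepted publickey for admin from 203.0.113.99 port 50000 ssh2: RSA SHA256:cccc",
    "May 15 03:15:00 vmanage sshd[2240]: Failed publickey for vmanage-admin from 203.0.113.10 port 41900 ssh2",
]

# Constructed sample input: a normal vEdge peer, a vHub peer coming up, a vHub going down.
SAMPLE_VDAEMON = [
    "2026-05-15T03:12:40Z vsmart1 VDAEMON: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change peer-type vEdge peer-system-ip 172.16.255.11 state up",
    "2026-05-15T03:12:44Z vsmart1 VDAEMON: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change peer-type vHub peer-system-ip 172.16.255.14 state up",
    "2026-05-15T03:20:01Z vsmart1 VDAEMON: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change peer-type vHub peer-system-ip 172.16.255.14 state down",
]

if __name__ == "__main__":
    for ip, port in hunt_auth_log(SAMPLE_AUTH):
        print(f"[auth] vmanage-admin key login from untrusted {ip}:{port}")
    for sysip in hunt_vdaemon_log(SAMPLE_VDAEMON):
        print(f"[vdaemon] unexpected vHub peer came up: system-ip {sysip}")
```

Run it against the real files by replacing the sample lists with `open("/var/log/auth.log")` and the vdaemon log from the admin-tech bundle; every hit should be reconciled against the change record before it is dismissed, and a vHub peer in a fabric that has none warrants treating the controller as compromised pending the upgrade.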

Technical Artifacts

Please visit Security Center to access the associated technical artifacts.

Threat Object Mapping

Intrusion Set:

  • UAT-8616 (Observed leveraging Operational Relay Box / ORB networks)

Attack Pattern (MITRE ATT&CK):

Tactic | Technique | Technique ID | Associated Threat Activity
Initial Access | Exploit Public-Facing Application | T1190 | Exploitation of CVE-2026-20182 on exposed Cisco Catalyst SD-WAN Controllers/Managers.
Credential Access | Steal Application Access Token | T1528 | Bypassing cryptographic peering handshakes to mint valid session states.
Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Elevating access to a high-privileged administrative account (non-root).
Impact | Network Denial of Service | T1498 | Manipulating the SD-WAN fabric routing via NETCONF to disrupt operations.

Vulnerabilities:

  • CVE-2026-20182: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
  • CVE-2022-20775: Cisco SD-WAN Privilege Escalation (Leveraged as a post-compromise tactic)

Malware/Tool:

  • Unknown

Additional Sources
