
Overview
CVE-2026-20182 carries a CVSSv3.1 score of 10.0 (Critical) and is classified under CWE-287: Improper Authentication. The flaw affects the Cisco Catalyst SD-WAN Controller (formerly vSmart), which serves as the central control plane of Cisco’s SD-WAN overlay fabric.
The vulnerability was discovered by Rapid7 while researchers were investigating CVE-2026-20127, another CVSS 10.0 authentication bypass in the same component that was being actively exploited in the wild by threat actor UAT-8616.
Vulnerability Details
The flaw exists in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager (formerly vManage). Because this mechanism does not validate peers correctly, an unauthenticated, remote attacker can bypass authentication and obtain administrative privileges on the affected system.
The vulnerability specifically affects the vdaemon service running over DTLS on UDP port 12346 — the control-plane peering port used for inter-controller and controller-to-edge communication. This service carries Overlay Management Protocol (OMP) messages including route advertisements, Transport Location (TLOC) tables, and peer state — essentially, the entire SD-WAN overlay routing fabric.
Root cause: The vulnerable code section handles peer certificate validation. The logic contains explicit authentication checks for known pairing combinations (vSmart-to-vSmart, vManage-to-vSmart), but critically has no defined logic or authentication checks if the remote device claims to be a vHub. This causes the targeted appliance to skip certificate verification entirely for the incoming request and register the attacker-controlled device as a legitimate peer.
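To make the root cause concrete, here is an added illustration (hypothetical code, not Cisco's vdaemon source) of the fail-open shape described above: a validation routine with explicit branches for the known pairings and no default branch, beside a default-deny rewrite. Role names, the `PeerHello` type and the `KNOWN_PAIRINGS` table are assumptions for the illustration.

```python
from dataclasses import dataclass

# Pairings the (hypothetical) validation routine knows how to check:
# (claimed remote role, local role).
KNOWN_PAIRINGS = {("vsmart", "vsmart"), ("vmanage", "vsmart")}


@dataclass
class PeerHello:
    claimed_role: str   # role the remote device asserts about itself
    cert_ok: bool       # outcome of verifying its certificate (constructed)


def validate_fail_open(local_role: str, peer: PeerHello) -> bool:
    """Vulnerable shape: an error flag is cleared up front and only the known
    pairings can set it.  A claimed role with no branch (e.g. "vhub") leaves
    the flag clear, so the caller treats the peer as verified."""
    error = None
    if (peer.claimed_role, local_role) in KNOWN_PAIRINGS:
        if not peer.cert_ok:
            error = "certificate verification failed"
    # No else branch: an unknown claimed role skips verification entirely.
    return error is None


def validate_fail_closed(local_role: str, peer: PeerHello) -> bool:
    """Hardened shape: the pairing must be explicitly allowed and the
    certificate must verify; every other case is denied (default-deny)."""
    if (peer.claimed_role, local_role) not in KNOWN_PAIRINGS:
        return False
    return peer.cert_ok


def register_peer(validator, local_role: str, peer: PeerHello) -> str:
    """Decision a peering service would record for this hello."""
    return "registered" if validator(local_role, peer) else "rejected"
```

The code-review lesson is the one the advisory implies: any dispatch on a peer-supplied role must end in an explicit deny, and the "verified" state must be earned by a positive check rather than assumed until an error is raised.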
Despite sharing the same affected service as CVE-2026-20127, this is not a patch bypass. It is a distinct issue located in a similar section of the vdaemon networking stack.
Impact
Successful exploitation allows an attacker to log in to the Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account, and then use that access to reach NETCONF and manipulate network configurations across the entire SD-WAN fabric.
Post-compromise actions observed in the wild include:
- Adding SSH keys
- Modifying NETCONF configurations
- Escalating to root privileges
Affected Products
CVE-2026-20182 impacts Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager in on-premises and SD-WAN Cloud deployments.
Active Exploitation & Threat Actor Attribution
Cisco Talos is tracking active exploitation of CVE-2026-20182 and clusters this activity under UAT-8616 with high confidence — the same highly sophisticated threat actor that previously exploited CVE-2026-20127. UAT-8616’s infrastructure overlaps with an Operational Relay Box (ORB) network.
Cisco noted it became aware of limited exploitation in May 2026 and is urging customers to review logs from any internet-exposed Catalyst SD-WAN Controller systems for unauthorized access or peering events.
Talos is also tracking a separate set of threat actors, distinct from UAT-8616, exploiting a different chain of SD-WAN vulnerabilities (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122) beginning in March 2026. Multiple post-exploitation tooling clusters have been identified, including deployments of the Godzilla webshell, AdaptixC2, Sliver C2, XMRig miners, the KScan asset mapping tool, a NimPlant-based Nim backdoor, and a credential stealer targeting JWT key chunks and admin hashdumps.
KEV Status
CISA has added CVE-2026-20182 to the Known Exploited Vulnerabilities catalog, ordering federal agencies to patch affected devices by May 17, 2026.
Detection Guidance
Review logs for:
- Unexpected or unauthorized SD-WAN peer connections on UDP 12346
- New or unrecognized SSH keys added to vmanage-admin authorized_keys
- NETCONF configuration changes not initiated by authorized administrators
- Unusual outbound connections from SD-WAN controllers to unknown infrastructure
- Presence of Godzilla webshell artifacts, Sliver/AdaptixC2 beacons, or XMRig processes
Organizations should inventory and audit the peer networks that are expected to reach their SD-WAN infrastructure, and review Cisco's SD-WAN hardening guide to restrict controller peering services to known, authorized peer networks only.
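As an added example (not from the advisory, Cisco or Rapid7), two small triage helpers for the first two review items above, run over constructed sample data: the connection-event line format, the authorized peer network and the authorized_keys snapshots are assumptions, not Cisco's native log syntax, so adapt the parsing to whatever export you actually have.

```python
import ipaddress

# Constructed sample records, one connection event per line:
# "<timestamp> <proto> <dst_port> <src_ip>".  Format is assumed, not Cisco's.
PEERING_LOG = """\
2026-05-10T01:02:03Z udp 12346 10.20.0.11
2026-05-10T01:02:09Z udp 12346 10.20.0.12
2026-05-10T03:14:15Z udp 12346 203.0.113.77
2026-05-10T03:14:16Z tcp 443 10.20.0.5
"""

# Assumed baseline: the only networks expected to peer with the controller.
AUTHORIZED_PEER_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def unexpected_peers(log_text: str, peer_port: int = 12346) -> list:
    """Source IPs that reached the DTLS peering port from outside the baseline."""
    hits = []
    for line in log_text.splitlines():
        _ts, proto, port, src = line.split()
        if proto != "udp" or int(port) != peer_port:
            continue
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in AUTHORIZED_PEER_NETS):
            hits.append(src)
    return hits


def _key_material(text: str) -> set:
    # Compare on key type + key body only, so a copied comment field cannot
    # make a new key look like a known one.
    keys = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not line.lstrip().startswith("#"):
            keys.add(" ".join(fields[:2]))
    return keys


def new_ssh_keys(baseline: str, current: str) -> list:
    """authorized_keys entries present now that were absent from the baseline."""
    return sorted(_key_material(current) - _key_material(baseline))


# Constructed authorized_keys snapshots for the vmanage-admin account.
BASELINE_KEYS = "ssh-ed25519 AAAAC3EXAMPLEBASELINEKEY admin@jumphost\n"
CURRENT_KEYS = BASELINE_KEYS + "ssh-rsa AAAAB3EXAMPLEUNKNOWNKEY admin@jumphost\n"

if __name__ == "__main__":
    print("unexpected peers on 12346:", unexpected_peers(PEERING_LOG))
    print("new keys for vmanage-admin:", new_ssh_keys(BASELINE_KEYS, CURRENT_KEYS))
```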
Remediation
Cisco strongly recommends upgrading to a fixed software release, as this is the only way to fully remediate CVE-2026-20182. No workarounds exist.
Affected organizations that cannot immediately patch should ensure strict network access controls are in place around SD-WAN controllers and check audit logs for signs of compromise.
Restrict access to SD-WAN controller and management planes to a dedicated administrative network segment and ensure DTLS port 12346 is not exposed to untrusted networks.
References
- Cisco Security Advisory: cisco-sa-sdwan-rpa2-v69WY2SW
- Rapid7 Research Blog: CVE-2026-20182 Technical Writeup
- Cisco Talos: Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
- CISA KEV Catalog: May 14, 2026 addition