
Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access

Cisco has released updates to address a maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller that it said has been exploited in limited attacks.

The vulnerability, tracked as CVE-2026-20182, carries a CVSS score of 10.0.

“A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system,” Cisco said.

The networking equipment major said the flaw stems from a malfunction of the peering authentication mechanism, which an attacker could exploit by sending crafted requests to the affected system.

A successful exploit could allow the attacker to log in to the Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account, and then weaponize it to access NETCONF and manipulate network configuration for the SD-WAN fabric.

The vulnerability affects the following deployments:

  • On-Prem Deployment
  • Cisco SD-WAN Cloud-Pro
  • Cisco SD-WAN Cloud (Cisco Managed)
  • Cisco SD-WAN for Government (FedRAMP)

According to Rapid7, which discovered CVE-2026-20182, the shortcoming has echoes of CVE-2026-20127 (CVSS score: 10.0), another critical authentication bypass affecting the same component. The latter is said to have been exploited by a threat actor known as UAT-8616 since at least 2023.


“This new authentication bypass vulnerability affects the ‘vdaemon’ service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026-20127,” Rapid7 researchers Jonah Burgess and Stephen Fewer said. “The new vulnerability isn’t a patch bypass of CVE-2026-20127. It’s a different issue located in a similar part of the ‘vdaemon’ networking stack.”

That said, the end result is the same: a remote unauthenticated attacker can abuse CVE-2026-20182 to become an authenticated peer of the target appliance and carry out privileged operations.

Cisco, in its advisory, noted that it became aware of “limited exploitation” of the flaw in May 2026, urging customers to apply the latest updates as soon as possible.

The company also said Catalyst SD-WAN Controller systems that are accessible over the internet and have ports exposed are at elevated risk of compromise. It is recommending that customers audit the “/var/log/auth.log” file for entries related to “Accepted publickey for vmanage-admin” from unknown or unauthorized IP addresses.

Another indicator is the presence of suspicious peering events in the logs, including unauthorized peer connections that occur at unexpected times and originate from unrecognized IP addresses, or involve device types that are inconsistent with the environment’s architecture.
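As an added example (not part of Cisco's advisory or of this article), the following Python script applies the auth.log check described above: it parses standard OpenSSH “Accepted” lines and reports successful public-key logins for the vmanage-admin account from source addresses outside an allowlist. The log lines and the allowlist CIDRs are constructed for illustration; the sshd line format is the standard one, but the hostname, PIDs, addresses and fingerprints are made up.

```python
import ipaddress
import re

# Matches sshd "Accepted <method> for <user> from <ip> port <n>" lines as written
# to /var/log/auth.log by OpenSSH (syslog timestamp, hostname, sshd[pid]).
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_accepted_logins(lines):
    """Yield one dict (ts, method, user, ip) per successful sshd login found."""
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if m:
            yield m.groupdict()


def find_suspicious_vmanage_logins(lines, allowed_cidrs, account="vmanage-admin"):
    """Return successful public-key logins for `account` whose source address
    is not inside any of the allowed networks (or cannot be parsed at all)."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for ev in parse_accepted_logins(lines):
        if ev["user"] != account or ev["method"] != "publickey":
            continue
        try:
            src = ipaddress.ip_address(ev["ip"])
        except ValueError:
            hits.append(ev)  # unparsable source: flag it rather than drop it
            continue
        if not any(src in net for net in allowed):
            hits.append(ev)
    return hits


# Constructed sample log lines (not from a real system); documentation-range IPs.
SAMPLE_LOG = """\
May 12 09:14:02 vmanage sshd[2231]: Accepted publickey for vmanage-admin from 10.0.5.10 port 50122 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
May 12 09:15:40 vmanage sshd[2240]: Failed password for invalid user test from 198.51.100.7 port 40012 ssh2
May 12 11:02:17 vmanage sshd[2310]: Accepted publickey for vmanage-admin from 203.0.113.44 port 51002 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
May 12 11:30:55 vmanage sshd[2350]: Accepted publickey for admin from 203.0.113.44 port 51099 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
""".splitlines()

if __name__ == "__main__":
    # Assumed allowlist: management network only. Adjust to your environment.
    for ev in find_suspicious_vmanage_logins(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f"{ev['ts']}: {ev['user']} via {ev['method']} from {ev['ip']}")
```

On a real appliance, feed it the lines of /var/log/auth.log (including rotated copies) and the CIDRs of the hosts that legitimately administer the controller; any hit is a login to review, not proof of compromise on its own.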
