Mallory
Critical | CISA KEV | Exploited in the wild | 1 public exploit

Authentication Bypass in Cisco Catalyst SD-WAN Controller and Manager

CVE-2026-20182 is a critical improper authentication vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). The flaw is in the control-connection peering authentication/handshake implemented by the vdaemon service over DTLS on UDP/12346. Public reporting indicates the vulnerable logic is in vbond_proc_challenge_ack(), where a peer that identifies itself as a vHub (device_type = 2) can bypass the certificate and trust verification normally applied to other peer types. As a result, an unauthenticated remote attacker can complete the control-plane handshake with crafted requests, be incorrectly marked as an authenticated peer, and log in as an internal high-privileged non-root account. Cisco states that successful exploitation exposes NETCONF access, enabling manipulation of SD-WAN fabric configuration.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. For analysts and engineers who need to decide and keep moving.

Impact

What an attacker gets — and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on the affected SD-WAN control infrastructure. Reported post-exploitation outcomes include becoming a trusted control-plane peer, access as a high-privileged internal non-root account, NETCONF access over SSH, manipulation of routing and SD-WAN fabric configuration, SSH key insertion for persistence, and in observed incidents subsequent escalation to root. Because the affected components manage the SD-WAN control plane, compromise can enable broad downstream control over traffic routing, policy enforcement, segmentation, and access across connected branches, data centers, and cloud edges.

Mitigation

If you can’t patch tonight, do this now.

Cisco states there are no workarounds or configuration-based mitigations that fully prevent exploitation. Interim defensive actions are therefore limited to exposure reduction and compromise assessment: urgently patch internet-exposed controllers and managers; review 'show control connections detail' and 'show control connections-history detail' for anomalous peering events; inspect /var/log/auth.log for unexpected 'Accepted publickey for vmanage-admin' entries; audit /home/vmanage-admin/.ssh/authorized_keys for unauthorized keys; preserve snapshots, logs, and admin-tech bundles before remediation; and apply Cisco SD-WAN hardening guidance. If compromise is suspected, rotate trust material and investigate rogue peers and unauthorized NETCONF changes.
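A triage helper for two of the checks above (the auth.log review for vmanage-admin logins and the authorized_keys audit), added here as an example; it is not Mallory's or Cisco's tooling, and the log lines, key blobs and approved-key allowlist are constructed samples.

```python
import re

# Constructed sample excerpt of /var/log/auth.log (not from a real incident).
SAMPLE_AUTH_LOG = """\
May 14 02:11:09 vmanage sshd[2231]: Accepted password for admin from 10.0.0.5 port 51234 ssh2
May 14 03:47:52 vmanage sshd[2410]: Accepted publickey for vmanage-admin from 203.0.113.77 port 40212 ssh2: ED25519 SHA256:c0nstructedF1ngerpr1nt
May 14 03:48:01 vmanage sshd[2410]: pam_unix(sshd:session): session opened for user vmanage-admin
May 14 09:15:30 vmanage sshd[2899]: Accepted publickey for vmanage-admin from 203.0.113.77 port 40990 ssh2: ED25519 SHA256:c0nstructedF1ngerpr1nt
"""

# Constructed sample of /home/vmanage-admin/.ssh/authorized_keys.
SAMPLE_AUTHORIZED_KEYS = """\
# automation key issued by the network team (constructed)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApprovedKeyBlobConstructed netops-automation
no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnknownKeyBlobConstructed user@unknown-host
"""

# Keys the organisation actually issued for this account (constructed allowlist).
APPROVED_KEYS = {("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIApprovedKeyBlobConstructed")}

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def publickey_logins(log_text, user="vmanage-admin"):
    """Return (timestamp, source) for every 'Accepted publickey' event for `user`."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m and m["user"] == user and m["method"] == "publickey":
            hits.append((m["ts"], m["src"]))
    return hits

def unapproved_keys(authorized_keys_text, approved=APPROVED_KEYS):
    """Return (type, blob, comment) for key lines not in the approved set.
    Handles the optional leading options field (e.g. 'no-pty') and skips comments."""
    found = []
    for line in authorized_keys_text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # malformed line; worth surfacing separately in real use
        key = (parts[idx], parts[idx + 1])
        if key not in approved:
            found.append(key + (" ".join(parts[idx + 2:]),))
    return found
```

Every vmanage-admin publickey login is reported because the page treats any such entry as unexpected; the allowlist comparison is by key material, so a renamed comment on a rogue key does not hide it.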

Remediation

Patch, then assume compromise.

Upgrade all affected Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager deployments to Cisco-fixed software releases. Reported first fixed releases, by affected release train:

20.9: 20.9.9.1
20.10: 20.12.7.1
20.12: 20.12.5.4 / 20.12.6.2 / 20.12.7.1
20.13 and 20.14: 20.15.5.2
20.15: 20.15.4.4 / 20.15.5.2
20.16 and 20.18: 20.18.2.2
26.1.1: 26.1.1.1

Cisco SD-WAN Cloud (Cisco Managed) was addressed in release 20.15.506 with no customer action required for that managed offering. Cisco advises collecting forensic data before upgrading, including running the 'request admin-tech' command on each SD-WAN control component, and opening a TAC case if investigative assistance is needed.

PUBLIC EXPLOITS

Exploits

No valid public exploits: Mallory filtered out the 1 candidate as a fake, a detection script, or a README-only repo.


All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor          Product                      Type
Cisco Systems   Catalyst SD-WAN Controller   application
Cisco Systems   Catalyst SD-WAN Manager      application
Cisco Systems   Sd-Wan Vsmart Controller     application

Vendor-confirmed product mapping. Mallory continuously reconciles against your asset inventory in the product.

ACTIVITY FEED

Recent activity

180 sources tracked across advisories, community write-ups, and news. Mallory keeps watching after this page renders.

resecurity blog (News)
May 18, 2026
Resecurity | CVE-2026-20182: Unauthenticated Cisco SD-WAN Control-Plane Compromise via vHub Authentication Bypass

A critical authentication bypass vulnerability in Cisco Catalyst SD-WAN controllers' vdaemon service that allows a remote unauthenticated attacker to bypass certificate and trust validation during DTLS authentication by posing as a vHub device, potentially gaining trusted control-plane access and persistent privileged access.

scworld (News)
May 15, 2026
10.0 Cisco Catalyst SD-WAN Controller bug added to CISA’s KEV list | news | SC Media

A critical CVSS 10.0 authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller that allows an unauthenticated remote attacker to bypass authentication and gain administrative control of the network control plane.

cyberscoop (News)
May 15, 2026
Cisco zero-day under ongoing attack by persistent threat group | CyberScoop

A max-severity authentication bypass zero-day affecting Cisco Catalyst SD-WAN Controller and Manager that can let an attacker impersonate a trusted router and gain the highest level of administrative access.

socprime blog (News)
May 15, 2026
CVE-2026-20182: Cisco SD-WAN Auth Bypass

A critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager caused by improper peering authentication during the control connection handshake, allowing unauthenticated remote attackers to gain administrative privileges and abuse controller functionality.
