Authentication Bypass in Cisco Catalyst SD-WAN Peering Authentication
CVE-2026-20182 is a critical authentication bypass vulnerability in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller (formerly vSmart), Cisco Catalyst SD-WAN Manager (formerly vManage), and Cisco Catalyst SD-WAN Validator (formerly vBond). According to Cisco, the flaw exists because peering authentication on affected systems does not work properly during control connection handshaking. A remote, unauthenticated attacker can exploit the issue by sending crafted requests to an affected system, allowing the attacker to bypass authentication and log in to the SD-WAN controller as an internal high-privileged, non-root user account. Cisco and third-party reporting describe the resulting access as becoming an authenticated peer of the target appliance, enabling privileged operations. Cisco disclosed this as a separate vulnerability after an earlier related February 2026 disclosure affecting the same general peering-authentication area.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
Repository contains a single substantial Python exploit script, CVE-2026-20182.py, plus README, license, and dependency file. The script is a standalone operational exploit/assessment tool targeting CVE-2026-20182 in Cisco Catalyst SD-WAN Controller/Manager peering authentication. It is not part of a common exploit framework. Core capability: the script performs a custom DTLS-based control-plane handshake against Cisco SD-WAN vdaemon, targeting UDP/12346 by default. It receives a CHALLENGE, sends a crafted CHALLENGE_ACK while impersonating a vHub device type, and attempts to complete the Hello exchange to validate authentication bypass. In full mode, it escalates from bypass validation to exploitation by generating SSH keys, sending a VMANAGE_TO_PEER message to inject a public key, expecting REGISTER_TO_VMANAGE as protocol acknowledgment, and then verifying access as vmanage-admin over TCP/830 NETCONF and optionally TCP/22 SSH. The exploit supports multithreaded scanning, target parsing/merging, fallback domain/site presets ((1,100), (1,1), (0,0)), optional extra UDP ports, and live telemetry. Output is structured into tiered result files: confirmed SSH compromise, injection acknowledged only, and bypass only. Local artifacts include JSONL result files, a summary JSON, a commands text file, and generated private keys under sdwan_keys/. Based on the README and visible code constants, this is more than a detector: it contains exploitation logic and a usable payload path (SSH key injection and login verification). The likely operator workflow is to run check mode for broad screening, then full mode on shortlisted hosts to obtain confirmed authenticated access.
This repository contains two Python exploit implementations for CVE-2026-20182, an authentication bypass affecting Cisco Catalyst SD-WAN Controller/Manager vdaemon peering on UDP/12346. The repository structure is small: a top-level README and license, one standalone PoC at the root (cve-2026-20182-poc.py), and a more complete subdirectory CVE-2026-20182-portbuster1337 containing its own README and a second exploit script. The more credible and technically coherent exploit is CVE-2026-20182-portbuster1337/cve-2026-20182.py. It uses openssl s_client with DTLS 1.2 to connect to the target vdaemon service, waits for a CHALLENGE message, sends a crafted CHALLENGE_ACK claiming device_type=2 (vHub), checks for CHALLENGE_ACK_ACK as evidence of successful bypass, sends HELLO to move the peer into UP state, and then sends a MSG_VMANAGE_TO_PEER message containing an SSH public key buffer. If no key is supplied, it generates an RSA keypair locally and stores the private key at /tmp/cve-2026-20182_key. It can optionally verify post-exploitation access by opening an SSH-based NETCONF session to TCP/830 as vmanage-admin. This script is operational and aligned with the vulnerability description in the included documentation. The root-level cve-2026-20182-poc.py is also an exploit attempt, but it is less faithful to the documented protocol. It generates an SSH keypair, starts a local reverse-shell listener, creates a random AES key, sends an encrypted UDP payload intended to represent the vHub bypass, and then sends a second encrypted payload containing shell commands to append the SSH key to /home/vmanage-admin/.ssh/authorized_keys and launch a bash reverse shell to the attacker. It exposes attacker-controlled listener settings (default 0.0.0.0:4444). However, because the script invents its own AES-CBC wrapping without any demonstrated protocol negotiation or key exchange, it appears less reliable than the subdirectory exploit. 
Overall purpose: demonstrate exploitation of CVE-2026-20182 to gain unauthorized authenticated peer status in Cisco SD-WAN, then leverage that access for persistence and remote administration via injected SSH credentials; one variant additionally attempts interactive shell access via reverse shell. The repository is not part of a known exploit framework.
This repository is a small standalone exploit repo with 2 files: a README describing CVE-2026-20182 and one Python exploit script, cve-2026-20182.py. It is not tied to a major exploit framework. The Python script is the clear entry point and implements an end-to-end network exploit against Cisco Catalyst SD-WAN Controller/Manager systems. The exploit targets the vdaemon DTLS service on UDP/12346. It uses the local openssl CLI as a DTLS transport helper rather than implementing DTLS directly in Python. After the DTLS session is established, the script parses the first received vdaemon message and expects a CHALLENGE (type 8). It then sends a crafted CHALLENGE_ACK using device_type=2 (vHub), exploiting the vulnerable authentication logic described in the README: the vHub code path lacks certificate verification and causes the peer to be marked authenticated. The script checks for a CHALLENGE_ACK_ACK (type 10) as a success indicator, sends a HELLO (type 5) to move the peer into UP state, and finally sends a MSG_VMANAGE_TO_PEER (type 14) containing an attacker-controlled SSH public key. Operationally, the script supports two modes for the SSH key material: it can read an existing public key from a user-supplied file, or it can generate a fresh 2048-bit RSA keypair using the Python cryptography library. When generating a keypair, it stores the private key locally at /tmp/cve-2026-20182_key with mode 0600. The intended post-exploitation effect is persistence and remote access as the vmanage-admin user, with the README explicitly stating that the key is injected into /home/vmanage-admin/.ssh/authorized_keys. The script can optionally verify success by opening an SSH-based NETCONF session to TCP/830 and sending a NETCONF <hello> message. The README also documents ordinary SSH access on TCP/22. Overall, this is a real exploit rather than a detector. 
Its main capability is unauthenticated network compromise of vulnerable Cisco SD-WAN control infrastructure by abusing a protocol-level authentication bypass and converting that access into SSH/NETCONF access via key injection. The code is concise and functional, with hardcoded protocol constants and a fixed post-exploitation action, making it best classified as OPERATIONAL rather than fully weaponized.
Recent activity
A critical Cisco peering authentication vulnerability that may allow remote attackers to bypass authentication and gain administrative privileges.
A Cisco SD-WAN authentication bypass vulnerability referenced as a way attackers could obtain the privileges needed to exploit CVE-2026-20245. It was also likely used in earlier intrusions to establish unauthorized connections.
A Cisco SD-WAN-related vulnerability referenced as a possible zero-day used in prior targeting of the same victim’s SD-WAN Manager systems.
An authentication bypass vulnerability in Cisco Catalyst SD-WAN controllers that was initially considered a possible zero-day vector for unauthorized peering connections, but was later ruled out as the vector for the confirmed connections discussed in the article.