Cisco has released an update to address a maximum-severity authentication bypass flaw in the Catalyst SD-WAN controller that it says has been exploited in a limited number of attacks.
The vulnerability, tracked as CVE-2026-20182, carries a CVSS score of 10.0.
“A vulnerability in peer authentication in the Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and the Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and gain administrative privileges,” Cisco said.
The networking equipment major said the flaw stems from a malfunction of the peering authentication mechanism, which an attacker could exploit by sending crafted requests to the affected system.
A successful exploit could allow an attacker to log into a Cisco Catalyst SD-WAN controller as an internal, high-privileged, non-root user account, and then weaponize it to access NETCONF and manipulate the network configuration for the SD-WAN fabric.
The vulnerability affects the following deployments:
- On-premises deployment
- Cisco SD-WAN Cloud-Pro
- Cisco SD-WAN Cloud (Cisco Managed)
- Cisco SD-WAN for Government (FedRAMP)
According to Rapid7, which discovered CVE-2026-20182, the flaw mirrors CVE-2026-20127 (CVSS score: 10.0), another critical authentication bypass affecting the same component. CVE-2026-20127 is said to have been exploited by a threat actor tracked as UAT-8616 since at least 2023.
“This new authentication bypass vulnerability affects the ‘vdaemon’ service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026-20127,” said Rapid7 researchers Jonah Burgess and Stephen Fewer. “The new vulnerability is not a patch bypass of CVE-2026-20127. It is a separate issue located in the same part of the ‘vdaemon’ networking stack.”
As noted, the end result is the same: a remote unauthenticated attacker can abuse CVE-2026-20182 to impersonate an authenticated peer of the target device and execute privileged operations.
Cisco said in its advisory that it became aware of a “limited exploitation” of the flaw in May 2026, and urged customers to apply the latest updates as soon as possible.
The company also said that Catalyst SD-WAN controller systems that are reachable from the Internet and have open ports are at increased risk of compromise. It is advising customers to audit the “/var/log/auth.log” file for entries showing public-key authentication granted to the vmanage-admin account from an unknown or unauthorized IP address.
Another indicator is the presence of suspicious peering events in the logs, including unauthorized peer connections that occur at unexpected times and originate from unrecognized IP addresses, or involve device types that are incompatible with the architecture of the environment.
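The two log checks above (public-key logins for vmanage-admin from unknown addresses, and logins at unexpected times) as an added example, not code from Cisco or Rapid7: it assumes standard OpenSSH-style auth.log lines, a constructed allowlist of peer addresses, and a 06:00-22:00 expected-hours window.

```python
import ipaddress
import re

# Constructed sample lines in syslog/OpenSSH format (an assumption: the real
# controller log format may differ). Addresses come from documentation ranges;
# 10.1.0.0/24 stands in for the fabric's known controller and manager nodes.
SAMPLE_AUTH_LOG = """\
May 12 02:14:03 vsmart sshd[2201]: Accepted publickey for vmanage-admin from 10.1.0.5 port 41022 ssh2
May 12 03:41:57 vsmart sshd[2388]: Accepted publickey for vmanage-admin from 203.0.113.44 port 51234 ssh2
May 12 09:02:11 vsmart sshd[2510]: Accepted password for admin from 10.1.0.9 port 40011 ssh2
May 12 23:58:40 vsmart sshd[2777]: Accepted publickey for vmanage-admin from 198.51.100.7 port 60120 ssh2
May 13 10:10:10 vsmart sshd[2901]: Accepted publickey for vmanage-admin from 10.1.0.6 port 41888 ssh2
"""

# Addresses that legitimately peer with this node (assumed allowlist).
KNOWN_PEERS = [ipaddress.ip_network("10.1.0.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def is_known_peer(ip: str) -> bool:
    """True if the source address falls inside one of the allowlisted peer networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_PEERS)


def find_suspicious_logins(log_text: str, user: str = "vmanage-admin",
                           expected_hours: range = range(6, 22)) -> list[dict]:
    """Return publickey logins for `user` from an unrecognized address or at an
    unexpected hour, each with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "publickey" or m["user"] != user:
            continue
        hour = int(m["ts"].split()[-1].split(":")[0])
        reasons = []
        if not is_known_peer(m["ip"]):
            reasons.append("unrecognized source address")
        if hour not in expected_hours:
            reasons.append("outside expected hours")
        if reasons:
            findings.append({"ts": m["ts"], "ip": m["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_AUTH_LOG):
        print(f"{f['ts']} {f['ip']}: {', '.join(f['reasons'])}")
```

Tune the allowlist and hours to the fabric being audited; a known peer logging in at an odd hour is still worth a look, which is why that case is reported separately from an unknown source.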