Cisco Catalyst SD-WAN Controller 0-Day Actively Exploited to Gain
A maximum-severity zero-day vulnerability in Cisco Catalyst SD-WAN Controller is actively exploited in the wild. This critical flaw allows unauthenticated remote attackers to fully bypass authentication and seize administrative control of enterprise network infrastructure.
Tracked as CVE-2026-20182 with a CVSS score of 10.0, the flaw puts SD-WAN deployments across on-premises, cloud, and government environments at critical risk.
Cisco Catalyst SD-WAN Controller 0-Day
Discovered by Rapid7 Labs researchers Stephen Fewer and Jonah Burgess while investigating a prior SD-WAN vulnerability (CVE-2026-20127), the new flaw exists in the vdaemon service operating over DTLS on UDP port 12346, the same control-plane peering service exploited in February 2026.
The vulnerability is rooted in a logic gap within the vbond_proc_challenge_ack() function, which performs device-type-specific certificate verification during the control connection handshake.
The authentication logic validates peers that identify as vSmart (type 3), vManage (type 5), and vEdge (type 1) but contains no verification code for vHub (device type 2).
An attacker sending a CHALLENGE_ACK message claiming to be a vHub bypasses all certificate checks, causing the peer authentication flag to be set unconditionally to true.
No valid credentials, no CA-signed certificate, and no knowledge of the target SD-WAN topology are required for exploitation.
According to Rapid7 researchers, the full exploit chain is remarkably streamlined: DTLS handshake with any self-signed certificate → receive CHALLENGE → send CHALLENGE_ACK with device type 2 (vHub) → authentication flag set → send Hello message → peer transitions to UP state as a fully trusted control-plane node.
Once authenticated, the attacker abuses the MSG_VMANAGE_TO_PEER message handler (vbond_proc_vmanage_to_peer()), which appends attacker-controlled SSH public keys directly to /home/vmanage-admin/.ssh/authorized_keys — with no input sanitization.
This converts a transient peering session into persistent, credential-independent SSH access to the NETCONF service on TCP port 830 as the high-privileged vmanage-admin account.
Using this account, an attacker can issue arbitrary NETCONF commands to read and manipulate running network configurations across the entire SD-WAN fabric.
A working Metasploit module demonstrating the vHub authentication bypass and key injection has been developed by Rapid7 and is scheduled for full public release on May 27, 2026.
CVE-2026-20182 affects Cisco Catalyst SD-WAN Controller and SD-WAN Manager regardless of configuration, spanning all deployment types, including On-Prem, SD-WAN Cloud-Pro, Cisco Managed Cloud, and SD-WAN for Government (FedRAMP).
The Cisco Product Security Incident Response Team (PSIRT) confirmed limited active exploitation of the vulnerability in May 2026.
Defenders should audit /var/log/auth.log for entries showing Accepted publickey for vmanage-admin from unauthorized IP addresses.
Administrators should also run show control connections detail or show control connections-history detail from Controller/Manager CLIs, watching for state:up alongside challenge-ack: 0, which indicates a peer was authenticated without completing the challenge handshake.
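As an added detection example (not from the article, Cisco, or Rapid7), the Python below applies both checks to constructed sample data: an allowlist check on OpenSSH "Accepted publickey" lines for vmanage-admin, and a scan of peer entries for state up combined with challenge-ack 0. The simplified control-connections line format and the 10.10.0.0/16 management allowlist are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample sshd lines in standard OpenSSH syslog format (not from a real device).
SAMPLE_AUTH_LOG = """\
May 20 10:01:02 vmanage sshd[1201]: Accepted publickey for vmanage-admin from 10.10.0.5 port 52110 ssh2: ED25519 SHA256:AAAA
May 20 10:05:44 vmanage sshd[1304]: Accepted publickey for vmanage-admin from 203.0.113.77 port 41002 ssh2: RSA SHA256:BBBB
May 20 10:06:10 vmanage sshd[1310]: Accepted password for admin from 10.10.0.9 port 50001 ssh2
"""

# Constructed, simplified rendering of the per-peer fields the article names
# (state and challenge-ack); the real `show control connections detail` layout
# differs, so adjust PEER_RE to your platform's output before use.
SAMPLE_CONTROL_CONNECTIONS = """\
peer-type: vsmart  system-ip: 10.1.1.2  state: up       challenge-ack: 1
peer-type: vhub    system-ip: 10.1.1.9  state: up       challenge-ack: 0
peer-type: vedge   system-ip: 10.1.1.5  state: connect  challenge-ack: 0
"""

ACCEPTED_KEY_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
PEER_RE = re.compile(
    r"peer-type:\s*(?P<ptype>\S+)\s+system-ip:\s*(?P<ip>\S+)\s+"
    r"state:\s*(?P<state>\S+)\s+challenge-ack:\s*(?P<ack>\d)")

def suspicious_key_logins(log_text, expected_nets, user="vmanage-admin"):
    """Return [(ip, line)] for public-key logins as `user` from outside expected_nets."""
    nets = [ip_network(n) for n in expected_nets]
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_KEY_RE.search(line)
        if not m or m.group("user") != user:
            continue
        ip = ip_address(m.group("ip"))
        if not any(ip in net for net in nets):
            hits.append((str(ip), line))
    return hits

def peers_up_without_challenge(cli_text):
    """Return [(peer_type, system_ip)] for peers in UP state whose challenge-ack is 0."""
    flagged = []
    for line in cli_text.splitlines():
        m = PEER_RE.search(line)
        if m and m.group("state") == "up" and m.group("ack") == "0":
            flagged.append((m.group("ptype"), m.group("ip")))
    return flagged
```

Run suspicious_key_logins against the device's /var/log/auth.log with your own management networks, and peers_up_without_challenge against the captured CLI output; any hit from either warrants the admin-tech collection described below before remediation.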
Indicators of Compromise (IOC)
| IOC Type | Value / Description |
|---|---|
| Log File | /var/log/auth.log |
| Suspicious Entry | Accepted publickey for vmanage-admin from unknown IP |
| Injected File | /home/vmanage-admin/.ssh/authorized_keys (unauthorized key appended) |
| Suspicious Port | DTLS UDP/12346 (vdaemon), TCP/830 (NETCONF SSH) |
| CVE | CVE-2026-20182 |
| CVSS Score | 10.0 (Critical) |
| CWE | CWE-287: Improper Authentication |
Cisco has confirmed there are no workarounds for this vulnerability — patching is the only remediation.
Before upgrading, customers must run the request admin-tech command on all control components to preserve potential forensic evidence of compromise.
Key fixed releases include 20.12.5.4 / 20.12.6.2 / 20.12.7.1 for the 20.12 branch, 20.15.4.4 / 20.15.5.2 for 20.15, 20.18.2.2 for 20.18, and 26.1.1.1 for the 26.1 branch.
Releases earlier than 20.9, as well as versions 20.10, 20.11, 20.13, 20.14, and 20.16, have reached end-of-software maintenance and must migrate to a supported fixed release.