Cisco SD-WAN Controller Zero-Day Actively Exploited for Admin Access

Emy Elsamnoudy
May 15, 2026

Key Takeaways

  • A critical zero-day vulnerability in Cisco Catalyst SD-WAN Controller and SD-WAN Manager is under active exploitation.
  • The flaw, tracked as CVE-2026-20182, allows unauthenticated remote attackers to gain full administrative access.
  • The vulnerability affects all deployment types of Cisco SD-WAN and carries a maximum CVSS score of 10.0.
  • No workarounds exist; immediate patching to a fixed software release is the only remediation.

A severe zero-day vulnerability impacting Cisco Catalyst SD-WAN Controller and SD-WAN Manager is being actively exploited in the wild, enabling unauthenticated remote attackers to completely bypass authentication and seize administrative control over enterprise network infrastructure. This critical flaw poses a significant risk to SD-WAN deployments across various environments, including on-premises, cloud-hosted, and government systems.

The Critical Flaw: CVE-2026-20182

Designated as CVE-2026-20182 and carrying a maximum CVSS score of 10.0, this vulnerability was uncovered by Stephen Fewer and Jonah Burgess, researchers at Rapid7 Labs. Their discovery occurred during an investigation into a separate, previously identified SD-WAN vulnerability (CVE-2026-20127). The newly identified flaw resides within the vdaemon service, which operates over DTLS on UDP port 12346 – the same control-plane peering service that was targeted in February 2026.

The root cause of the vulnerability is a logical flaw within the vbond_proc_challenge_ack() function. This function is responsible for performing device-type-specific certificate verification during the control connection handshake process. While the authentication logic correctly validates peers identifying as vSmart (type 3), vManage (type 5), and vEdge (type 1), it critically lacks any verification code for device type 2, known as vHub.

This oversight allows an attacker to send a CHALLENGE_ACK message, falsely claiming to be a vHub. By doing so, they bypass all certificate checks, leading to the unconditional setting of the peer authentication flag to true. Exploiting this vulnerability requires no valid credentials, no CA-signed certificate, and no prior knowledge of the target SD-WAN topology.
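The fail-open pattern described above, modelled in Python as an added illustration (this is not Cisco's vdaemon code; the Peer class, the _verify_cert stand-in and the two function names are assumptions, while the device-type numbers are the ones named in the article). The vulnerable dispatch sits beside a fail-closed version so the missing default-deny is visible:

```python
# Illustrative model of the fail-open dispatch the article describes; this is
# not Cisco's vdaemon code. Device-type numbers are the ones named above.
from dataclasses import dataclass

VEDGE, VHUB, VSMART, VMANAGE = 1, 2, 3, 5


@dataclass
class Peer:
    device_type: int
    cert_signed_by_ca: bool  # constructed stand-in for the certificate checks
    authenticated: bool = False


def _verify_cert(peer: Peer) -> bool:
    # Stand-in for per-type certificate verification: each real branch requires
    # a CA-signed certificate; here that collapses to one boolean.
    return peer.cert_signed_by_ca


def proc_challenge_ack_vulnerable(peer: Peer) -> bool:
    """Fail-open: a device type with no branch skips every check, and the
    authentication flag is still set unconditionally afterwards."""
    if peer.device_type == VSMART:
        if not _verify_cert(peer):
            return False
    elif peer.device_type == VMANAGE:
        if not _verify_cert(peer):
            return False
    elif peer.device_type == VEDGE:
        if not _verify_cert(peer):
            return False
    # No branch for VHUB (type 2): execution falls through with nothing checked.
    peer.authenticated = True
    return True


def proc_challenge_ack_fixed(peer: Peer) -> bool:
    """Fail-closed: every accepted type maps to an explicit verifier, unknown
    types are rejected, and the flag is set only after a check has passed."""
    verifiers = {VSMART: _verify_cert, VMANAGE: _verify_cert,
                 VEDGE: _verify_cert, VHUB: _verify_cert}
    check = verifiers.get(peer.device_type)
    if check is None or not check(peer):
        peer.authenticated = False
        return False
    peer.authenticated = True
    return True
```

The model reduces the per-type certificate logic to a single boolean; the point it preserves is that authentication state must be derived from a passed check, never assigned after an if-chain that can be skipped.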

Exploitation Chain and Persistent Access

According to Rapid7 researchers, the exploit chain is remarkably straightforward: an attacker initiates a DTLS handshake using any self-signed certificate, receives a CHALLENGE message, then sends a CHALLENGE_ACK message with device type 2 (vHub). This action immediately sets the authentication flag. Subsequently, sending a Hello message allows the peer to transition to an “UP” state, establishing it as a fully trusted control-plane node.

Once authenticated, the attacker leverages the MSG_VMANAGE_TO_PEER message handler (vbond_proc_vmanage_to_peer()) to append attacker-controlled SSH public keys directly to the /home/vmanage-admin/.ssh/authorized_keys file. Crucially, this process lacks input sanitization, enabling the injection of malicious keys. This transforms a transient peering session into persistent, credential-independent SSH access to the NETCONF service on TCP port 830, under the highly privileged vmanage-admin account.

With access to the vmanage-admin account, an attacker can issue arbitrary NETCONF commands, allowing them to read and manipulate the running network configurations across the entire SD-WAN fabric. Rapid7 has developed a working Metasploit module demonstrating both the vHub authentication bypass and the key injection technique, with a public release scheduled for May 27, 2026.

Affected Products and Active Exploitation

CVE-2026-20182 impacts Cisco Catalyst SD-WAN Controller and SD-WAN Manager irrespective of their specific configuration. This includes all deployment types: On-Prem, SD-WAN Cloud-Pro, Cisco Managed Cloud, and SD-WAN for Government (FedRAMP). In May 2026, the Cisco Product Security Incident Response Team (PSIRT) confirmed that the vulnerability is under limited active exploitation.

Indicators of Compromise (IOCs)

IOC Type          Value / Description
Log File          /var/log/auth.log
Suspicious Entry  Accepted publickey for vmanage-admin from unknown IP
Injected File     /home/vmanage-admin/.ssh/authorized_keys (unauthorized key appended)
Suspicious Port   DTLS UDP/12346 (vdaemon), TCP/830 (NETCONF SSH)
CVE               CVE-2026-20182
CVSS Score        10.0 (Critical)
CWE               CWE-287: Improper Authentication

What You Should Do

Cisco has confirmed that no workarounds exist for this critical vulnerability, making patching the only effective remediation. Defenders should take the following immediate actions:

  • Patch Immediately: Upgrade all affected Cisco Catalyst SD-WAN Controller and SD-WAN Manager instances to a fixed software release. Key fixed releases include 20.12.5.4 / 20.12.6.2 / 20.12.7.1 for the 20.12 branch, 20.15.4.4 / 20.15.5.2 for 20.15, 20.18.2.2 for 20.18, and 26.1.1.1 for the 26.1 branch.
  • Migrate Unsupported Versions: If running releases older than 20.9, or versions 20.10, 20.11, 20.13, 20.14, and 20.16, which have reached end-of-software maintenance, migrate to a supported and fixed release without delay.
  • Preserve Forensic Evidence: Before initiating any upgrade, execute the request admin-tech command on all control components to ensure potential forensic evidence of compromise is preserved.
  • Audit Logs for Compromise: Regularly audit /var/log/auth.log for any entries indicating Accepted publickey for vmanage-admin originating from unauthorized or suspicious IP addresses.
  • Check Control Connections: From the Controller/Manager CLIs, run show control connections detail or show control connections-history detail. Look for instances where state:up is present alongside challenge-ack: 0, which signifies that a peer was authenticated without successfully completing the challenge handshake, an indicator of this specific bypass.
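The two log-based checks in the list above (unexpected vmanage-admin key logins in /var/log/auth.log, and control connections that are up with challenge-ack 0), as an added Python example that is not part of the article or of Cisco's tooling. The sample log lines are constructed, and the key: value layout of the control-connection output is an assumption rather than Cisco's exact rendering:

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines (not real captures); the control-connection
# layout is an assumed key: value rendering, not Cisco's exact output.
AUTH_LOG = """\
May 15 03:12:44 manager sshd[2210]: Accepted publickey for vmanage-admin from 10.1.1.5 port 51022 ssh2: RSA SHA256:AAAA
May 15 03:40:09 manager sshd[2377]: Accepted publickey for vmanage-admin from 203.0.113.77 port 44190 ssh2: ED25519 SHA256:BBBB
May 15 03:41:00 manager sshd[2380]: Failed password for admin from 198.51.100.9 port 40000 ssh2
"""

CONTROL_CONNECTIONS = """\
peer-type: vsmart  site-id: 100  state:up       challenge-ack: 1  peer-ip: 10.1.1.2
peer-type: vhub    site-id: 0    state:up       challenge-ack: 0  peer-ip: 203.0.113.77
peer-type: vedge   site-id: 12   state:connect  challenge-ack: 0  peer-ip: 10.1.2.9
"""

_LOGIN = re.compile(r"Accepted publickey for vmanage-admin from (\S+)")
_KV = re.compile(r"([\w-]+):\s*(\S+)")


def suspicious_admin_logins(log_text, trusted_cidrs):
    """Return source IPs of vmanage-admin key logins outside the trusted ranges."""
    trusted = [ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_text.splitlines():
        m = _LOGIN.search(line)
        if not m:
            continue
        src = ip_address(m.group(1))
        if not any(src in net for net in trusted):
            hits.append(str(src))
    return hits


def bypassed_peers(show_output):
    """Return control connections that are up although the challenge handshake
    was never completed (challenge-ack 0): the indicator the guidance points at."""
    flagged = []
    for line in show_output.splitlines():
        fields = dict(_KV.findall(line))
        if fields.get("state") == "up" and fields.get("challenge-ack") == "0":
            flagged.append(fields)
    return flagged


if __name__ == "__main__":
    print(suspicious_admin_logins(AUTH_LOG, ["10.0.0.0/8"]))
    print([p["peer-ip"] for p in bypassed_peers(CONTROL_CONNECTIONS)])
```

Feed the real auth.log and the saved show output in place of the constructed strings, and pass the CIDRs from which administrative SSH is actually expected.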
