Cisco SD-WAN Controller Zero-Day Actively Exploited for Admin Access
Key Takeaways
- A critical zero-day vulnerability in Cisco Catalyst SD-WAN Controller and SD-WAN Manager is under active exploitation.
- The flaw, tracked as CVE-2026-20182, allows unauthenticated remote attackers to gain full administrative access.
- The vulnerability affects all deployment types of Cisco SD-WAN and carries a maximum CVSS score of 10.0.
- No workarounds exist; immediate patching to a fixed software release is the only remediation.
A severe zero-day vulnerability impacting Cisco Catalyst SD-WAN Controller and SD-WAN Manager is being actively exploited in the wild, enabling unauthenticated remote attackers to completely bypass authentication and seize administrative control over enterprise network infrastructure. This critical flaw poses a significant risk to SD-WAN deployments across various environments, including on-premises, cloud-hosted, and government systems.
The Critical Flaw: CVE-2026-20182
Designated as CVE-2026-20182 and carrying a maximum CVSS score of 10.0, this vulnerability was uncovered by Stephen Fewer and Jonah Burgess, researchers at Rapid7 Labs. They found it while investigating a separate, previously identified SD-WAN vulnerability (CVE-2026-20127). The newly identified flaw resides within the vdaemon service, which operates over DTLS on UDP port 12346, the same control-plane peering service that was targeted in February 2026.
The root cause of the vulnerability is a logical flaw within the vbond_proc_challenge_ack() function. This function is responsible for performing device-type-specific certificate verification during the control connection handshake process. While the authentication logic correctly validates peers identifying as vSmart (type 3), vManage (type 5), and vEdge (type 1), it critically lacks any verification code for device type 2, known as vHub.
This oversight allows an attacker to send a CHALLENGE_ACK message, falsely claiming to be a vHub. By doing so, they bypass all certificate checks, leading to the unconditional setting of the peer authentication flag to true. Exploiting this vulnerability requires no valid credentials, no CA-signed certificate, and no prior knowledge of the target SD-WAN topology.
Exploitation Chain and Persistent Access
According to Rapid7 researchers, the exploit chain is remarkably straightforward: an attacker initiates a DTLS handshake using any self-signed certificate, receives a CHALLENGE message, then sends a CHALLENGE_ACK message with device type 2 (vHub). This action immediately sets the authentication flag. Subsequently, sending a Hello message allows the peer to transition to an “UP” state, establishing it as a fully trusted control-plane node.
Once authenticated, the attacker leverages the MSG_VMANAGE_TO_PEER message handler (vbond_proc_vmanage_to_peer()) to append attacker-controlled SSH public keys directly to the /home/vmanage-admin/.ssh/authorized_keys file. Crucially, this process lacks input sanitization, enabling the injection of malicious keys. This transforms a transient peering session into persistent, credential-independent SSH access to the NETCONF service on TCP port 830, under the highly privileged vmanage-admin account.
With access to the vmanage-admin account, an attacker can issue arbitrary NETCONF commands, allowing them to read and manipulate the running network configurations across the entire SD-WAN fabric. Rapid7 has developed a working Metasploit module demonstrating both the vHub authentication bypass and the key injection technique, with a public release scheduled for May 27, 2026.
Affected Products and Active Exploitation
CVE-2026-20182 impacts Cisco Catalyst SD-WAN Controller and SD-WAN Manager irrespective of their specific configuration. This includes all deployment types: On-Prem, SD-WAN Cloud-Pro, Cisco Managed Cloud, and SD-WAN for Government (FedRAMP). In May 2026, the Cisco Product Security Incident Response Team (PSIRT) confirmed that the vulnerability is under limited active exploitation.
Indicators of Compromise (IOCs)
| IOC Type | Value / Description |
|---|---|
| Log File | /var/log/auth.log |
| Suspicious Entry | Accepted publickey for vmanage-admin from unknown IP |
| Injected File | /home/vmanage-admin/.ssh/authorized_keys (unauthorized key appended) |
| Suspicious Port | DTLS UDP/12346 (vdaemon), TCP/830 (NETCONF SSH) |
| CVE | CVE-2026-20182 |
| CVSS Score | 10.0 (Critical) |
| CWE | CWE-287: Improper Authentication |
What You Should Do
Cisco has confirmed that no workarounds exist for this critical vulnerability, making patching the only effective remediation. Defenders should take the following immediate actions:
- Patch Immediately: Upgrade all affected Cisco Catalyst SD-WAN Controller and SD-WAN Manager instances to a fixed software release. Key fixed releases include 20.12.5.4 / 20.12.6.2 / 20.12.7.1 for the 20.12 branch, 20.15.4.4 / 20.15.5.2 for 20.15, 20.18.2.2 for 20.18, and 26.1.1.1 for the 26.1 branch.
- Migrate Unsupported Versions: If running releases older than 20.9, or versions 20.10, 20.11, 20.13, 20.14, and 20.16, which have reached end-of-software maintenance, migrate to a supported and fixed release without delay.
- Preserve Forensic Evidence: Before initiating any upgrade, execute the `request admin-tech` command on all control components to ensure potential forensic evidence of compromise is preserved.
- Audit Logs for Compromise: Regularly audit `/var/log/auth.log` for any entries indicating `Accepted publickey for vmanage-admin` originating from unauthorized or suspicious IP addresses.
- Check Control Connections: From the Controller/Manager CLIs, run `show control connections detail` or `show control connections-history detail`. Look for instances where `state: up` is present alongside `challenge-ack: 0`, which signifies that a peer was authenticated without successfully completing the challenge handshake, an indicator of this specific bypass.
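The three detection checks above (auth.log entries, the `authorized_keys` file, and peers that reached `state: up` with `challenge-ack: 0`) can be scripted against exported artifacts. The following Python is an added example written for this page; it is not code from Cisco, Rapid7 or HackersRadar. The trusted management network, the baseline key list, the sample log lines, the sample `authorized_keys` content and the key/value layout of the `show control connections detail` output are all assumptions or constructed data; in particular the CLI output layout is assumed to be `key: value` lines separated by blank lines per peer, so adapt `peers_authenticated_without_challenge()` to the real output if it differs.

```python
import ipaddress
import re

# Assumption: management networks from which vmanage-admin key logins are expected.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Assumption: the keys that are supposed to be in authorized_keys, recorded as
# (key type, base64 blob) pairs taken from a known-good baseline of the device.
BASELINE_KEYS = {
    ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIBASELINEKEY00000000000000000000000"),
}

# Constructed sample auth.log lines in OpenSSH format (not captured from a real device).
SAMPLE_AUTH_LOG = """\
May 20 10:02:11 vmanage sshd[2231]: Accepted publickey for vmanage-admin from 10.0.0.15 port 51022 ssh2: ED25519 SHA256:aaa
May 20 10:05:43 vmanage sshd[2290]: Accepted password for admin from 10.0.0.9 port 51100 ssh2
May 20 11:17:08 vmanage sshd[2411]: Accepted publickey for vmanage-admin from 203.0.113.77 port 40122 ssh2: RSA SHA256:bbb
"""

# Constructed sample authorized_keys content: one baseline key plus one unexpected key.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBASELINEKEY00000000000000000000000 ops-jumphost
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQUNEXPECTEDKEY000000000000000000 unknown@example
"""

# Constructed sample modelled on the fields the article names; the real CLI layout may differ.
SAMPLE_CONTROL_CONNECTIONS = """\
peer-type: vsmart
system-ip: 10.1.1.5
state: up
challenge-ack: 1

peer-type: vhub
system-ip: 192.0.2.200
state:up
challenge-ack: 0
"""

AUTH_RE = re.compile(r"Accepted publickey for vmanage-admin from (\S+) port \d+")


def suspicious_logins(log_text: str) -> list[str]:
    """Return source addresses of vmanage-admin key logins outside the trusted networks."""
    hits = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        src = m.group(1)
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            hits.append(src)  # hostnames or garbage are worth a look too
            continue
        if not any(ip in net for net in TRUSTED_ADMIN_NETS):
            hits.append(str(ip))
    return hits


def _key_identity(line: str):
    """Extract (type, blob) from an authorized_keys line, skipping any leading options."""
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            return (field, fields[i + 1])
    return None


def unexpected_keys(authorized_keys_text: str, baseline=BASELINE_KEYS) -> list[str]:
    """Return authorized_keys lines whose key is not in the known-good baseline."""
    found = []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _key_identity(line) not in baseline:
            found.append(line)
    return found


def peers_authenticated_without_challenge(cli_output: str) -> list[dict]:
    """Return peers that are 'up' although challenge-ack is 0 (the bypass indicator)."""
    peers, current = [], {}
    for raw in cli_output.splitlines() + [""]:   # trailing "" flushes the last block
        line = raw.strip()
        if not line:
            if current:
                peers.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip().lower()] = value.strip().lower()
    return [p for p in peers if p.get("state") == "up" and p.get("challenge-ack") == "0"]


def run_checks(auth_log=SAMPLE_AUTH_LOG, keys=SAMPLE_AUTHORIZED_KEYS,
               control=SAMPLE_CONTROL_CONNECTIONS) -> dict:
    """Run all three checks and collect findings for review."""
    return {
        "suspicious_logins": suspicious_logins(auth_log),
        "unexpected_keys": unexpected_keys(keys),
        "peers_without_challenge": peers_authenticated_without_challenge(control),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, findings)
```

Run it against files exported from the `request admin-tech` bundle rather than on the live controller, so the checks do not modify anything on a device that may need forensic preservation. An empty result from all three checks is only as good as the baseline and allowlist you feed in, so refresh `BASELINE_KEYS` from a trusted source, not from the device under investigation.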
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.