
Cisco SD-WAN Authentication Bypass (CVSS 10.0): CVE-2026-20182

Technical analysis of the critical authentication bypass in Cisco Catalyst SD-WAN Controller/Manager (CVE-2026-20182).

May 20, 2025, 4:00 AM | High confidence
Auth Bypass CISA KEV CVE-2026-20182 CVSS 10.0 Cisco SD-WAN

Affected ecosystems: firmware

Executive Summary

CVE-2026-20182 is a maximum-severity (CVSS 10.0) authentication bypass vulnerability in Cisco Catalyst SD-WAN. It affects the core control-plane service, vdaemon, allowing unauthenticated attackers to hijack the SD-WAN fabric. The flaw is actively exploited and listed in the CISA KEV catalog.

Analyst Assessment

The vulnerability is a critical failure in the DTLS handshake logic. By simply claiming to be a 'vHub' (device type 2), an attacker can force the system to skip certificate validation. This is a trivial bypass with catastrophic consequences, as it allows subsequent injection of administrative credentials (SSH keys). The active exploitation status reinforces the need for immediate patching.

Impact

Successful exploitation grants unauthenticated remote attackers full administrative control over the SD-WAN fabric. Attackers can inject SSH keys into the vmanage-admin account, allowing them to intercept traffic, modify network configurations, and potentially pivot to all connected branch devices.

Exploitation Status

Actively exploited. CISA has added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog as of May 20, 2026.

Defender Guidance

Organizations must apply Cisco's security patches immediately. As an interim mitigation, restrict access to UDP port 12346 to known peer IP addresses only. Audit control connections using 'show control connections' for unauthorized vHub entries.

Technical Analysis

Attack Overview

A maximum-severity authentication bypass vulnerability (CVE-2026-20182) has been identified in the Cisco Catalyst SD-WAN Controller and Manager. With a CVSS score of 10.0, this flaw allows unauthenticated remote attackers to establish trusted control-plane connections, leading to full administrative takeover of the SD-WAN fabric. The vulnerability is currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

Step-by-Step Execution

Exploitation follows a specific sequence within the DTLS control plane:

  1. Initiation: The attacker initiates a DTLS handshake with the target Cisco SD-WAN Controller/Manager on UDP port 12346.
  2. Challenge: The target system issues an authentication challenge.
  3. Spoofing: The attacker responds with a crafted CHALLENGE_ACK packet, explicitly setting the device type field to 2 (vHub).
  4. Bypass: The vdaemon service skips certificate validation based on the device type and establishes an authenticated session.
  5. Impact: Using the established session, the attacker sends VMANAGE_TO_PEER messages to inject an SSH public key into the vmanage-admin account, granting persistent root-level access.

Code-Level Mechanics

The vulnerability resides in the vdaemon service, which listens on UDP port 12346 and manages DTLS control-plane communications between SD-WAN components.

The flaw is a fundamental logic error in the peering authentication process. During the DTLS handshake challenge-response phase, if a connecting peer identifies itself as a 'vHub' (device type 2), the service fails to perform mandatory certificate verification. This oversight allows an unauthenticated attacker to bypass the entire security handshake and establish what the system considers a "trusted" connection.

Payload Behavior

While the exact payload binary is not public, the primary payload behavior involves the transmission of a crafted CHALLENGE_ACK packet. This packet contains a specific bitmask or field identifying the device as a 'vHub'. Once the trusted session is established, the attacker uses VMANAGE_TO_PEER protocol messages to manipulate the file system or configuration database, specifically targeting the SSH authorized keys of the vmanage-admin account.

Detection Opportunities

Defenders should prioritize the following telemetry and audit steps:

  • Control Connection Audit: Execute show control connections and investigate any unexpected vHub device entries or connections from unknown IP addresses.
  • Log Monitoring: Monitor system logs for unauthorized SSH key additions to the vmanage-admin account.
  • DTLS Analysis: Analyze DTLS handshake logs for unusual peering attempts or spoofed device identifiers.
  • Network Filtering: Restrict access to UDP port 12346 strictly to known, authorized peer IP addresses.

Evidence Gaps

Currently, there is no publicly available proof-of-concept (PoC) code for the packet crafting. Additionally, the specific version numbers of the vdaemon binary that first introduced this logic error are not fully documented in the public advisory, though all recent versions are assumed vulnerable until patched. The full range of VMANAGE_TO_PEER commands available to an unauthenticated peer is also not publicly enumerated.

# Detection via CLI
show control connections | match vHub

Vulnerabilities

CVE-2026-20182

A logic error in the DTLS authentication process of the Cisco SD-WAN vdaemon service allows unauthenticated remote attackers to bypass certificate validation by spoofing a vHub device type.

CVSS 10.0

Indicators of Compromise (IOCs)

Type      | Indicator                  | Example                                  | Notes
Package   | firmware                   | Cisco Catalyst SD-WAN Controller         | Affected: All versions prior to May 2026 patch
Package   | firmware                   | Cisco Catalyst SD-WAN Manager            | Affected: All versions prior to May 2026 patch
Package   | firmware                   | Cisco Catalyst SD-WAN vBond Orchestrator | Affected: All versions prior to May 2026 patch
port      | Other Technical Indicators | UDP/12346                                | Control plane DTLS port used by vdaemon for peering
indicator | Other Technical Indicators | vHub device type 2 spoofing              | Exploit primitive used to bypass DTLS certificate verification

Detection Opportunities

Unauthorized SSH Key Addition to vmanage-admin

log_query
Monitor system logs for strings like 'SSH key added' or 'authorized_keys modified' associated with the 'vmanage-admin' user account.

False positives: Legitimate administrative updates will trigger this. Filter against known maintenance windows and authorized change requests.
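The log-monitoring rule above (and the "Log Monitoring" bullet under Detection Opportunities) can be turned into a simple scanner that also applies the false-positive filter the rule recommends. The following is an added example, not code from the advisory or from Cisco: the log line format, the hypothetical change-request IDs, the maintenance window and the user names are all constructed, since the real message text varies by platform and version. The scanner reports every SSH key change to vmanage-admin unless it falls inside an approved maintenance window and is tied to an approved change request.

```python
import re
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed syslog-style lines. Real message text varies by platform and
# version; the patterns below follow the strings the rule says to monitor.
SAMPLE_LOGS = [
    "2026-05-19T22:05:11Z vmanage sshd: SSH key added for user vmanage-admin by netops-jsmith change=CHG-4471",
    "2026-05-20T03:14:02Z vmanage audit: authorized_keys modified for user vmanage-admin by vmanage-admin",
    "2026-05-20T03:15:40Z vmanage sshd: SSH key added for user vmanage-admin by vmanage-admin",
    "2026-05-20T09:00:00Z vmanage sshd: SSH key added for user netops-ro by netops-jsmith change=CHG-4480",
]

# Hypothetical change-management context (constructed): one approved change
# request and one maintenance window on the evening of 19 May.
APPROVED_CHANGES: Set[str] = {"CHG-4471"}
MAINTENANCE_WINDOWS: List[Tuple[datetime, datetime]] = [
    (datetime(2026, 5, 19, 22, 0, 0), datetime(2026, 5, 19, 23, 0, 0)),
]

# Matches both message variants named in the rule; the trailing change=... tag
# is an assumed convention for tying a change to a ticket.
KEY_CHANGE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+: (?P<event>SSH key added|authorized_keys modified) "
    r"for user (?P<target>\S+) by (?P<actor>\S+)(?: change=(?P<change>\S+))?$"
)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_unauthorized_key_changes(
    lines: List[str],
    windows: List[Tuple[datetime, datetime]],
    approved: Set[str],
    monitored_user: str = "vmanage-admin",
) -> List[Dict[str, str]]:
    """Return SSH key changes to monitored_user that are not covered by an
    approved change request inside a maintenance window."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = KEY_CHANGE.match(line)
        if not m or m.group("target") != monitored_user:
            continue
        ts = parse_ts(m.group("ts"))
        change = m.group("change")
        in_window = any(start <= ts <= end for start, end in windows)
        if in_window and change in approved:
            continue  # authorized: scheduled work tied to an approved ticket
        findings.append({
            "timestamp": m.group("ts"),
            "event": m.group("event"),
            "actor": m.group("actor"),
            "change": change or "",
            "reason": "outside maintenance window" if not in_window
                      else "no approved change request",
        })
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_key_changes(SAMPLE_LOGS, MAINTENANCE_WINDOWS, APPROVED_CHANGES):
        print(f"ALERT {f['timestamp']} {f['event']} by {f['actor']} ({f['reason']})")
```

In the constructed sample the two 03:14 and 03:15 events are reported and both were performed by the vmanage-admin account itself with no change reference, which is the pattern the advisory's impact section describes; the 22:05 change is suppressed because it sits inside the window and carries an approved ticket.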

Control Connection Audit

network_query
show control connections | match vHub

False positives: Will show legitimate vHub connections. Cross-reference with inventory of authorized vHub devices.
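The control connection audit described here and in the "Control Connection Audit" bullet under Detection Opportunities is a two-step check: filter show control connections for vHub peers, then cross-reference each one against the inventory. The following is an added example, not code from the advisory or from Cisco, that performs both steps over captured command output. The column layout of the sample output is an assumption approximating the command's tabular format, the 'vHub' peer type label follows the advisory text, and the authorized-IP inventory is constructed.

```python
from dataclasses import dataclass
from typing import List, Set

# Constructed sample of 'show control connections' output. The column order is
# an assumption approximating the real tabular layout. Two vHub rows are
# included: one present in inventory, one from an unknown public address.
SAMPLE_OUTPUT = """\
PEER    PEER PEER            SITE  DOMAIN PEER           PEER  PEER           PEER  LOCAL    PROXY STATE UPTIME
TYPE    PROT SYSTEM IP       ID    ID     PRIVATE IP     PORT  PUBLIC IP      PORT  COLOR
--------------------------------------------------------------------------------------------------------------
vsmart  dtls 10.1.0.2        100   1      10.0.12.22     12346 10.0.12.22     12346 default  No    up    0:02:21:44
vbond   dtls 0.0.0.0         0     0      10.0.12.26     12346 10.0.12.26     12346 default  -     up    0:02:22:05
vHub    dtls 10.1.0.50       200   1      10.0.12.50     12346 10.0.12.50     12346 default  No    up    5:11:03:10
vHub    dtls 10.1.0.99       0     1      203.0.113.77   12346 203.0.113.77   12346 default  No    up    0:00:04:12
"""

# Hypothetical inventory of authorized vHub public IPs (constructed).
AUTHORIZED_VHUB_IPS: Set[str] = {"10.0.12.50"}


@dataclass
class ControlConnection:
    peer_type: str
    protocol: str
    system_ip: str
    site_id: str
    private_ip: str
    public_ip: str
    public_port: str
    state: str
    uptime: str


def parse_control_connections(output: str) -> List[ControlConnection]:
    """Parse data rows of the command output. Header and separator lines are
    skipped because their second column is not a transport protocol."""
    rows: List[ControlConnection] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[1] not in ("dtls", "tls"):
            continue
        rows.append(ControlConnection(
            peer_type=fields[0], protocol=fields[1], system_ip=fields[2],
            site_id=fields[3], private_ip=fields[5], public_ip=fields[7],
            public_port=fields[8], state=fields[11], uptime=fields[12],
        ))
    return rows


def audit_vhub_peers(output: str, authorized_ips: Set[str]) -> List[ControlConnection]:
    """Equivalent of 'show control connections | match vHub', cross-referenced
    against the authorized vHub inventory so known hubs are not reported."""
    return [
        c for c in parse_control_connections(output)
        if c.peer_type.lower() == "vhub" and c.public_ip not in authorized_ips
    ]


if __name__ == "__main__":
    for c in audit_vhub_peers(SAMPLE_OUTPUT, AUTHORIZED_VHUB_IPS):
        print(f"UNEXPECTED vHub peer: system-ip={c.system_ip} public-ip={c.public_ip} "
              f"site={c.site_id} state={c.state} uptime={c.uptime}")
```

Against the constructed sample only the 203.0.113.77 peer is reported; the hub at 10.0.12.50 is in inventory and suppressed, which is exactly the false-positive handling the rule calls for. Feeding real output into parse_control_connections requires checking that the field indices match the column layout of the deployed release.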

Timeline

advisory_published

Cisco and CISA publish alerts for CVE-2026-20182.

Intelligence Sources