Cisco has disclosed a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller, formerly vSmart, and Cisco Catalyst SD-WAN Manager, formerly vManage. The vulnerability, tracked as CVE-2026-20182, has a CVSS score of 10.0 and is being actively exploited in the wild.
The flaw allows an unauthenticated remote attacker to bypass peering authentication and obtain administrative access to affected SD-WAN systems. Successful exploitation can allow an attacker to access NETCONF and manipulate SD-WAN fabric configuration, making this a high-impact vulnerability for organizations relying on Cisco SD-WAN infrastructure.
Cisco Talos has attributed observed exploitation activity to UAT-8616, a sophisticated threat cluster previously associated with exploitation of Cisco SD-WAN infrastructure. Talos reported that post-compromise activity included attempts to add SSH keys, modify NETCONF configurations, and escalate privileges.
Technical Details
CVE-2026-20182 affects the vdaemon service over DTLS on UDP port 12346, which is used for SD-WAN control-plane peering. Rapid7’s analysis found that the vulnerability allows a remote unauthenticated attacker to become an authenticated peer of the target appliance. From there, an attacker may perform privileged operations, including injecting attacker-controlled SSH keys into the vmanage-admin user’s authorized keys file and accessing NETCONF over SSH on TCP port 830.
This is especially significant because Cisco Catalyst SD-WAN Controller acts as part of the central control plane. Compromise of this layer can affect the routing and management logic of the SD-WAN environment rather than just a single endpoint or application.
Affected Products
The vulnerability affects:
- Cisco Catalyst SD-WAN Controller
- Cisco Catalyst SD-WAN Manager
Reported affected deployment types include on-premises deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud, and Cisco SD-WAN for Government. Public reporting also indicates that the issue affects supported SD-WAN release branches including 20.9, 20.10, 20.11, 20.12, 20.13, 20.14, 20.15, 20.16, 20.18, and 26.1.
Exploitation Status
This vulnerability is under active exploitation. CISA added CVE-2026-20182 to its Known Exploited Vulnerabilities catalog on May 14, 2026, and tied remediation guidance to Emergency Directive 26-03 for Cisco SD-WAN systems.
The exploitation risk is elevated because Cisco SD-WAN has recently been the target of multiple related vulnerability exploitation chains. Tenable notes that CVE-2026-20182 is part of a broader Cisco SD-WAN exploitation context involving several vulnerabilities, including CVE-2026-20127, CVE-2026-20133, CVE-2026-20128, CVE-2026-20122, and CVE-2022-20775.
Recommended Actions
Organizations using Cisco Catalyst SD-WAN should take immediate action:
- Apply Cisco’s fixed software releases immediately. Cisco has released updates for affected versions, and Rapid7 notes that there are no workarounds that fully address CVE-2026-20182.
- Review SD-WAN exposure. Ensure Cisco SD-WAN Controller and Manager interfaces are not exposed to untrusted networks. Restrict access to known administrative networks and approved SD-WAN peers only.
- Hunt for unauthorized access. Review authentication logs for unexpected public key authentication involving the vmanage-admin account, especially from unknown or unauthorized IP addresses. Tenable also recommends checking control connection details for suspicious peering activity, including connections with state:up and challenge-ack: 0.
- Inspect for persistence and tampering. Review /home/vmanage-admin/.ssh/authorized_keys, SSH configuration changes, unexpected software downgrades or reboots, newly created accounts, and signs of log clearing.
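The log review described under "Hunt for unauthorized access", as an added example that is not from Cisco, Tenable, Rapid7 or this advisory: it flags vmanage-admin public key logins from outside an allow-list, and control connection records that show both state:up and challenge-ack: 0. The allow-list range, the sample log lines and the record layout (blank-line separated key: value blocks) are constructed assumptions; adapt them to your own exports.

```python
import ipaddress
import re

# Assumption: networks from which vmanage-admin key logins are expected (placeholder range).
ALLOWED_NETS = [ipaddress.ip_network("10.10.0.0/16")]
# OpenSSH success line: "Accepted publickey for <user> from <ip> port <n> ssh2: ..."
SSH_RE = re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+")
# The two indicators named in the advisory, matched with tolerant whitespace.
STATE_UP = re.compile(r"\bstate\s*:\s*up\b", re.I)
CHALLENGE_ACK_ZERO = re.compile(r"\bchallenge-ack\s*:\s*0\b", re.I)

def suspicious_key_logins(auth_log, user="vmanage-admin", allowed=ALLOWED_NETS):
    """Return (ip, line) for successful public key logins of `user` from outside `allowed`."""
    hits = []
    for line in auth_log.splitlines():
        m = SSH_RE.search(line)
        if not m or m.group("user") != user:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            hits.append((m.group("ip"), line))  # unparsable source: surface it for review
            continue
        if not any(ip in net for net in allowed):
            hits.append((str(ip), line))
    return hits

def suspicious_peers(control_output):
    """Return records (split on blank lines) containing both state:up and challenge-ack: 0."""
    records = re.split(r"\n\s*\n", control_output.strip())
    return [r for r in records if STATE_UP.search(r) and CHALLENGE_ACK_ZERO.search(r)]

# Constructed sample data (documentation address ranges), not real device output.
SAMPLE_AUTH = """\
May 14 02:11:09 vsmart sshd[2211]: Accepted publickey for vmanage-admin from 10.10.4.7 port 50122 ssh2: RSA SHA256:EXAMPLEKEY1
May 14 02:13:40 vsmart sshd[2290]: Accepted publickey for vmanage-admin from 203.0.113.45 port 41877 ssh2: ED25519 SHA256:EXAMPLEKEY2
May 14 02:14:02 vsmart sshd[2301]: Accepted password for admin from 203.0.113.45 port 41901 ssh2
May 14 02:15:10 vsmart sshd[2315]: Failed publickey for vmanage-admin from 198.51.100.9 port 40000 ssh2
"""
SAMPLE_PEERS = ("system-ip: 10.10.1.1\nstate:up\nchallenge-ack: 1\n\n"
                "system-ip: 10.99.0.5\nstate:up\nchallenge-ack: 0\n")

if __name__ == "__main__":
    for ip, line in suspicious_key_logins(SAMPLE_AUTH):
        print("unexpected key login:", ip, "|", line)
    for rec in suspicious_peers(SAMPLE_PEERS):
        print("suspicious peer record:\n" + rec)
```

A hit is a lead for investigation, not proof of compromise; confirm each source address against your inventory of administrators and SD-WAN peers.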
Stay Safe. Stay Secure
OP Innovate Research Team



