[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftgf5DjMnsEoyLsaPlbgfXdAfWjEOdK4M98J5CtMFXNU":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"054756ad-ab67-40ea-b43a-b0e51f79f2c0","Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access","cisco-catalyst-sd-wan-controller-auth-bypass-actively-exploited-to-gain-admin-ac-3e0f6f","Cisco has released updates to address a maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller that it said has been exploited in limited attacks. The vulnerability, tracked as CVE-2026-20182, carries a CVSS score of 10.0. \"A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly","Cisco released updates for CVE-2026-20182, a CVSS 10.0 authentication bypass in Catalyst SD-WAN Controller and Manager that allows unauthenticated remote attackers to gain administrative privileges. The flaw, discovered by Rapid7, affects the vdaemon service over DTLS and has been actively exploited in limited attacks since May 2026. Successful exploitation enables attackers to manipulate SD-WAN fabric network configuration via NETCONF access.","Cisco patches critical auth bypass in Catalyst SD-WAN Controller actively exploited for admin access.","Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access | Ravie Lakshmanan | May 14, 2026 | Vulnerability \u002F Network Security | Cisco has released updates to address a maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller that it said has been exploited in limited attacks. The vulnerability, tracked as CVE-2026-20182, carries a CVSS score of 10.0. 
\"A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system,\" Cisco said. The networking equipment major said the flaw stems from a malfunction of the peering authentication mechanism, which an attacker could exploit by sending crafted requests to the affected system. A successful exploit could permit the attacker to log in to the Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account, and then weaponize it to access NETCONF and manipulate network configuration for the SD-WAN fabric. The vulnerability impacts the following deployments: On-Prem Deployment; Cisco SD-WAN Cloud-Pro; Cisco SD-WAN Cloud (Cisco Managed); Cisco SD-WAN for Government (FedRAMP). According to Rapid7, which discovered CVE-2026-20182, the shortcoming has its echoes in CVE-2026-20127 (CVSS score: 10.0), another critical authentication bypass impacting the same component. The latter is said to have been exploited by a threat actor called UAT-8616 since at least 2023. \"This new authentication bypass vulnerability affects the 'vdaemon' service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026-20127,\" Rapid7 researchers Jonah Burgess and Stephen Fewer said. \"The new vulnerability is not a patch bypass of CVE-2026-20127. It is a different issue located in a similar part of the 'vdaemon' networking stack.\" That said, the end result is the same: a remote unauthenticated attacker can abuse CVE-2026-20182 to become an authenticated peer of the target appliance and carry out privileged operations. Cisco, in its advisory, noted that it became aware of \"limited exploitation\" of the flaw in May 2026, urging customers to apply the latest updates as soon as possible. 
The company also said Catalyst SD-WAN Controller systems that are accessible over the internet and that have ports exposed are at increased risk of compromise. It recommends that customers audit the \"\u002Fvar\u002Flog\u002Fauth.log\" file for entries related to \"Accepted publickey for vmanage-admin\" from unknown or unauthorized IP addresses. Another indicator is the presence of suspicious peering events in the logs, including unauthorized peer connections that occur at unexpected times and originate from unrecognized IP addresses, or involve device types that are inconsistent with the environment's architecture.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fcisco-catalyst-sd-wan-controller-auth.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEh9rok1ToP_K0gWug0GnICltZkvx6bMRyhHfTJG1AcSfrGpM_fOVc61O3Fpyen_IW-wpb4s6Hl3qZcU5nEs77SMWSpKNDR4rrlY2syVVSNEBrpHx8RkWmYaN9MZORNICc8LNhuNjXqqhxmy7JN-y389oyQnAAFoBMJC1NoQSQFaOZ2MnrpKQRfv_eYXIoWI\u002Fs1600\u002Fcisco-exploit.jpg","2026-05-14T17:45:20+00:00","2026-05-14T20:00:16.635207+00:00",9,[18,21,24,26,29,31],{"name":19,"type":20},"Cisco","vendor",{"name":22,"type":23},"Catalyst SD-WAN Controller","product",{"name":25,"type":23},"Catalyst SD-WAN Manager",{"name":27,"type":28},"DTLS","technology",{"name":30,"type":28},"NETCONF",{"name":32,"type":20},"Rapid7","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":33,"icon":35,"name":36,"slug":37},null,"Vulnerabilities","vulnerabilities",[39],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",[45,49],{"type":46,"value":47,"context":48},"cve","CVE-2026-20182","Critical authentication bypass in Cisco Catalyst SD-WAN Controller, CVSS 10.0, actively exploited",{"type":46,"value":50,"context":51},"CVE-2026-20127","Prior critical auth bypass in same vdaemon service, exploited by UAT-8616 since 2023"]