[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fyfCs5f_cxyJYYIduZruA8rQ835D0vuuuTyZ8MnSF7VQ":3},{"article":4,"iocs":52},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"8d0e4671-1c5a-4ed6-b505-1679ba909603","CVE-2026-20182: Critical Cisco SD-WAN Auth Bypass Under Active Exploitation","cve-2026-20182-critical-cisco-sd-wan-auth-bypass-under-active-exploitation-e9fd55","Cisco has disclosed and patched CVE-2026-20182, a maximum-severity authentication bypass affecting Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager.","CVE-2026-20182 is a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager that allows unauthenticated remote attackers to bypass peering authentication and gain privileged access to the SD-WAN control plane. The vulnerability affects the vdaemon service over DTLS on UDP port 12346 and has been exploited in the wild. Cisco has published fixed releases across multiple product versions, with no workarounds available; immediate patching is required.","Cisco SD-WAN Controller\u002FManager CVE-2026-20182 critical auth bypass under active exploitation","Executive summary: CVE-2026-20182 is not a routine patch-cycle issue. It sits in the SD-WAN control plane, where trust relationships, routing decisions, and fabric-wide configuration are managed. A successful attacker does not need valid credentials; instead, crafted requests can bypass peering authentication and lead to privileged access. What attackers get: Access as a high-privilege internal non-root account, with potential NETCONF access. Why it matters: NETCONF access can allow manipulation of SD-WAN fabric configuration. Who is affected: Cisco Catalyst SD-WAN Controller and Manager across multiple deployment types. 
What to do: Collect evidence, review logs, and upgrade to a fixed release immediately. Urgency: Cisco reports limited exploitation in the wild. CISA has also listed the vulnerability in the Known Exploited Vulnerabilities catalog, making this a priority remediation item for exposed SD-WAN environments. What is CVE-2026-20182? CVE-2026-20182 is an improper authentication vulnerability in the peering authentication mechanism used by Cisco Catalyst SD-WAN Controller, formerly vSmart, and Cisco Catalyst SD-WAN Manager, formerly vManage. Cisco states that the mechanism does not work properly, allowing a remote unauthenticated attacker to send crafted requests and bypass authentication. Rapid7’s analysis describes the vulnerable area as the vdaemon service over DTLS on UDP port 12346, the SD-WAN control-plane peering channel. The end result is severe: an attacker can become an authenticated peer of the appliance and perform privileged operations. Affected products and deployment types: Cisco says the vulnerability affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager regardless of device configuration. Category -> Exposure: On-premises deployment -> Affected; Cisco SD-WAN Cloud-Pro -> Affected; Cisco SD-WAN Cloud, Cisco managed -> Affected (Cisco says cloud managed release 20.15.506 addresses the issue); Cisco SD-WAN for Government, FedRAMP -> Affected. Internet-exposed control components or environments with exposed SD-WAN control-plane ports should be treated as higher risk. Fixed releases: Cisco states there are no workarounds for CVE-2026-20182. Remediation requires upgrading to a fixed software release. Cisco Catalyst SD-WAN release -> First fixed release: Earlier than 20.9 -> Migrate to a fixed release; 20.9 -> 20.9.9.1; 20.10 -> 20.12.7.1; 20.11 -> 20.12.7.1; 20.12 -> 20.12.5.4, 20.12.6.2, or 20.12.7.1; 20.13 -> 20.15.5.2; 20.14 -> 20.15.5.2; 20.15 -> 20.15.4.4 or 20.15.5.2; 20.16 -> 20.18.2.2; 20.18 -> 20.18.2.2; 26.1 -> 26.1.1.1. Cisco notes that some branches have reached end of software maintenance. 
Organizations on end-of-maintenance releases should prioritize migration to a supported fixed release. Potential impact: This vulnerability is especially serious because it targets the SD-WAN control plane, not a low-value peripheral service. A successful exploit can allow the attacker to log in as an internal high-privilege account and access NETCONF. From there, the attacker may be able to manipulate SD-WAN fabric configuration. Authentication bypass: no valid user credentials are required to begin exploitation. Privileged access: successful exploitation can produce access as a high-privilege internal account. Network-wide consequences: control-plane compromise can affect routing, trust, and fabric behavior. Active exploitation: Cisco and Talos both report exploitation activity associated with this vulnerability. Detection and investigation guidance: Cisco recommends preserving potential indicators of compromise before upgrading. Specifically, administrators should collect admin-tech files from each SD-WAN control component, then upgrade as soon as possible. Review authentication logs: Audit \u002Fvar\u002Flog\u002Fauth.log for suspicious public-key logins involving vmanage-admin, especially from unknown or unauthorized IP addresses (log pattern: Accepted publickey for vmanage-admin from \u003Cunknown-or-unauthorized-ip>). Validate control-plane peering events: Review peering events against maintenance windows, known device inventory, expected peer roles, and authorized IP ranges. Pay particular attention to unexpected vmanage, vsmart, vedge, or vbond peer activity. 
Check control connection output: Cisco advises using the following commands and checking for suspicious state: up entries with missing or abnormal challenge acknowledgement behavior. Commands: show control connections detail; show control connections-history detail. For Validator: show orchestrator connections detail; show orchestrator connections-history detail. If the output indicates possible compromise, open a Cisco TAC case and include CVE-2026-20182 in the case title. Recommended response plan: 1. Preserve evidence: Collect admin-tech files from SD-WAN control components before upgrades so forensic data is not lost. 2. Review exposure: Identify internet-exposed Controller and Manager systems, exposed UDP\u002F12346, and unauthorized access paths. 3. Upgrade quickly: Move affected systems to Cisco’s fixed releases. There is no workaround that fully addresses this issue. 4. Audit logs: Search for suspicious vmanage-admin public-key logins and unexpected control-plane peering events. 5. Validate peers: Confirm every peer system IP, public IP, peer type, and timestamp against known SD-WAN topology. 6. Escalate suspected compromise: Open a Cisco TAC case if indicators are found, and treat SD-WAN control-plane compromise as a high-priority incident. Why this vulnerability deserves immediate attention: CVE-2026-20182 combines three high-risk traits: unauthenticated remote reachability, critical control-plane impact, and confirmed exploitation. For SD-WAN environments, control-plane integrity is foundational. If an attacker can impersonate a trusted peer or obtain privileged NETCONF access, the risk extends beyond a single appliance and into the routing fabric itself. Security teams should not wait for broad exploitation before acting. 
Prioritize fixed releases, reduce unnecessary exposure, and perform compromise assessment on any SD-WAN control component that has been reachable from untrusted networks.","https:\u002F\u002Fdarkwebinformer.com\u002Fcve-2026-20182-critical-cisco-sd-wan-auth-bypass-under-active-exploitation\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002F2026\u002F05\u002Fcisco_vuln.webp","2026-05-14T20:24:47+00:00","2026-05-14T21:00:10.54+00:00",9,[18,21,24,26,29],{"name":19,"type":20},"Cisco","vendor",{"name":22,"type":23},"Cisco Catalyst SD-WAN Controller","product",{"name":25,"type":23},"Cisco Catalyst SD-WAN Manager",{"name":27,"type":28},"NETCONF","technology",{"name":30,"type":28},"DTLS","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":31,"icon":33,"name":34,"slug":35},null,"Vulnerabilities","vulnerabilities",[37,42,47],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",{"category":43},{"id":44,"icon":33,"name":45,"slug":46},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":48},{"id":49,"icon":33,"name":50,"slug":51},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[53,57,61],{"type":54,"value":55,"context":56},"cve","CVE-2026-20182","Critical authentication bypass in Cisco SD-WAN control plane, actively exploited",{"type":58,"value":59,"context":60},"mitre_attack","T1190","Exploit Public-Facing Application - vdaemon DTLS peering authentication bypass",{"type":58,"value":62,"context":63},"T1556","Modify Authentication Process - bypass of peering authentication mechanism"]