May 24, 2026

CVE-2026-20182: Cisco Catalyst SD-WAN CVSS 10.0 Auth Bypass Actively Exploited


CVE-2026-20182 is a CVSS v3.1 10.0 (Critical, the highest possible score on the 0–10 Common Vulnerability Scoring System scale, meaning the flaw is remotely exploitable with no privileges or user interaction required and has full impact on confidentiality, integrity, and availability) authentication bypass in the Cisco Catalyst SD-WAN Controller's vdaemon service. An unauthenticated attacker who can reach the Controller's DTLS peering port can complete a handshake with an arbitrary certificate, declare itself a trusted vHub device (a type of SD-WAN hub node), and obtain privileged control-plane peer status over the entire SD-WAN fabric. Cisco Talos attributes active exploitation with high confidence to the threat actor UAT-8616, four public proof-of-concept (PoC, working exploit code published openly) exploits are available on GitHub, a Metasploit module has shipped, and CISA (U.S. Cybersecurity & Infrastructure Security Agency) added CVE-2026-20182 to its KEV (Known Exploited Vulnerabilities) catalog on May 14, 2026.

// 01 CVE-2026-20182: Technical Details

CVE-2026-20182 (a vulnerability identifier issued by MITRE's Common Vulnerabilities and Exposures program, tracked by the National Vulnerability Database) resides in the vdaemon service of the Cisco Catalyst SD-WAN Controller. The vdaemon service manages control-plane peering between SD-WAN components and listens on UDP port 12346 using DTLS (Datagram Transport Layer Security — a variant of TLS designed for UDP-based protocols used in latency-sensitive network control traffic).

The root cause is a logic flaw in the peering authentication mechanism. When a connecting peer declares itself to be a vHub device (device type 2 in the protocol), the code path responsible for certificate verification is skipped — yet the service still marks the peer as fully authenticated and advances the session to the UP state. This means an attacker with any valid TLS certificate (or even a self-signed one) can complete a DTLS handshake and obtain a trusted peer relationship.

The attack sequence proceeds as follows:

  • Attacker initiates a DTLS connection to UDP port 12346 with any certificate
  • Target SD-WAN Controller issues an authentication challenge
  • Attacker responds with a CHALLENGE_ACK message that declares device type 2 (vHub)
  • Attacker sends a Hello message, pushing the target's peer state to UP
  • Attacker now has trusted control-plane peer status equivalent to a legitimate SD-WAN node

From this position, the attacker can authenticate as a high-privileged non-root account and issue NETCONF (Network Configuration Protocol — a network management protocol used to install, manipulate, and delete configurations on network devices) commands to manipulate SD-WAN fabric topology, routing policies, and device configurations across the entire WAN deployment.
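
The logic flaw and attack sequence described above, modelled as an added example. This is not Cisco's vdaemon code and not the real wire format: the message names, the peer states, the fingerprint allowlist that stands in for certificate-chain validation, and the device-type value 1 used for "some non-vHub device" are assumptions for illustration (the page only gives 2 as the vHub type). The vulnerable version skips certificate verification whenever the CHALLENGE_ACK claims device type 2 and still marks the peer authenticated; the hardened version verifies every certificate before the claimed type is consulted at all.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Device-type value the article reports as "vHub". Illustrative constant, not the real wire encoding.
VHUB_DEVICE_TYPE = 2

# Constructed trust store: SHA-256 fingerprints of certificates the controller accepts.
# A real peer validates a certificate chain; a fingerprint allowlist stands in for that here.
TRUSTED_CERT_FINGERPRINTS = {
    hashlib.sha256(b"legit-vhub-cert").hexdigest(),
    hashlib.sha256(b"legit-edge-cert").hexdigest(),
}


@dataclass
class Peer:
    addr: str
    cert: bytes
    state: str = "CHALLENGE_SENT"
    device_type: Optional[int] = None
    authenticated: bool = False
    log: List[str] = field(default_factory=list)


def cert_is_trusted(cert: bytes) -> bool:
    """Stand-in for chain validation: accept only certificates in the trust store."""
    return hashlib.sha256(cert).hexdigest() in TRUSTED_CERT_FINGERPRINTS


def peer_session(addr: str, cert: bytes, claimed_type: int, hardened: bool) -> Peer:
    """Drive one peering attempt through a modelled controller state machine.

    hardened=False reproduces the flaw the advisory describes;
    hardened=True applies the fix: verify the certificate before any type-specific logic.
    """
    peer = Peer(addr=addr, cert=cert)

    # 1. DTLS handshake completes with any certificate. Nothing is authenticated yet;
    #    that is the job of the application-layer challenge that follows.
    peer.log.append("dtls handshake complete")

    # 2. CHALLENGE -> CHALLENGE_ACK: the peer declares its device type (client-controlled input).
    peer.device_type = claimed_type
    peer.log.append(f"challenge_ack device_type={claimed_type}")

    if hardened:
        # Fix: verification is unconditional and happens before the claimed type matters.
        peer.authenticated = cert_is_trusted(cert)
    elif claimed_type == VHUB_DEVICE_TYPE:
        # Flaw: a client-supplied claim selects a branch that never verifies the certificate,
        # yet the peer is still flagged as authenticated.
        peer.authenticated = True
        peer.log.append("certificate check skipped for claimed vHub")
    else:
        peer.authenticated = cert_is_trusted(cert)
    peer.log.append("authenticated" if peer.authenticated else "certificate rejected")

    if not peer.authenticated:
        peer.state = "REJECTED"
        return peer

    # 3. HELLO: only an authenticated peer advances to UP and becomes a trusted control-plane peer.
    peer.state = "UP"
    peer.log.append("hello accepted, peer UP")
    return peer


def demo() -> dict:
    """Run an attacker and a legitimate vHub against both versions; returns the final states."""
    attacker_cert = b"self-signed-attacker-cert"  # not in the trust store
    return {
        "vulnerable/attacker claims vHub": peer_session("203.0.113.9", attacker_cert, VHUB_DEVICE_TYPE, hardened=False).state,
        "vulnerable/attacker claims type 1": peer_session("203.0.113.9", attacker_cert, 1, hardened=False).state,
        "hardened/attacker claims vHub": peer_session("203.0.113.9", attacker_cert, VHUB_DEVICE_TYPE, hardened=True).state,
        "hardened/legitimate vHub": peer_session("10.20.0.5", b"legit-vhub-cert", VHUB_DEVICE_TYPE, hardened=True).state,
    }


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:36s} -> {state}")
```

The point the model makes is that the authentication decision is keyed on an attribute the client asserts about itself. The fix is structural rather than a patch to the vHub branch: certificate verification runs once, unconditionally, before any device-type-specific code, so no future device class can reintroduce the short-circuit. The same pattern is worth grepping for in any peering or agent-enrollment code you own.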

Cisco's official advisory is tracked as cisco-sa-sdwan-rpa2-v69WY2SW. The Rapid7 Metasploit module (admin/networking/cisco_sdwan_vhub_auth_bypass) was authored by @sfewer-r7 and @jburgess-r7 and ships in the latest Metasploit Framework release, making reliable exploitation accessible to a wide range of attackers.

// 02 Exploitation Status and Threat Landscape

CVE-2026-20182 is actively exploited in the wild as of May 2026. Cisco Talos attributes exploitation with high confidence to UAT-8616, a sophisticated threat actor. At least 10 additional threat clusters have been linked to exploitation of related Cisco SD-WAN vulnerabilities.

Observed post-exploitation activity includes:

  • Web shell deployment for persistent backdoor access
  • Arbitrary bash command execution on SD-WAN Controller nodes
  • SD-WAN fabric configuration manipulation
  • Lateral movement into connected enterprise network segments

The MITRE ATT&CK technique most applicable here is T1190 (Exploit Public-Facing Application) — exploitation of internet-facing services to gain initial access to a network.

Four PoC exploits are publicly available on GitHub. Combined with the shipped Metasploit module, this means any attacker with basic tooling can reproduce the attack without needing to develop custom exploit code. CISA added CVE-2026-20182 to its KEV catalog on May 14, 2026 — KEV inclusion formally confirms active exploitation and triggers mandatory remediation timelines for U.S. federal agencies.

// 03 Who Is Affected

CVE-2026-20182 affects Cisco Catalyst SD-WAN Controllers across all deployment models:

  • On-premises deployments
  • Cloud-Pro managed cloud deployments
  • FedRAMP deployments

The Cisco Catalyst SD-WAN Manager (formerly vManage) running versions 20.1.12, 19.2.1, 18.4.4, and adjacent releases within vulnerable ranges is confirmed affected. Refer to Cisco's official advisory for the complete version matrix, as the affected version range spans multiple release trains.

Cisco SD-WAN deployments are pervasive in enterprise WAN architectures, telecommunications environments, and critical infrastructure networks. Because the Controller is the central management plane for the entire SD-WAN fabric, a single compromised Controller node can give an attacker visibility into and control over all connected SD-WAN edge devices across an organization's WAN.

Organizations running Cisco Catalyst SD-WAN with internet-facing or network-accessible Controllers are at the highest immediate risk. The CISA KEV listing means Federal Civilian Executive Branch (FCEB) agencies were required to patch by May 17, 2026 — a deadline that has already passed.

// 04 What You Should Do Right Now

  • Apply Cisco's patches immediately. Consult the Cisco advisory for the exact patched versions applicable to your release train. If you cannot patch within 24 hours, implement network-level controls (firewall ACLs) to restrict access to UDP port 12346 to known, trusted SD-WAN peers only. Treat the ACL as a stopgap, not a fix: the bypass needs no valid certificate, so it still works from any address the ACL allows, including a compromised edge device.
  • Restrict network access to the SD-WAN Controller management plane. If the Controller's DTLS peering port (UDP 12346) or web management interface is exposed to untrusted networks or the public internet, close that exposure now. CISA and Cisco both recommend network segmentation to limit Controller reachability.
  • Hunt for indicators of compromise. Check SD-WAN Controller logs for authentication events from unexpected peer IP addresses, unexpected NETCONF sessions, newly appearing web shell files, or anomalous CLI session history. The Talos threat intelligence report details IOCs associated with UAT-8616's post-exploitation activity.
  • Rotate all SD-WAN administrative credentials if you cannot confirm the Controller was not exposed during the vulnerability window. UAT-8616 activity includes credential harvesting from compromised Controllers.
  • Verify the fix, with authorization, using the Metasploit module. The admin/networking/cisco_sdwan_vhub_auth_bypass module gives internal red teams a reliable way to confirm, against a patched test Controller, that the peering port no longer accepts an unverified vHub claim.
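
As an added example of the hunting step above (not code from the page, Cisco, or Talos), a small correlation over control-connection and NETCONF events. The records are in a constructed space-separated format (timestamp, event, peer address, claimed device type, certificate status); this is not Cisco's log format, so map the fields from whatever export you actually use. The sample addresses, the allowlists, and the device-type value 2 for vHub are assumptions for the demo. It flags peers outside the expected ranges or lacking a verified certificate, and escalates when a NETCONF session arrives from an address that had earlier become an unexpected peer, which is the chain the article describes.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample events (not Cisco's log format). Fields:
# timestamp event peer_ip claimed_device_type cert_status
SAMPLE_EVENTS = """\
2026-05-15T02:11:07Z peer_up 10.20.0.5 2 verified
2026-05-15T02:11:09Z peer_up 203.0.113.77 2 unverified
2026-05-15T02:12:40Z netconf_session 203.0.113.77 - -
2026-05-15T02:13:01Z peer_up 10.20.0.6 1 verified
2026-05-15T09:00:00Z netconf_session 10.50.1.10 - -
"""

# Assumed allowlists for the demo: where legitimate peers and admin hosts live.
EXPECTED_PEERS = [ipaddress.ip_network("10.20.0.0/24")]
MGMT_HOSTS = [ipaddress.ip_network("10.50.1.0/24")]
VHUB_DEVICE_TYPE = "2"

Finding = Tuple[str, str, str, str]  # timestamp, address, severity, reason


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def hunt(events: str, expected_peers=EXPECTED_PEERS, mgmt_hosts=MGMT_HOSTS) -> List[Finding]:
    findings: List[Finding] = []
    suspicious_peers = set()  # addresses that reached UP under suspicious circumstances
    for lineno, line in enumerate(events.splitlines(), 1):
        fields = line.split()
        if len(fields) != 5:
            # Surface malformed records instead of silently dropping them.
            findings.append(("?", "?", "info", f"line {lineno}: malformed record, not evaluated"))
            continue
        ts, event, ip, dev_type, cert_status = fields
        reasons, severity = [], "medium"
        if event == "peer_up":
            unexpected = not in_any(ip, expected_peers)
            if unexpected:
                reasons.append("control-plane peer from an address outside the expected peer ranges")
            if cert_status != "verified":
                reasons.append("peer reached UP without a verified certificate")
            if unexpected and dev_type == VHUB_DEVICE_TYPE:
                reasons.append("unexpected peer claimed the vHub device type")
                severity = "high"
            if reasons:
                suspicious_peers.add(ip)
        elif event == "netconf_session":
            if ip in suspicious_peers:
                # Peer bypass followed by NETCONF from the same address: the post-exploitation chain.
                reasons.append("NETCONF session from an address that earlier became an unexpected peer")
                severity = "high"
            elif not in_any(ip, mgmt_hosts):
                reasons.append("NETCONF session from a non-management host")
        if reasons:
            findings.append((ts, ip, severity, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for ts, ip, severity, reason in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] {ts} {ip}: {reason}")
```

Run against a real export, the allowlists should come from your SD-WAN inventory rather than be typed in, and any "high" hit warrants the full compromise assessment the conclusion below calls for, not just a ticket.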

// 05 Background: Understanding the Risk

SD-WAN (Software-Defined Wide Area Network) controllers are among the most sensitive components in enterprise network architecture. They function as the central command plane for geographically distributed network fabric — a successful compromise is equivalent to an attacker gaining control of the organization's WAN backbone from a single pivot point.

Authentication bypass vulnerabilities at CVSS 10.0 are rare because they combine the worst-case values across all base metrics: network attack vector, low attack complexity, no privileges required, no user interaction, changed scope, and high impact on confidentiality, integrity, and availability (with scope unchanged the same flaw would cap at 9.8). CVE-2026-20182 reaches the maximum because the exploit requires only network access, no credentials, no user clicks, and no special network position beyond being able to reach UDP port 12346, and because a compromised Controller affects every device in the fabric it manages, not just the Controller itself.

Cisco SD-WAN products have been a repeated target for sophisticated threat actors over the past several years. Previous notable CVEs in the same product family include critical authentication and authorization flaws in the vManage interface. The recurrence of critical vulnerabilities in SD-WAN controllers reflects the difficulty of securing complex, distributed network management systems that must maintain high availability while supporting flexible peer-to-peer communication.

The shift to Metasploit-accessible exploitation significantly expands the threat actor pool. Previously, exploiting SD-WAN controller flaws required custom tooling and deep protocol knowledge. With a working Metasploit module and four public PoCs, exploitation is now within reach of less-sophisticated actors — including ransomware affiliates who frequently leverage published vulnerability tooling for initial access.

CISA's KEV listing and the active attribution to UAT-8616 should be read as a signal that this is not a theoretical risk: real SD-WAN deployments are being compromised today.

// 06 Conclusion

CVE-2026-20182 is a maximum-severity, actively exploited authentication bypass in Cisco Catalyst SD-WAN Controllers. Any organization running an affected Controller version must treat this as an immediate emergency: apply Cisco's patches, restrict network access to the Controller's peering port, and conduct a compromise assessment if the Controller was exposed at any point after the vulnerability became public. The combination of CISA KEV status, active Talos-attributed exploitation, and a public Metasploit module means that unpatched Controllers reachable from untrusted networks should be treated as already compromised until proven otherwise.

Team Ciphers Security
The Ciphers Security editorial team: practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.